Google Adds New Protections Against Phishing Attacks

In response to the recent rise of phishing emails, including a widespread attack targeting Gmail users, Google has added a number of new security features to help its users defend against scams.

Google will now present users with interstitial screens that warn about unverified apps that could be designed to steal information while posing as legitimate services, while also subjecting apps and scripts to a new screening process.

Read: Google Docs Phishing Scam: How Can You Protect Yourself From Phishing?

The new unverified app warning will appear for all web apps that attempt to connect to a Google user’s account. Attempting to open the app in the Google Chrome browser will prompt a screen with a red warning sign that informs the user the app isn’t verified.

“This app hasn’t been verified by Google yet,” the warning reads. “Only proceed if you know and trust the developer.” The warning features two options that the user can select: return to safety, or open an “advanced” menu that provides an additional warning about the risks of using unverified apps.

If the user truly wants to use the app, they have to verify it by typing the word “continue” into a text box. At that point, Google will take the user to the app, leaving them to fend for themselves after providing ample warning.

Google’s verification process should help users figure out if an app can be trusted or not. While all new apps will be required to go through the process, some existing apps will also be subject to the scrutiny.

Read: Google Docs Phishing Scam: Email Attack Hijacks User Accounts By Posing As Google Docs

Google will also add similar warning screens to its Apps Scripts, which are used to allow custom macros and add-ons for the company’s productivity apps like Docs and Sheets.

We’re committed to fostering a healthy ecosystem for both users and developers,” Google said of the new security efforts. “These new notices will inform users automatically if they may be at risk, enabling them to make informed decisions to keep their information safe, and will make it easier to test and develop apps for developers.”

Google’s new warning screen for apps comes just two months after a widespread attack against Gmail users managed to hijack accounts by tricking users into granting account access to a compromised app.

The attack used masked email addresses to send an official-looking email inviting the victim to edit a Google Docs document. When a user clicked on the link to access the document, it would ask them to grant approval to an app named Google Docs. That app was not the official Google app, but a malicious version designed to trick the victim.

The app asked for access to the user’s account—including reading, sending, deleting and managing emails and full access to a user’s contacts. If granted access, the attack will then send similar emails to a user’s contacts in hopes of tricking them into making the same mistake.

Because the attack gained access to a user’s account through official means—though by misrepresenting itself—it could bypass typical security measure likes two-factor authorization and login protections.