Gmail 2FA Cyber Attacks—Open Another Account Before It’s Too Late

by · Forbes
Image: Open a second Gmail account now (credit: SOPA Images/LightRocket via Getty Images)

Update, Nov. 05, 2024: This story, originally published Nov. 04, now includes step-by-step details regarding the use of Google’s Advanced Protection Program, as well as the Google security checkup tool, to further safeguard Gmail accounts.

Google really does take your security seriously and has been proving as much with the swathe of increasingly sophisticated protections against cyber attack it has introduced in recent months. With an estimated 2.5 billion active users, your Gmail account is one of the main targets for hackers. As reports flood in of the latest cyber attacks against Gmail users, which steal session cookies to bypass two-factor authentication, there’s one surprisingly simple defensive action you can take right now to help protect your email. However, you need to do it now, as otherwise it could be too late to help you if you fall victim to a 2FA-bypass Gmail attack: open a second Gmail account and add one rule to protect your data.

Open A Second Gmail Account To Backup Your Email Data

Imagine waking up to find that your Google account has been hacked and you are now locked out of your Gmail inbox as a result. For far too many people, that nightmare vision is all too much a reality as hackers employ session cookie-stealing techniques to bypass 2FA protections. Cybercrime agencies quite rightly warn users of online accounts to protect them with 2FA wherever it is available as an option. Google has introduced secure passkey sign-in access across devices and includes safe browsing protections for Chrome users. Yet still the attackers deploy increasingly sophisticated methods to get around those protections, including, as I recently reported, tools to bypass even the stringent application-bound encryption process Google has in place to prevent cookie theft.

So, how does opening a second Gmail account help prevent 2FA-bypass cyber attacks? The brutal truth is that it doesn’t. It can, however, help mitigate the impact of such an attack. All the mitigations mentioned in this article still apply, and I heartily recommend that you ensure they are in place before doing anything else.

The impetus to write this article was a question posed in the Gmail subreddit by a Gmail user whose main account had been compromised, despite having 2FA in place, and who wanted to know if a second account could be set up without it being compromised by the same threat actor.

Rather than prevent a security compromise, a second Gmail account can act as a backup to the important and often irreplaceable information that your email inbox contains.

How To Securely Set Up A Second Gmail Account

With Google offering Gmail as a totally free web-based email platform, setting up multiple accounts is incredibly easy. I myself have lost count of the number I have, although I only use two or three regularly. The account creation process is as simple as one, two, three:

  1. Sign out of your Google Account.
  2. Go to the Google Account sign-in page.
  3. Click on create account.

To ensure that this new account is as secure as possible, and less likely to be compromised by a threat actor who successfully attacks the original one, use a passkey tied to a different device than the first, or two-factor authentication that uses a standalone 2FA code-generating app rather than SMS codes sent to the same telephone number as before. Indeed, try to use as much completely unique information as possible when creating the new account. Once you have the account created, head to your original Gmail account settings and set up a forwarding rule that sends a copy of all email to the second account. This way you’ll have a backup should the worst happen. Remember, by applying the sensible mitigations detailed in those linked resources and not adopting insecure habits, your account should be safe from attack.

If someone did manage to hack your original account, and it is forwarding email to your second Gmail account, that doesn’t mean both will be compromised. As these are separate accounts, the hacker would need to compromise them as separate entities. Here’s hoping you never get your Gmail account compromised, but it’s always good to have a plan just in case.

Google’s Advanced Protection Program Can Help Secure Your Gmail Accounts

And talking of plans, I would also recommend signing all your Gmail accounts up to Google’s advanced protection program, which makes it much harder for anyone to compromise those accounts in the first place, providing additional layers of security when recovering a compromised account for good measure.

Image: Enrol in Google's Advanced Protection Program for the strongest Gmail account defense (Google)

Originally rolled out in 2017, Google’s Advanced Protection Program came into being as a response to the increasingly sophisticated evolution of phishing schemes and other cyber attack methodologies targeting “high-risk users” such as politicians, activists, dissidents, high-worth individuals and journalists. As the latter of these, I signed up early doors and now advise everyone who is concerned about the security of their Google account and subsidiary products such as Gmail and Drive that hang from it to do the same.

The main downside, historically, has been the cost of entry to this free advanced security club: the purchase of a pair of hardware security keys. Now, however, membership really is free as Google enables enrollment using passkeys instead. “Passkeys give high-risk users the option to rely on the ease and security that comes with using personal devices they already own,” Shuvo Chatterjee, the product lead of Google’s Advanced Protection Program, said, “as opposed to another device or tool like a security key, for phishing-resistant authentication.”

How To Sign Up To The Advanced Protection Program And Add Another Layer To Your Gmail Defenses

Advanced Protection Program enrollment really couldn’t be any easier:

  • Visit the APP start page and click on Get Started.
  • Verify your identity by using your existing passkey.
  • Add a recovery phone number that you trust and can be verified.
  • Add a recovery email address that you trust and can be verified.
  • Hit the enrollment button.

When you initially sign into your Google account on any device, you must use your passkey. APP performs additional checks on downloads: if you attempt to download a potentially harmful file, you will be notified or the download blocked. If you are using an Android device, APP only allows downloads from verified app stores. Advanced Protection also restricts the data that apps, both Google and verified third-party ones, can access. Most non-Google apps and services are blocked from accessing data from your Gmail account. “If anyone tries to recover your account,” Google said, “Advanced Protection takes extra steps to verify your identity.” This means that it can take a few days to verify that you are who you say you are and get access to your Google account back.

Take The Google Security Checkup And Keep On Top Of Your Gmail Account Protection

At the risk of sounding like a broken record, and I’m not going to apologize for it as this is essential stuff, you need to keep on top of all aspects of Google account security if you want to be in the best position when it comes to protecting your Gmail account. As is the case with the advanced protection program, some of the simplest and most effective account security tools at your disposal come from Google itself and cost absolutely nothing other than a small amount of your time.

Google’s security checkup feature is one of those free tools that is so often overlooked by many users, as it requires a few minutes of precious time to complete properly. The question is, as Clint Eastwood once said, “do you feel lucky?” Seriously, do you want to take the chance that there are only five bullets in your Gmail security six-shooter, all in order to save five minutes? If there’s one thing that Google has got wrong when it comes to the security checkup tool, it is that while it’s free to use, it isn’t mandatory to complete.

Please don’t wait for the next time Google pops up a polite invite for you to go and check your security details; take the initiative and head to the Google account security checkup tool straight after reading this. You can thank me later.

Google’s Security Checkup, Step-By-Step For Gmail Users

Let’s look at what is involved in taking the Google security checkup. Make sure that you are signed into your Google account; if you have multiple accounts and Gmail addresses, then you’ll need to ensure you have switched to the right one to perform the checkup for. I’d recommend doing them all in one sitting and getting it over with, to be honest.

The checkup process will start as soon as the tool has loaded, having already analyzed the necessary settings in the background while doing so. You will see a list of items, each with a distinct icon next to the entry. This iconography provides a quick view of the urgency of any recommendations being made to improve your account security. Again, I’d recommend going through them all in order anyway, as you can never be too sure, and doing so helps you to understand what the security issues are even if you are already protecting against them.

Image: Google's security checkup tool main interface (Google)

Hitting the dropdown arrow next to each entry will expose Google’s recommendations. In this example, the first is to turn on safe browsing protections.

Image: Turn on safe browsing protection for your account (Google)

You might find, as in this example, that email forwarding is flagged as a potential security issue. Considering that this entire article hinges around forwarding email from one Gmail account to another, let’s take a closer look at this recommendation.

Image: Email forwarding is flagged as a recommendation by Google's security checkup tool (Google)

Expanding the Gmail forwarding recommendation shows us that email messages received by the Gmail account in question are automatically forwarded to another address. This is a setting I have made myself, so it’s all good, but if you don’t recognize an email forwarding rule then delete it on the spot, as it could be a sign that someone has compromised your account at some point and set this up as an email surveillance method.

Image: Gmail automatic email forwarding rule security check (Google)

There is also a “more settings” dropdown arrow which you should take the time to look at. This is where any addresses used as a destination for replies are displayed, as well as the address shown as the “from” when mail is sent. There will also be a list, in my case a very long list, of email addresses that have been blocked. Again, with the latter, it’s worth taking a look in case there are any addresses being blocked that you don’t know about and from which you would want to receive email.

Image: Check the devices that have been logged in from for anything you don't recognize (Google)

The “devices” section will display a list of all the devices that your Google account has been logged into from. The details will show such things as the last active date as well as the location, which can help you be alert to anything that is out of place. You should recognize all the devices; if you don’t, then a massive red flag should be waving in front of you, as it could mean this belongs to someone who has hacked your account. Again, it’s just a one-click option to remove any of the devices that are shown. Don’t worry if you make a mistake and remove a device you should have kept; it will ask you to verify your identity and log in again, including any 2FA option, the next time you try to connect using it.
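The two checks above, unrecognised forwarding rules and unrecognised devices, are exactly the kind of thing worth automating if you look after more than one account. The script below is an added example written for this article, not code from Forbes or from Google. It audits a set of settings records against an allowlist of forwarding destinations and a list of known device names. The forwarding records are constructed sample data modelled on the JSON shapes the Gmail API returns for `users.settings.getAutoForwarding`, `users.settings.forwardingAddresses.list` and `users.settings.filters.list`; the device records use an assumed, simplified shape standing in for what the Security Checkup page shows, since there is no single Gmail API call that returns that list. Fetching the live data is left to the reader; the point here is the comparison logic, including the case the article warns about, where a filter forwards mail and also hides it from the inbox.

```python
"""Audit Gmail forwarding settings and signed-in devices against allowlists.

Added example, not part of the original article or of any Google tooling.
Input records are constructed here; their shape is modelled on Gmail API
responses (forwarding) or assumed (devices), as noted on each one.
"""
from dataclasses import dataclass

# --- constructed sample input ------------------------------------------------
# Modelled on users.settings.getAutoForwarding (Gmail API).
AUTO_FORWARDING = {"enabled": True, "emailAddress": "backup.example@gmail.com",
                   "disposition": "leaveInInbox"}
# Modelled on users.settings.forwardingAddresses.list.
FORWARDING_ADDRESSES = {"forwardingAddresses": [
    {"forwardingEmail": "backup.example@gmail.com", "verificationStatus": "accepted"},
    {"forwardingEmail": "collector.example@example.net", "verificationStatus": "accepted"},
]}
# Modelled on users.settings.filters.list; f1 forwards AND removes INBOX,
# which is what a quiet surveillance rule looks like from the owner's side.
FILTERS = {"filter": [
    {"id": "f1", "criteria": {"from": "bank.example"},
     "action": {"forward": "collector.example@example.net", "removeLabelIds": ["INBOX"]}},
    {"id": "f2", "criteria": {"subject": "newsletter"}, "action": {"addLabelIds": ["TRASH"]}},
]}
# Assumed simplified shape for the Security Checkup "devices" list.
DEVICES = [
    {"name": "Pixel 8", "lastActive": "2024-11-04", "location": "London, UK"},
    {"name": "MacBook Pro", "lastActive": "2024-11-05", "location": "London, UK"},
    {"name": "Windows PC", "lastActive": "2024-10-30", "location": "Unknown"},
]
# What the account owner says they set up themselves (constructed).
ALLOWED_DESTINATIONS = ["backup.example@gmail.com"]
KNOWN_DEVICES = ["Pixel 8", "MacBook Pro"]


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    area: str      # "auto_forwarding", "forwarding_address", "filter", "device"
    detail: str


def _norm(value: str) -> str:
    """Case-fold and strip so 'Backup@Gmail.com ' matches the allowlist."""
    return value.strip().lower()


def audit_forwarding(auto_forwarding, forwarding_addresses, filters, allowed_destinations):
    """Flag every forwarding path whose destination is not on the allowlist."""
    allowed = {_norm(a) for a in allowed_destinations}
    findings = []

    if auto_forwarding.get("enabled"):
        dest = _norm(auto_forwarding.get("emailAddress", ""))
        if dest not in allowed:
            findings.append(Finding("high", "auto_forwarding",
                                    f"all mail is auto-forwarded to unknown address {dest}"))

    for entry in forwarding_addresses.get("forwardingAddresses", []):
        dest = _norm(entry.get("forwardingEmail", ""))
        if dest not in allowed:
            status = entry.get("verificationStatus", "unknown")
            findings.append(Finding("medium", "forwarding_address",
                                    f"registered destination {dest} not on allowlist (status {status})"))

    for flt in filters.get("filter", []):
        action = flt.get("action", {})
        if not action.get("forward"):
            continue  # filter does not forward; nothing to check here
        dest = _norm(action["forward"])
        if dest in allowed:
            continue
        hides = "INBOX" in action.get("removeLabelIds", [])
        verb = "forwards and hides from INBOX" if hides else "forwards"
        findings.append(Finding("high" if hides else "medium", "filter",
                                f"filter {flt.get('id')} {verb} matching mail to unknown address {dest}"))
    return findings


def audit_devices(devices, known_device_names):
    """Flag any signed-in device whose name the owner does not recognise."""
    known = {_norm(n) for n in known_device_names}
    return [Finding("high", "device",
                    f"unrecognised device {d['name']!r} last active {d['lastActive']} from {d['location']}")
            for d in devices if _norm(d["name"]) not in known]


def run_audit(auto_forwarding, forwarding_addresses, filters, devices,
              allowed_destinations, known_device_names):
    """Combine both audits; an empty list means nothing needs attention."""
    return (audit_forwarding(auto_forwarding, forwarding_addresses, filters, allowed_destinations)
            + audit_devices(devices, known_device_names))


if __name__ == "__main__":
    for f in run_audit(AUTO_FORWARDING, FORWARDING_ADDRESSES, FILTERS, DEVICES,
                       ALLOWED_DESTINATIONS, KNOWN_DEVICES):
        print(f"[{f.severity}] {f.area}: {f.detail}")
```

Run against the sample data, the script reports three findings: the unknown registered forwarding address, the filter that forwards bank mail to that address while removing it from the inbox, and the "Windows PC" sign-in nobody recognises. The auto-forwarding to the backup account is silent because it is on the allowlist, which is the whole point of keeping such a list: the article's own backup rule should not trip your alarm, only the rules you did not make.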

Think of Google’s security checkup tool as a one-stop shop for beefing up your Gmail protection against hackers, stalkers and anyone who doesn’t have your best interests at heart, and you won’t go far wrong.