Although security technologies continue to improve, phishing remains a threat, so Google has announced several plans to combat it at Google I/O 2022.
To help protect users from phishing attacks, the search giant is extending phishing protection to Google Docs, Sheets, and Slides while continuing to automatically enroll users in two-factor authentication.
As businesses and end users become more aware of the risks of phishing, multi-factor authentication (MFA) has become a particular focus for cybercriminals. For example, they try to phish SMS codes directly by following a legitimate “one-time password” message with a spoofed message asking the potential victim to “reply with the code you just received”.
According to a new blog post from Google, attackers are also leveraging more sophisticated dynamic phishing pages to carry out relay attacks, in which users think they are logging into legitimate sites. Instead of deploying a simple static phishing page that steals a user’s credentials, an attacker deploys a web service that logs in to the real website at the same time the user is falling for the phishing page.
This kind of attack is particularly difficult to prevent because authentication challenges presented to the attacker (such as SMS code prompts) are also passed on to the victim. The victim’s response is then passed back to the real website, so the attacker can rely on the victim to solve any other authentication challenges that may arise.
Security keys, like Google’s own Titan security key, can help prevent phishing by verifying the identity of the website you log in to, but not everyone wants to carry an additional physical device to log into every online account.
That’s why Google is building these same features into Android smartphones and iPhones. Unlike physical FIDO security keys that must be connected via USB, the search giant uses Bluetooth to ensure that a user’s smartphone is close to the device they’re logging into. This also helps prevent “man-in-the-middle” attacks that can still work against SMS codes or Google Prompts.
At the same time, Google is working to make the traditional Google Prompt challenge more phishing-resistant by asking users to match a PIN code with what they see on the screen, in addition to clicking “Allow” or “Deny”. The company is also starting to experiment with more involved challenges for higher-risk situations, such as when it sees users logging in from a computer that could be part of a phishing attack, or asking users to join their phone to the same Wi-Fi network as the computer they are logging in to.
With these new phishing protections and proper training, employees and consumers alike can prevent theft of their credentials and online accounts.