GMAIL
Consider your Gmail password critically important. Never tell it to anyone. Do not use your Gmail password for anything else. If there is a chance you might forget it, write it down on paper twice and store each copy in different secure places.
TECH SUPPORT
To me, the biggest issue with Gmail is that it is free. Any free service comes at the price of no technical support. If something goes wrong with Gmail (or your Google account), tough luck. In my opinion, email is important enough that it is worth paying for, just to get technical support.
- We saw a stark example of this in August 2022, when a father was banned by Google for taking pictures of the rash on his toddler to send to a doctor (A Dad Took Photos of His Naked Toddler for the Doctor. Google Flagged Him as a Criminal). There are many aspects to the story, but the one I want to emphasize here is that this was clearly a mistake by Google. The Police opened a case and closed it quickly as any person could easily tell it was a mistake. But there was no person at Google to talk to.
- In May 2023, Lauren Weinstein wrote about a 90-year-old woman who forgot her Gmail password. TLDR: tough luck. This serves as a Defensive Computing warning to make sure the Gmail recovery email address for your account is valid. And, maybe, to have a recovery phone number too. The story again emphasizes that there are no people doing tech support at Google. See: An Example of a Very Sad Google Account Recovery Failure - and How It Affects Real People
AUDIT YOUR ACCOUNT LOGINS
Every now and then, you should audit the logins to your Gmail/Google account to ensure that no one else has logged on to your account. You can do this at the Gmail website:
- Click on your profile photo in top right corner (this might instead be your initial, if you never gave Google a photo)
- Then click Manage your Google Account
- Then click Security in the vertical stripe on the left
- Review the Recent security activity
BEWARE THIS SCAM
September 8, 2024: Gmail Account Takeover: Super Realistic AI Scam Call by Sam Mitrovic. The story of a super realistic AI scam phone call that could trick a vast number of people.
The scam starts with a fake notification to approve a Gmail account recovery attempt. This was shortly followed by a missed phone call where the number showed as being a valid Google phone number. Never forget, caller ID can be faked. A week later, another fake notification to approve the potential victim's Gmail account recovery. Again, this was shortly followed up with a phone call that the victim, this time, answered. Scammer on the phone says there is suspicious activity on the account. Note that this is a very common claim in the world of scams. Scammer on the phone says someone logged in to the victim's account from Germany (victim is not in Germany). Scammer on the phone says that someone has had access to the victim's account for a week and that they have downloaded the account data. Scammer sends an email, and I note again that spoofing an email address is possible. Turns out the voice on the phone was an AI. Bad guys were using Salesforce CRM, which allows you to set the sender to whatever you like and send email using Gmail/Google servers. Had the victim approved the account recovery notification, the bad guys would have gained control of the account.
Note that Google does not call Gmail users if you don’t have Google Business Profile connected. Also know that you can verify if someone else has logged into your account: click on your Gmail profile photo in top right corner -> Manage your Google Account -> Security -> Recent security activity.
ASSORTED
- Google has an Advanced Protection Program that safeguards people with high visibility and sensitive information from targeted online attacks. I have not used it but it appears to be a big step up the security ladder. Google suggests that journalists, activists, business executives, and people involved in elections enroll in this. Enrolling requires either a passkey or a FIDO compliant security key, such as the Google Titan Security Key. The service is free.
- The Best Gmail Settings You Might Not Have Used Yet by Eric Ravenscraft for Wired (March 2021). Some topics mentioned: Change Undo Send Time Limit, Confirm Actions on Mobile, Unread Message Icon and Customize Your Keyboard Shortcuts.
- December 17, 2022: Google introduces end-to-end encryption for Gmail on the web by Sergiu Gatlan for Bleeping Computer. The feature ensures that the body of an email and attachments (including inline images) cannot be decrypted by Google. Only for enrolled Google Workspace users, who can send and receive encrypted emails within and outside their domain. This was already available for users of Google Drive, Google Docs, Sheets, Slides, Google Meet, and Google Calendar (beta). At the time the article was written, the feature was available to Google Workspace Enterprise Plus, Education Plus, and Education Standard customers.
- To block email sent from a domain: starting at the gmail.com website, enter "from:badguys.com" in the search box (obviously just an example) and hit enter to ensure the selection works. Then click on the icon on the search bar just to the right of the X (it is Search Options). Click Create Filter at the bottom of the window that pops up, then choose to either Delete all messages from the domain or archive them or assign them to a category. More here: How to block a domain in Gmail by Bryan Clark for Laptop Magazine (November 2022)
- If you get a malicious email from a Gmail user, you can report it here: I would like to report a Gmail user who has sent messages that violate the Gmail Program Policies and/or Terms of Use. The form asks for the full email header, which is normally hidden. In Thunderbird, use View -> Message Source. Or, forward the message to abuse@gmail.com.
- To change the time period when you can undo a Sent message: at gmail.com, click the gear in the top right corner -> See all settings -> General tab (should be the default) -> Undo Send.
- How to recover your Google Account or Gmail from Google. Hopefully, you never need this.
- If you use two-factor authentication with Gmail, good for you. Should something go wrong with the second factor, Google offers a fallback using backup codes. See Sign in with backup codes from Google.
- May 2019: Google uses Gmail to track a history of things you buy by Todd Haselton and Megan Graham of CNBC. The story said you needed to delete the Gmail message to remove a purchase. However, later research found that there is no way to delete your purchase history. And Google also tracks your Reservations, Subscriptions and Payment Methods. See it all at myaccount.google.com/payments-and-subscriptions. From Google: See your purchases, reservations and subscriptions.
The day before flying recently, Uber offered me a discount for getting to the airport. Gmail told Uber about my trip; I found it in the reservations and confirmations page.
CONFIDENTIAL MODE
What: It is an attribute of individual messages that lets you set an expiration date for sent messages, revoke access to sent messages, and optionally set a password for a sent message. In addition, recipients of confidential Gmail messages are prevented from forwarding, copying, printing and downloading the message. Invoke it while composing a message by clicking on a very small image of a padlock and a clock. The recipient does not need to use Gmail.
But: The recipient can take a screenshot. Message passwords require that you provide a cell phone number for the recipient because the password is texted to them. So, arguably less confidential than normal. Google does not say whether they can read the messages, which means they can.
- Watch out for Gmail's new Confidential Mode by Mike Elgan for Computerworld (May 2018). Elgan says that this is neither secure nor email.
- Send & open confidential emails from Google
AVOIDING GMAIL
- I moved my Gmail to a less creepy email. It was surprisingly easy. by Shira Ovide in the Washington Post (June 27, 2023). Ovide describes how she easily moved 15 years of email messages from Gmail to Proton Mail. Proton offers an Easy Switch feature with instructions on how to move your messages from Gmail, Yahoo or Microsoft’s Outlook. She considers Proton trustworthy and I agree.
- 5 Reasons to Ditch Gmail for ProtonMail by David Nield for Gizmodo (March 2021). The article is wrong about end-to-end encryption. It only applies to messages between two ProtonMail users.
- How to Migrate from Gmail to ProtonMail by ProtonMail (undated). The steps: Transfer existing emails, Set up email forwarding, Transfer contacts, Inform your contacts and Update online accounts.
- Privacy-Conscious Email Providers from PrivacyTools.io
- These 4 Gmail alternatives put your privacy first (Fastcompany Aug 2019)