Cybercrime Agency Issues New 2FA Warning For Gmail, Outlook, Facebook And X Users

by · Forbes

Update, Oct. 18, 2024: This story, originally published Oct. 16, includes details of a new Fast Identity Online Alliance protocol and new security fixes for the Google Chrome web browser.

Those who would attack your email and social media accounts have proven to be early adopters of evolving technology, such as large language models and AI-generated chat, in order to hack and scam their victims. Last week, a story I published about a security consultant who very nearly got caught out by a highly sophisticated, AI-powered hacking attempt against his Gmail account went viral. This week, a team of researchers released details of the sheer volume of malicious apps that found their way onto the official Google Play Store last year. And now the Action Fraud team, operated by law enforcement in the U.K., has issued a warning to users of all email and social media platforms about ongoing threats that have cost more than 33,000 victims in excess of $1.8 million in fraud after their accounts were hacked. Here’s what you need to know and what you must do right now to protect your Gmail, Outlook, Facebook and X accounts.

Action Fraud Warns All Users To Protect Email And Social Accounts With 2FA

The U.K. national fraud and cybercrime reporting center, Action Fraud, is run jointly by the City of London Police and the National Fraud Intelligence Bureau. When these people issue a warning, it’s advisable that you take them seriously, regardless of what country you happen to be in. Although the reporting service is purely for U.K. cybercrime reporting in England, Wales and Northern Ireland, the advice given is applicable pretty much wherever you are in the world.

I can’t think of an example that represents this better than the warning issued as part of Cybersecurity Awareness Month to users of all email and social media platforms to protect their accounts from hackers, scammers and fraudsters. The number of victims quoted, along with the financial losses, relate to a single 12-month period ending in August 2024, and only cover attacks that were actually reported to Action Fraud covering the previously mentioned geographic area. However, it’s a large enough statistic, when multiplied around the world, to not only take notice of but react to. Which is why Action Fraud is taking to social media to encourage people to better protect their Gmail, Outlook, Facebook and X accounts.

“Cyberattacks and hacking are carried out by faceless cybercriminals who target unsuspecting victims looking to take advantage of unprotected social media and email accounts,” Adam Mercer, the deputy director of Action Fraud, said. “If you have the option, enable 2-step verification to ensure you have twice the protection for all your accounts.” Two-step verification, often referred to as two-factor authentication, cannot guarantee account security, but it sure makes it a lot harder for hackers and scammers to get into your accounts.

Check your email and social media platform support pages for details of how to activate 2FA.

Using Passkeys To Bolster Account Protection Is Getting Easier

The Fast Identity Online Alliance has been building partnerships since 2012 to address what was, and to some extent remains, a lack of interoperability among the robust authentication technologies that exist. This is vital work, and the moves that FIDO has made across those 12 years are beginning to make a big difference when it comes to protecting user accounts. A new credential exchange protocol that FIDO is working towards, along with partners including Apple, Google, Microsoft and Samsung as well as password management vendors 1Password, Bitwarden, Dashlane, Enpass, NordPass and Okta, has now been published, at least in a “working specifications” guise.

The new protocol is designed to bring secure, as in end-to-end encrypted secure, passkey transfers between vendors. Passkeys add an extra layer to the authentication process that outperforms user credentials such as username and passwords when it comes to secure account login and user authentication. In many ways, you can think of passkeys as wrapping up login and 2FA in one easier to use and more secure technology. “Sign-ins with passkeys reduce phishing and eliminate credential reuse while making sign-ins up to 75% faster,” a FIDO spokesperson said, “and 20% more successful than passwords or passwords plus a second factor…”

Ensure Your Chrome Web Browser Is Up-To-Date With Google’s Security Fixes

Newly reported attack campaigns using the latest ClickFix methodology employ social engineering tactics and fake Google Meet conference pages in an attempt to bypass the protections built into the Google Chrome web browser. While the usual safeguards against any kind of social engineering attack, such as having two-factor authentication enabled on your accounts, remain the single best way to avoid getting caught in the phisher’s net, there’s also one other straightforward protection that you can take: ensure that you are using the latest version of the Google Chrome web browser or any of the different browsers that are powered by the same Chromium engine. Web browser vulnerabilities are employed by would-be attackers to exploit weaknesses that can provide them with the kind of access they require to further their nefarious actions. Closing off this route to potential compromise is simply common sense and simple to execute.

Google has just confirmed the latest security patches for desktop versions of the Chrome browser running on Linux, Mac and Windows, as well as the Android version for smartphone users. These fix 17 vulnerabilities in all, 13 of which were found and reported by security researchers external to Google itself. In the context of this article, it’s not essential to know precisely what these vulnerabilities are. What is necessary, however, is knowing how to ensure you are protected from the consequences of a threat actor exploiting an unpatched browser. Thankfully, this is an easy proposition as long as you follow all the required steps. Unless you complete the final one of closing down and restarting the browser, you will not be protected by the latest security fixes.

Head to the Help|About option in the menu. If the update is available, it will automatically start downloading.

Once the download is complete, Chrome will present you with a relaunch button. Save and/or close all open tabs and click the button.

Chrome will then restart and your browser will show the current, fully patched, version for your operating system platform.
