In Gmail, less than 1% of spam emails make it into an inbox, Google said. Thanks to the success of spam filters in screening out junk mail, spammers in recent years have morphed into account thieves, breaking into websites to steal databases of usernames and passwords in order to send “legitimate” mails that evade filters by appearing to come from trusted correspondents. Often, the criminals put the databases up for sale on the black market.
To thwart the tactic, Google has implemented some layered security safeguards, according to Mike Hearn, Google security engineer.
“Every time you sign in to Google, whether via your web browser once a month or an email program that checks for new mail every five minutes, our system performs a complex risk analysis to determine how likely it is that the sign-in really comes from you,” he explained. “In fact, there are more than 120 variables that can factor into how a decision is made.”
If a sign-in is deemed suspicious or risky for some reason – such as your latest sign in comming from a country oceans away – Google asks basic questions about the account. “For example, we may ask for the phone number associated with your account, or for the answer to your security question,” he said. “These questions are normally hard for a hijacker to solve, but are easy for the real owner. Using security measures like these, we've dramatically reduced the number of compromised accounts by 99.7% since the peak of these hijacking attempts in 2011.”
The danger doesn’t stop at the compromised account. Because many people re-use the same password across different accounts, stolen passwords from one site are often valid on others. Attackers will thus attempt to break into accounts across the web and across many different services.
“We’ve seen a single attacker using stolen passwords to attempt to break into a million different Google accounts every single day, for weeks at a time,” Hearn said. “A different gang attempted sign-ins at a rate of more than 100 accounts per second. Other services are often more vulnerable to this type of attack, but when someone tries to log into your Google Account, our security system does more than just check that a password is correct.”
Hearn also noted that users must do their part, no matter how much Google works to keep spammers and hijackers at bay. “You can help protect your account by making sure you’re using a strong, unique password for your Google Account, upgrading your account to use two-step verification, and updating the recovery options on your account such as your secondary email address and your phone number,” Hearn said. “Following these three steps can help prevent your account from being hijacked – this means less spam for your friends and contacts, and improved security and privacy for you.”