Skip to content

How Did Google Stop Phishing Attacks on Employees?

Google and Yubikey

The notion of being able to stop phishing attacks on companies seems like fiction If you’re keeping score, it seems that scammers are way ahead of business.

So, it’s no surprise to hear that a handful of years ago, scammers were relentless in their attack of Google, one of the biggest and most significant companies in the technical industry. More specifically, the scammers were targeting Google employees.

Their attack of choice was phishing. Phishing is a ploy by con artists to trick targets into divulging their email addresses and passwords, and company information. When a target takes the bait, so to speak, the scammer has the log-in credentials needed to get access and continue to do more damage. They can even gain access to a network to steal data or money.

How does phishing work?  Typically, it comes in as a work email from a company administrator telling you to update your password—but it’s actually from a con artist.

Imagine the wealth of information that Google has in its network databases. It’s for that reason Google is such a juicy target for scammers.

Google couldn’t stop phishing attacks and isn’t exempt from hacking.

But you’re thinking, Google is a smart organization and would make sure to warn employees about wolves in sheep clothing, trying to trick employees.

And you’re right. They had sent important messages plenty of times to employees warning them about emails, calls or texts that seemed to come from Google, but were actually sent by scammers. But those warnings are quickly forgotten.

Not only that, but con artists are also quite good at what they do and come up with effective approaches that persuade employees that providing their passwords is very important.

But surely, you’d assume that the bright people who work at Google are too smart to let themselves be scammed, right?

Wrong. And it has nothing to do with intelligence. Even the brightest can fall victim. So, Google was experiencing ongoing troubles with employees being fooled, tricked, duped and hacked by scammers. Scammer’s were getting employees to somehow provide their login credentials, or at least the part the scammer needed.

Google’s Answer to Stop Attacks: Two-Factor Authentication…a Special Brand of It.

Google had tried to help its employees fight back against hackers by implementing a security process called two-factor authentication. In short, that simply means they added a second step to the login process for their employees. Think of it like this:

  • Typically, you log into any account with your username and your password (hopefully a strong, unique password.
  • Think of your log-in credentials as one method—or one factor—

needed for accessing your account.

As it turns out, often that “one way” simply isn’t good enough.

Because as you’ve heard many times before, hackers or scammers, through various means, often obtain consumer or employee credentials and login into those accounts. They steal them or guess them, and then log-in to our accounts.  

Having just one way, one factor, for accessing an account, could leave you open for trouble.

Enter the Second Factor.

So, security experts came up with a solution for websites and companies. They decided your basic credentials (username and password) alone wouldn’t be enough. They devised a way to require a second factor, to gain access to an account, after you enter your name and password.

Let’s talk about two-factor authentication and learn how it works.


After you start to log-in to a website on which two-factor authentication (2FA) has been set, you simple take an extra step.

That second step (factor) is typically a one-time password (a code of  5-6 numbers) you receive via smart phone instantly via text message, or an app. The code you get is the second factor that helps complete the log-in process.

That process works very well nearly all the time, and it does keep hackers out. Google used 2FA approach and and sent employees use one-time codes that were sent to employee phones.

End of story? Not quite. Here’s why.

Return of the Scammers.

As it turns out, using two-factor authentication with one-time codes sent as texts is not totally hacker proof, because, well hackers and scammers, never give up.  

And, sure enough, the crafty crooks and tricksters devised ways to fool Google employees into giving away the second factor, or the scammers somehow hijacked the entire login process.

So, despite requiring two-factor authentication for all employees, the scammers still managed to have success.

Enough! Time to stop phishing attacks!

Google–determined to find a way to put an end to their phishing on employees’ email accounts—found a way to do it.

In 2017, Google made a move that would bring successful employee phishing to a halt.

In 2017, Google made a move that would bring successful employee phishing to a halt. What they did was take two-factor authentication to the next level, and with that move, they eliminated false logins to employee accounts.

Google found the key to stopping scammers in their tracks.


Google Stopped the Scammers Cold with Security Keys.

It was in early 2017 when Google made a move that stopped phishing attempts cold. They were understandably upset to know that their internal processes and the phone-text-based two-factor authentication hadn’t yet worked.

That’s when they handed out 85,000 security keys—the actual brand was Yubikey—to their employees and required every employees to use their security key every time they logged into their email or Google accounts.

A security key is a physical product, along the likes of a thumb-drive, just not as big, the is perhaps the strongest from of 2FA. The key plugs right into your device—whether you use a computer, smartphone or tablet. There are keys for each type of plug-in.

The small, “electronic” security key became an essential and required part of Google process for employee’s logging into their work accounts. Unless a scammer acquired an employee’s physical security key, there was no way they could log in to that employees work accounts or email.

And immediately after that, Google did not have any of its more than 85,000 employees successfully “phished” at work. From that point on, Google says, security keys are at the heart of all account access for any Google employee.

A Google representative explained the impact of the changes:  

“We have had no reported or confirmed account takeovers since implementing security keys at Google,” Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time.”

For information on the different forms of two factor authentication, including security keys, read our recently revised article on the topic.

Related Articles

  • All
  • Easy Prey Podcast
  • General Topics
  • Home Computing
  • IP Addresses
  • Networking
  • Online Privacy
  • Online Safety
  • Uncategorized
scam texts

ALERT: Scam Texts, the Latest Dirty Trick!

You need to be up to speed on "smishing," the text message trick scammers use to capture...

[Read More]
Zelle payment scams

It’s not a Zelle Scam, Just Scammers Who Want You to Use Zelle

Beware of any calls you get to talk about Zelle and fraud, even it's from your "bank."...

[Read More]
Roy Zur talks about human factor cybersecurity and why it's essential for business.

Human Factor Cybersecurity: A New Approach for Business

Cybersecurity isn’t just for cybersecurity professionals or people who understand code. Employees at any level can let…

[Read More]
Cameron Huddleston talks about how to protect elderly parents' finances.

Protect Elderly Parents’ Finances from Scams and Exploitation

As you watch your parents get older, it’s easy to begin to worry about them falling for…

[Read More]
Jack Whittaker goes behind the scenes of scam sites.

Scam Sites and the Scam Economy

When you find a scam website – or worse, fall for a scam – you’re not thinking…

[Read More]
It's important to be aware of student loan forgiveness scams!

Student Loan Forgiveness Scams: Red Flags to Watch Out For

On August 24, President Biden announced a three-part plan to help middle- and working-class people with student…

[Read More]