Check Point Email Security | Blog

We Need to Talk About Gmail

Written by Jeremy Fuchs | January 27, 2022

Do you use Gmail? If you're a small business or tech company, you probably do. In fact, a whopping 92% of startups use Gmail; 60% of mid-sized businesses use it as well. More than 5 million businesses use Gmail.

Despite that, a lot of the security conversation is centered around Microsoft. That's certainly valid, but it's time we start talking about Gmail. 

This came to a head a few weeks ago, when we published an attack brief about the Google Docs comment exploit. The attack occurs when a threat actor adds a comment to a Google Doc (or any part of the Google Workspace). The target is mentioned with an @. By doing so, an email is automatically sent to that person’s inbox. In that email, which comes from Google, the full comment, including the bad links and text, is included. Further, the email address isn’t shown, just the attackers’ name, making this ripe for impersonators. 

We know, based on our research, that Google is about middle of the road when it comes to preventing phishing emails from reaching the inbox:

Despite it faring better than other solutions, that's still plenty of attacks. Using our Threat Miss Calculator, consider a 500-seat organization, where the average user sees about 20 emails a day. This is the results:

That's nearly three missed attacks per user, per month.

Or take an organization with 6,500 employees:

 

You can see the issue.

That's why we're coming out with a webinar next month about the attacks that Gmail is missing.

We'll go over some attacks that Gmail missed--which run the gamut from credential harvesting to ransomware--discuss how the entire G-Suite is weaponized, and how to stop the attacks that Gmail and others miss.

If you have Gmail, this is a must-watch webinar. It's all happening on February 24th at 11:00 am ET. RSVP below.