Google says it stops 100 million email phishing attempts every day. You know, those emails that say there's a problem with your bank account, click here to fix it? When you do, you're sent to a hacker-built website that looks remarkably similar to your bank's, but you really just gave away your account information. Or someone manages to log in to your Gmail account, and you have no idea until they change the password and you can't get in.

That's a problem because there's a reasonable chance that your business is using at least some of Google's services. Since a Google Account often contains personal and business emails and documents, and even data about what happens in your home, you can imagine that attackers find them to be an attractive target. That's especially true when the account belongs to a business leader, politician, journalist, or activist, which is why Google is updating its Advanced Protection Program.

That program provides additional security to Google Accounts for individuals at higher risk of cyberattacks, and requires the use of a physical security key in addition to a traditional user name and password to access an account. Until now, you had to use an actual dongle that you inserted into a USB port, or you had to have an Android device. 

Today, however, Google is extending that to include iPhones as well.

According to Google, you can activate a security key on your iPhone by using Google's Smart Lock app. This uses Bluetooth to verify your sign-in on Chrome OS, iOS, macOS, and Windows 10 devices without requiring you to pair your devices. Doing so prevents anyone from signing in to your account without the security key, which defeats phishing attempts.

Google's blog post announcing the change includes the following steps to set up your smartphone as a security key:

  • Activate your phone's security key (Android 7+ or iOS 10+)
  • Enroll in the Advanced Protection Program
  • When signing in to your Google Account, make sure Bluetooth is turned on both on your phone and on the device you're signing in on

It's worth asking whether you should consider using the Advanced Protection Program. For example, I set it up on my Gmail account, and it can certainly make life more complicated. For one, it means that many of the third-party apps you use on a regular basis will no longer be able to access your Google Account. It also means that you won't be able to log in to your account if you lose your phone.

Still, if you think you're at a heightened risk of phishing and you want to make sure you and your business are protected, it's worth looking at whether another layer of security will protect your accounts. For example, Google says it partnered with the Harris Poll to survey 500 high-risk users. Seventy-four percent of them said they had been targeted or compromised by a phishing attack.

The process for recovering your account if you lose your phone is complex, since the whole idea is to make sure that only you can access your information. Then again, the process of recovering your account after an attacker gets ahold of it by stealing your password isn't all that pretty either.

Published on: Jan 15, 2020
The opinions expressed here by Inc.com columnists are their own, not those of Inc.com.