Urgent Google warning for Gmail users as six new rules issued to keep emails safe


Most email users are now well versed in recognising the scams that bombard inboxes daily, and Google has become so adept at identifying rogue messages that the majority are filtered out before they ever reach customers’ accounts. Complacency is not an option at present, however. Hackers have recently run a campaign that sidesteps Google’s multi-factor authentication, meaning cyber criminals could gain complete access to an account without the owner being aware of any issue.

The attack was detected by security researchers at Google Threat Intelligence Group, who confirmed that targeted attacks have already occurred.

Google accounts with 2-Step Verification switched on are typically very secure: after entering a password, users must confirm the login with a second method, such as a prompt or code sent to a second device, before access to services such as Gmail is permitted, reports the Express. However, Russian cyber criminals have found a way around this by targeting the mechanism Google provides for older phones, mail clients and other devices that cannot complete this additional verification step. Google calls these app passwords: unique 16-character codes, generated in the account’s security settings, that let such a device sign in using that code alone. Because an app password is accepted without the second verification step, anyone who obtains one, whether by stealing it or by phishing it, gets the same mailbox access as the account owner, with no second-factor prompt to alert them. Google’s Advanced Protection Program, aimed at high-risk users such as journalists and activists, disables app passwords altogether.

According to Malwarebytes, the criminals used this method to target notable academics and critics of Russia. “The attackers initially made contact by posing as a State Department representative, inviting the target to a consultation in the setting of a private online conversation,” explained Malwarebytes. “While the target believes they are creating and sharing an app password to access a State Department platform in a secure way, they are actually giving the attacker full access to their Google account.” Although this was a highly targeted campaign, the general public could be next.
“Now that this bypass is known, we can expect more social engineering attacks leveraging app-specific passwords in the future,” warned Malwarebytes. If you’re worried about this new attack, security experts at Malwarebytes have offered advice on how to stay safe.

• Only use app passwords when absolutely necessary. If you have the opportunity to change to apps and devices that support more secure sign-in methods, make that switch.

• The advice to enable MFA still stands strong, but not all MFA is created equal. Authenticator apps (like Google Authenticator) or hardware security keys (FIDO2/WebAuthn) are more resistant to attacks than SMS-based codes, let alone app passwords.

• Regularly educate yourself and others about recognising phishing attempts. Attackers often bypass MFA by tricking users into revealing credentials or app passwords through phishing.

• Monitor for unusual login attempts or suspicious behaviour, such as logins from unfamiliar locations or devices. Where possible, limit these logins.

• Regularly update your operating system and the apps you use to patch vulnerabilities that attackers might exploit. Enable automatic updates whenever possible so you don’t have to remember yourself.

• Utilise security software that can block malicious domains and recognise scams.
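The first and fourth points above are easier to act on from the administrator’s side than from a victim’s inbox. The script below is an added example written for this page, not code from Google, Malwarebytes or the Express: it audits the app passwords on Google Workspace accounts and flags any that were created recently (the fingerprint of the lure described above, where the victim generates a fresh one at the attacker’s request) or that have never been used (dead attack surface that should simply be revoked). It assumes the Admin SDK Directory API `asps` resource (`asps().list` and `asps().delete`, authorised with the `admin.directory.user.security` scope), whose items report `creationTime` and `lastTimeUsed` as epoch milliseconds, and it treats a missing or zero `lastTimeUsed` as “never used”; the sample data, users and app-password names are constructed for the example. Personal accounts have no such API, but the same list is visible at myaccount.google.com under 2-Step Verification, App passwords, and the same review applies.

```python
"""Audit Google Workspace app passwords (ASPs) and flag the ones to review.

Added example; not code from Google, Malwarebytes or the Express.
Assumes the Directory API v1 'asps' resource: each item has codeId, name,
creationTime and lastTimeUsed (epoch milliseconds as strings). A missing
or zero lastTimeUsed is treated as "never used" (assumption).
"""
from datetime import datetime, timedelta, timezone

# Fixed "now" so the constructed sample below is reproducible.
NOW = datetime(2025, 6, 20, tzinfo=timezone.utc)


def _ms(dt):
    """Epoch milliseconds as the API returns them (string int64)."""
    return str(int(dt.timestamp() * 1000))


# Constructed sample data in the shape of asps().list(...)["items"].
SAMPLE_ASPS = {
    "alice@example.org": [
        {"codeId": 101, "name": "Thunderbird on old laptop",
         "creationTime": _ms(NOW - timedelta(days=400)),
         "lastTimeUsed": _ms(NOW - timedelta(days=1))},
        # Created two days ago after a "State Department" lure: the attacker,
        # not Alice, is the one using it.
        {"codeId": 102, "name": "State Dept secure platform",
         "creationTime": _ms(NOW - timedelta(days=2)),
         "lastTimeUsed": _ms(NOW - timedelta(hours=3))},
    ],
    "bob@example.org": [
        # Old, never used: pure attack surface, revoke it.
        {"codeId": 201, "name": "printer scan-to-email",
         "creationTime": _ms(NOW - timedelta(days=900)),
         "lastTimeUsed": "0"},
    ],
}


def flag_app_passwords(asps, now=NOW, max_age_days=30):
    """Return [(asp, reasons)] for app passwords that need a human look.

    Flags an ASP if it was created within max_age_days (a fresh one is how
    the phishing campaign above manifests) or if it has never been used.
    """
    cutoff = now - timedelta(days=max_age_days)
    flagged = []
    for asp in asps:
        created = datetime.fromtimestamp(int(asp["creationTime"]) / 1000,
                                         tz=timezone.utc)
        last_used_ms = int(asp.get("lastTimeUsed") or 0)
        reasons = []
        if created >= cutoff:
            reasons.append(f"created {(now - created).days} day(s) ago")
        if last_used_ms == 0:
            reasons.append("never used")
        if reasons:
            flagged.append((asp, reasons))
    return flagged


def audit(all_asps, now=NOW, max_age_days=30):
    """Map each user to the codeIds of app passwords that should be reviewed."""
    return {
        user: [asp["codeId"] for asp, _ in flag_app_passwords(asps, now, max_age_days)]
        for user, asps in all_asps.items()
    }


def list_user_asps(service, user_key):
    """Live variant: `service` is a googleapiclient Directory v1 client built
    with the admin.directory.user.security scope (not exercised offline)."""
    return service.asps().list(userKey=user_key).execute().get("items", [])


def revoke_app_password(service, user_key, code_id):
    """Delete one app password; the attacker's session ends with it."""
    service.asps().delete(userKey=user_key, codeId=code_id).execute()


if __name__ == "__main__":
    for user, asps in SAMPLE_ASPS.items():
        for asp, reasons in flag_app_passwords(asps):
            print(f"{user}: codeId={asp['codeId']} '{asp['name']}': {', '.join(reasons)}")
```

Run it against the live API by replacing `SAMPLE_ASPS` with `list_user_asps(service, user)` for each user from `users().list`, then pass the flagged `codeId`s to `revoke_app_password` once the owner confirms they did not create them. The thirty-day window is a starting point; in an incident, narrow it to the date of the first suspicious “consultation” invitation.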
