Let’s be honest: your Gmail inbox is the keys to your kingdom. Think about it. It’s where your bank statements go, where your “forgot password” reset links land, and where your most sensitive business conversations live. For most business owners, if your Gmail is compromised, your whole world comes to a grinding halt.
The scary part? Most of us are leaving the front door wide open without even realizing it. We think “it won’t happen to me” until we see a login notification from a city we’ve never visited.
The good news is that securing your account doesn’t require a degree in computer science. You can fix the seven most common (and dangerous) mistakes in about ten minutes. Let’s dive into how to lock down your Google Workspace and keep the bad guys out.
1. You Aren’t Using 2-Step Verification (or You’re Using the Weak Kind)
If you only have a password protecting your account, you’re basically relying on a screen door to stop a sledgehammer. Passwords get leaked in data breaches every single day.
The mistake isn’t just “not having” 2-Step Verification (2SV); it’s relying on SMS codes. Attackers can “SIM swap” your number at the carrier and receive your texts, and a convincing phishing page can simply ask you for the code and relay it to Google in real time.
The 2-Minute Fix:
Head over to your Google Account settings (Security -> How you sign in to Google) and enable 2-Step Verification. Instead of SMS, choose the Google Prompt (you just tap “Yes” on your phone) or, even better, an authenticator app. One caveat with prompts: only tap “Yes” for a sign-in you started yourself; approving a prompt you didn’t expect hands the account to whoever triggered it. If you really want to go pro, get a physical security key like a YubiKey. It isn’t “un-hackable” because of the piece of plastic; it’s strong because the key checks the website’s real address before it answers, so a look-alike phishing page gets nothing, and on top of that an attacker would need the key in their hand. Register two keys (or keep your backup codes somewhere safe offline) so losing one doesn’t lock you out. If you run Google Workspace, the admin console can enforce 2SV for every user rather than leaving it to each person.
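If you administer a Google Workspace domain, the quickest way to see who is still on a bare password is to pull the user list and filter on the 2SV fields. The Python below is an added example for this article, not code from Google or from the original post: it runs on a constructed response shaped like the Admin SDK Directory API users.list result (fields primaryEmail, isAdmin, suspended, isEnrolledIn2Sv, isEnforcedIn2Sv). The user names and domain are made up; a real run would fetch pages of users with an admin credential and feed them to the same function.

```python
"""Audit which Google Workspace users are not protected by 2-Step Verification.

Added example for this article; not Google's code. Input is shaped like one page
of the Admin SDK Directory API users.list response (projection="full").
"""

# Constructed sample page of users.list output; names and domain are made up.
SAMPLE_USERS = {
    "users": [
        {"primaryEmail": "owner@example.com", "isAdmin": True, "suspended": False,
         "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True},
        {"primaryEmail": "bookkeeper@example.com", "isAdmin": False, "suspended": False,
         "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": True},
        {"primaryEmail": "contractor@example.com", "isAdmin": True, "suspended": False,
         "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False},
        {"primaryEmail": "old-intern@example.com", "isAdmin": False, "suspended": True,
         "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False},
    ]
}


def audit_2sv(response):
    """Return [(email, finding)] for active users without 2SV, admins first.

    isEnrolledIn2Sv: the user has actually set 2SV up.
    isEnforcedIn2Sv: a policy requires it for this user (after the enrollment
    period, sign-in is blocked until they enroll).
    Suspended users cannot sign in at all, so they are skipped.
    """
    findings = []
    for user in response.get("users", []):
        if user.get("suspended"):
            continue
        if user.get("isEnrolledIn2Sv"):
            continue
        is_admin = bool(user.get("isAdmin"))
        finding = "not enrolled in 2SV"
        if not user.get("isEnforcedIn2Sv"):
            finding += ", and no policy forces them to enroll"
        if is_admin:
            finding = "ADMIN " + finding
        findings.append((is_admin, user["primaryEmail"], finding))
    # Admin accounts are the crown jewels, so they sort to the top.
    findings.sort(key=lambda f: (not f[0], f[1]))
    return [(email, finding) for _, email, finding in findings]


if __name__ == "__main__":
    for email, finding in audit_2sv(SAMPLE_USERS):
        print(f"{email}: {finding}")
```

On the sample data the contractor (an admin with neither enrollment nor enforcement) comes out first, the bookkeeper second, and the suspended intern is ignored; run it against a real export and the top of the list is where to start.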
2. The “One Password to Rule Them All” Habit
We’ve all done it. You have one “strong” password that you’ve used for your Gmail, your favorite online shoe store, and that random forum you joined in 2014.
Here’s the problem: when that random forum gets hacked (and it will), hackers take your email and that password and try it on Gmail. It’s called “credential stuffing,” and it works like a charm.
The 2-Minute Fix:
Change your Gmail password to something long and unique. Don’t try to memorize it; use a password manager. If you’re a business owner, this is non-negotiable. A password manager lets you have 20-character random strings for every site without remembering any of them, and because it only fills a password on the site it was saved for, it also quietly refuses to type your Gmail password into a look-alike phishing page. If you’re feeling overwhelmed by the technical setup, our managed IT services can help get your team on the right track.
3. Trusting the “From” Name Without Verifying
Phishing has evolved. Gone are the days of obvious typos and “Princes” asking for wire transfers. Modern attackers use “display name spoofing.” Your phone shows an email from “Mathew Hoffman,” but if you look at the actual address behind the name, it’s on a free webmail service, a random relay domain, or a look-alike of the real domain with one letter changed.
Attackers rely on the fact that we’re all busy. We see a name we trust, we see an attachment labeled “Invoice,” and we click.
The 1-Minute Fix:
Check the real address before you click anything: on desktop, hover over or click the small arrow under the sender’s name to expand the details; on the phone, tap the name. Read the part after the @ and compare it with the person’s real domain. A familiar name, or even a familiar address stuffed into the display name, proves nothing; if the domain doesn’t match, delete it. Also glance at where a reply would go: a From address can look right while Reply-To points somewhere else. If you’re ever in doubt, reach out to the person via a different channel, like a quick text or a phone call, to ask if they actually sent you a file. Better safe than sorry!
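The checks above can be automated. The Python below is an added example written for this article (not code from Gmail or the original post); it parses a raw message’s From, Reply-To and Authentication-Results headers with the standard library and flags the tricks described: a trusted display name on a foreign domain, an email address stuffed into the display name, a Reply-To that diverts the conversation, and a failed DMARC result. The three messages and the contact list are constructed for the demo; a real run would read an .eml file or the raw message from the Gmail API.

```python
import email
import re
from email.utils import parseaddr

# Three constructed messages (headers plus a one-line body); none of these are
# real mail. A real check would read an .eml file or the "raw" message from the
# Gmail API.
GENUINE = (
    "From: Mathew Hoffman <mathew@cloudcomputer.example>\n"
    "Reply-To: mathew@cloudcomputer.example\n"
    "Authentication-Results: mx.google.com; spf=pass; dkim=pass "
    "header.d=cloudcomputer.example; dmarc=pass header.from=cloudcomputer.example\n"
    "Subject: Invoice 1042\n\nbody\n"
)
DISPLAY_NAME_SPOOF = (
    'From: "Mathew Hoffman" <accounts.payable.88@mail-relay.example.net>\n'
    "Authentication-Results: mx.google.com; spf=pass; dkim=none; dmarc=none\n"
    "Subject: Invoice 1042 - URGENT\n\nbody\n"
)
ADDRESS_IN_NAME = (
    'From: "mathew@cloudcomputer.example" <noreply@free-hosting.example.org>\n'
    "Reply-To: collections@free-hosting.example.org\n"
    "Authentication-Results: mx.google.com; spf=pass; dkim=pass "
    "header.d=free-hosting.example.org; dmarc=pass header.from=free-hosting.example.org\n"
    "Subject: Invoice 1042\n\nbody\n"
)

# People you actually deal with, keyed by lower-cased display name (constructed).
KNOWN_SENDERS = {"mathew hoffman": "cloudcomputer.example"}


def _domain(address):
    """Everything after the last '@', lower-cased; '' if there is no '@'."""
    return address.rpartition("@")[2].lower()


def check_sender(raw_message, known_senders=KNOWN_SENDERS):
    """Return a list of warnings about the From header; an empty list means it passed."""
    msg = email.message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    warnings = []

    # 1. Trusted display name, but the address lives on some other domain.
    expected = known_senders.get(name.strip().lower())
    if expected and from_domain != expected:
        warnings.append(f"display name '{name}' belongs to {expected} but the address is {addr}")

    # 2. An email address used as the display name so it looks like the sender.
    if "@" in name and _domain(name) != from_domain:
        warnings.append(f"display name shows {_domain(name)} but the real sender is {from_domain}")

    # 3. Replies silently go somewhere other than the apparent sender.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and _domain(reply_to) != from_domain:
        warnings.append(f"replies would go to {reply_to}, not to {from_domain}")

    # 4. Gmail records its DMARC verdict in Authentication-Results; anything but
    #    'pass' means the From domain did not vouch for this message.
    auth = msg.get("Authentication-Results", "")
    match = re.search(r"\bdmarc=(\w+)", auth)
    if match is None or match.group(1).lower() != "pass":
        warnings.append(f"DMARC did not pass for {from_domain or 'unknown sender'}")

    return warnings


if __name__ == "__main__":
    for label, raw in [("genuine", GENUINE), ("spoof", DISPLAY_NAME_SPOOF),
                       ("address-in-name", ADDRESS_IN_NAME)]:
        print(label, check_sender(raw) or ["looks fine"])
```

The genuine message produces no warnings; the display-name spoof trips both the contact check and DMARC; the third message passes DMARC for its own throwaway domain, which is exactly why the address-in-the-name check is needed on top of authentication results.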
4. Leaving Legacy Protocols (POP and IMAP) Enabled
Back in the day, we needed POP and IMAP to get our email into apps like Outlook or Apple Mail. The problem isn’t the protocols themselves; it’s how they sign in. The classic way is plain username-and-password (“basic authentication”), and a password handed over that way can never be challenged for a second step.
Google now rejects your normal account password over IMAP and POP and requires either a proper Google sign-in (OAuth) or a 16-character “app password.” An app password sidesteps 2SV by design. If one leaks, or an attacker who gets into your account once creates one for themselves, a legacy IMAP connection keeps handing them the whole mailbox later without your phone ever buzzing. It’s like locking the front door but leaving the crawlspace wide open.
The 1-Minute Fix:
Unless you have a very specific, old-school reason to keep them, go into your Gmail settings (the gear icon -> See all settings -> Forwarding and POP/IMAP) and disable both; on a Google Workspace domain, the admin console can turn them off for everyone at once. Then open Security -> 2-Step Verification -> App passwords in your Google Account and delete any you don’t recognize or no longer use. Modern mail apps sign in through Google’s own login page (“OAuth”), which goes through 2SV like any other sign-in; a mail client that asks for your Google password inside its own window instead of opening a Google sign-in screen is the one to be wary of.
5. Over-Granting Third-Party App Permissions
Have you ever used your Google account to sign up for a cool new productivity tool or a “Which 80s Rock Star Are You?” quiz? When you clicked “Allow,” you may have granted that app far more than a sign-in: permission to read, send, or even delete your email.
The mistake is forgetting to revoke that access once you stop using the app. If that third-party company gets breached, the hackers might have a direct pipeline into your Gmail.
The 2-Minute Fix:
Go to your Google Account “Security” tab and look for “Your connections to third-party apps and services.” Open each entry and read what it actually has access to: a plain “Sign in with Google” is low risk, but anything that can see your Gmail, Drive or Contacts deserves a hard look. Click “Remove Access” for anything you don’t recognize or haven’t used in the last three months. It’s an easy way to clean up your digital footprint.
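For a Workspace domain, the same review can be done for every user at once from the Admin SDK Directory API’s tokens.list, which returns each app’s clientId, displayText and the list of OAuth scopes it was granted. The Python below is an added example for this article, not code from Google or the original post: it ranks each app by the worst scope it holds, so a quiz with full mailbox access floats to the top and a sign-in-only app sinks to the bottom. The four apps are constructed sample data; the scope strings are Google’s real scope identifiers, and the risk labels are this example’s own judgement.

```python
# Risk of each OAuth scope, judged by what a breached app could do to the mailbox.
# The scope strings are Google's real identifiers; the risk labels are this
# example's own judgement.
SCOPE_RISK = {
    "https://mail.google.com/": ("critical", "full read, send and delete access to all mail"),
    "https://www.googleapis.com/auth/gmail.modify": ("critical", "read, relabel and delete mail"),
    "https://www.googleapis.com/auth/gmail.settings.sharing": ("critical", "can add forwarding addresses and delegates"),
    "https://www.googleapis.com/auth/gmail.readonly": ("high", "can read every message"),
    "https://www.googleapis.com/auth/gmail.send": ("high", "can send mail as you"),
    "https://www.googleapis.com/auth/gmail.compose": ("high", "can create and send drafts as you"),
    "https://www.googleapis.com/auth/drive": ("high", "full access to Drive"),
    "https://www.googleapis.com/auth/gmail.metadata": ("medium", "headers and labels only"),
    "https://www.googleapis.com/auth/drive.file": ("low", "only files the app itself opened or created"),
    "https://www.googleapis.com/auth/calendar.readonly": ("low", "read-only calendar"),
}
SIGN_IN_ONLY = {
    "openid", "email", "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}
# Worst first. Unknown scopes sit above medium because nobody has looked at them yet.
LEVELS = ["critical", "high", "unknown", "medium", "low", "sign-in only"]

# Constructed sample shaped like tokens.list items (clientId, displayText, scopes).
SAMPLE_TOKENS = [
    {"clientId": "1111.apps.googleusercontent.com", "displayText": "Which 80s Rock Star Are You?",
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/userinfo.email"]},
    {"clientId": "2222.apps.googleusercontent.com", "displayText": "SalesPipeline CRM",
     "scopes": ["https://www.googleapis.com/auth/gmail.send",
                "https://www.googleapis.com/auth/gmail.readonly",
                "https://www.googleapis.com/auth/userinfo.email"]},
    {"clientId": "3333.apps.googleusercontent.com", "displayText": "MeetingPlanner",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"clientId": "4444.apps.googleusercontent.com", "displayText": "Newsletter Sign-in",
     "scopes": ["openid", "https://www.googleapis.com/auth/userinfo.email",
                "https://www.googleapis.com/auth/userinfo.profile"]},
]


def scope_level(scope):
    """Map one scope to (level, explanation)."""
    if scope in SCOPE_RISK:
        return SCOPE_RISK[scope]
    if scope in SIGN_IN_ONLY:
        return ("sign-in only", "identity only, no data access")
    return ("unknown", "not in the table; review manually")


def triage_tokens(tokens):
    """Return [(app name, worst level, [reasons])] sorted worst-first."""
    rows = []
    for token in tokens:
        worst = "sign-in only"
        reasons = []
        for scope in token.get("scopes", []):
            level, why = scope_level(scope)
            if LEVELS.index(level) < LEVELS.index(worst):
                worst = level
            if level != "sign-in only":
                short = scope.rstrip("/").rsplit("/", 1)[-1]
                reasons.append(f"{short}: {why}")
        rows.append((token.get("displayText") or token.get("clientId", "?"), worst, reasons))
    rows.sort(key=lambda r: (LEVELS.index(r[1]), r[0]))
    return rows


if __name__ == "__main__":
    for name, level, reasons in triage_tokens(SAMPLE_TOKENS):
        print(f"[{level}] {name}: {'; '.join(reasons) or 'sign-in only'}")
```

The quiz lands at the top because https://mail.google.com/ alone is full mailbox control; the CRM is “high” because it can both read and send as the user; the newsletter login holds nothing but identity scopes and can stay. Anything that comes back “unknown” is a scope the table hasn’t classified and is worth a manual look rather than a shrug.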
6. Ignoring the “Blue Checkmark” and BIMI
Google added a blue checkmark next to verified senders in 2023. It’s built on BIMI (Brand Indicators for Message Identification): the sending domain has to pass DMARC with a policy of quarantine or reject, publish a logo in DNS, and back that logo with a Verified Mark Certificate (VMC), or an equivalent certificate Google accepts, issued by an approved authority. When all of that lines up, Gmail shows the brand’s logo and the checkmark, which tells you the message really did come from that domain.
The mistake? Not looking for it, or worse, assuming every email with a logo is safe. The checkmark only proves the message passed that domain’s authentication; it says nothing about what’s inside, and attackers are already trying to find ways to mimic the look.
The 1-Minute Fix:
Start paying attention to those checkmarks, and treat them as one signal rather than a verdict. If an “official” email from a brand that normally shows its verified logo suddenly arrives without it, treat it with extreme suspicion. But plenty of legitimate smaller senders have never set BIMI up, so a missing checkmark on its own isn’t proof of phishing, and a present one doesn’t make a link safe to click. If you want your own business emails to qualify, the prerequisites are DMARC at enforcement, a published BIMI record and a VMC; we can help with a Google Workspace health and security checkup.
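Whether your own domain qualifies comes down to two DNS TXT records: the DMARC record at _dmarc.yourdomain and the BIMI record at default._bimi.yourdomain. The Python below is an added example for this article, not code from Google or the original post: it parses both records and reports what is still missing for the checkmark. The sample records are constructed; look yours up with dig TXT _dmarc.example.com and dig TXT default._bimi.example.com and paste the values in. Treating a partial rollout (pct below 100) or sp=none as “not enforced” is this example’s conservative reading rather than a quoted Google rule.

```python
# Constructed example TXT records; replace with your own domain's values.
READY_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
READY_BIMI = "v=BIMI1; l=https://example.com/brand/logo.svg; a=https://example.com/brand/vmc.pem"
MONITOR_ONLY_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
LOGO_ONLY_BIMI = "v=BIMI1; l=https://example.com/brand/logo.svg; a="


def parse_tags(record):
    """Split a 'k=v; k=v' style TXT record into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def bimi_readiness(dmarc_txt, bimi_txt):
    """Return (ready, issues) for a domain's DMARC and BIMI records.

    Gmail's checkmark needs DMARC at enforcement (p=quarantine or p=reject),
    a BIMI record pointing at an SVG logo, and an a= evidence URL for the
    Verified Mark Certificate. Flagging pct below 100 or sp=none as "not
    enforced" is this example's conservative reading.
    """
    issues = []

    dmarc = parse_tags(dmarc_txt or "")
    if dmarc.get("v", "").upper() != "DMARC1":
        issues.append("no DMARC record at _dmarc.<domain>")
    else:
        policy = dmarc.get("p", "none").lower()
        if policy not in ("quarantine", "reject"):
            issues.append(f"DMARC policy is p={policy}; it must be quarantine or reject")
        if dmarc.get("pct", "100") != "100":
            issues.append(f"DMARC applies to only pct={dmarc['pct']} of mail")
        if dmarc.get("sp", "").lower() == "none":
            issues.append("subdomain policy sp=none leaves subdomains unenforced")

    bimi = parse_tags(bimi_txt or "")
    if bimi.get("v", "").upper() != "BIMI1":
        issues.append("no BIMI record at default._bimi.<domain>")
    else:
        logo = bimi.get("l", "")
        if not (logo.startswith("https://") and logo.lower().endswith(".svg")):
            issues.append("l= must be an https URL to an SVG logo")
        if not bimi.get("a"):
            issues.append("a= is empty: the logo may display elsewhere, but Gmail's "
                          "blue checkmark needs a Verified Mark Certificate")

    return (not issues, issues)


if __name__ == "__main__":
    for label, dmarc, bimi in [("ready", READY_DMARC, READY_BIMI),
                               ("monitor-only", MONITOR_ONLY_DMARC, LOGO_ONLY_BIMI)]:
        ready, issues = bimi_readiness(dmarc, bimi)
        print(label, "OK" if ready else issues)
```

The first pair passes cleanly. The second is the common half-finished state: DMARC still at p=none (monitoring only) and a BIMI record with a logo but no certificate, so Gmail shows no checkmark even though the DNS “looks” set up.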
7. Skipping the “Account Recovery” Audit
What happens if you actually do lose access to your account? If your recovery phone number is an old mobile you haven’t used in five years, or your recovery email is a defunct Yahoo account, you are in big trouble. Google’s recovery process is intentionally strict to keep hackers out, which means it can also keep you out if your info is outdated.
The 2-Minute Fix:
Check your recovery information right now. Make sure your current mobile number is listed and that you have a secondary email address set as the recovery contact. Pick one you control yourself and protect it with 2SV as well; a recovery address is a back door into your main account, so a spouse’s or partner’s mailbox is only as safe as their security habits. While you’re there, print your 2SV backup codes and keep them somewhere safe offline. This is your safety net.
Why This Matters for Your Business
Security isn’t a “set and forget” thing. It’s a habit. If you’re running a business, a single compromised account can lead to data theft, fraudulent wire transfers, or a total loss of client trust.
Taking ten minutes today to run through these fixes isn’t just about tech; it’s about protecting the business you’ve worked so hard to build. If you feel like your team needs more than just a quick fix, we offer specialized training to help everyone stay sharp and secure.
Don’t wait for a “suspicious login” alert to start caring about your inbox. Take the ten minutes, do the audit, and sleep a little sounder tonight. If you’re not sure where to start, feel free to reach out to us: we’re here to help keep your cloud environment safe and sound.
About Mathew
Mathew Hoffman is the Owner of Cloud Computer Company. He started his career in IT back in 1981 and has since held senior roles at the State Bank of NSW, Minet, Wilhelmsen Lines, and Rothmans of Pall Mall. A career highlight for Mathew was his work during the Sydney 2000 Olympics. Since 2001, he has provided IT consultancy to small and medium businesses. Mathew was one of the original Google Partners in 2008 and rebranded the business to Cloud Computer Company in 2017. Now based in Noosa, Mathew is an avid cricket fan: having played and coached in both Sydney and the Sunshine Coast. When he isn’t securing cloud environments, you’ll find him spending time with his family, hitting the beach, or playing a round of golf.