Safer Internet Day is a great time to do it, but you can—and should!—take a Security Checkup on a regular basis. Start your Security Checkup by visiting My Account.

2. Informing Gmail users about potentially unsafe messages

If you and your Grandpa both use Gmail to exchange messages, your connections are encrypted and authenticated. That means no peering eyes can read those emails as they zoom across the web, and you can be confident that the message from your Grandpa in size 48 font (with no punctuation and a few misspellings) is really from him!

However, as our Safer Email Transparency Report explains, these things are not always true when Gmail interacts with other mail services. Today, we’re introducing changes in Gmail on the web to let people know when a received message was not encrypted, when you’re composing a message to a recipient whose email service doesn’t support TLS encryption, or when the sender’s domain couldn’t be authenticated.

Here’s the notice you’ll see in Gmail before you send a message to a service that doesn’t support TLS encryption. You’ll also see the broken lock icon if you receive a message that was sent without TLS encryption.

If you receive a message that can’t be authenticated, you’ll see a question mark where you might otherwise see a profile photo or logo:


3. Protecting you from bad apps

Dangerous apps that phish and steal your personal information, or hold your phone hostage and make you pay to unlock it, have no place on your smartphone—or any device, for that matter.

Google Play helps protect your Android device by rejecting bad apps that don’t comply with our Play policies. It also conducts more than 200 million daily security scans of devices, in tandem with our Safe Browsing system, for any signs of trouble. Last year, bad apps were installed on fewer than 0.13% of Android devices that install apps only from Google Play.

Learn more about these, and other Android security features—like app sandboxing, monthly security updates for Nexus and other devices, and our Security Rewards Program—in new research we’ve made public on our Android blog.

4. Busting bad advertising practices

Malicious advertising “botnets” try to send phony visitors to websites to make money from online ads. Botnets threaten the businesses of honest advertisers and publishers, and because they’re often made up of devices infected with malware, they put users in harm’s way too.

We've worked to keep botnets out of our ads systems, cutting them out of advertising revenue, and making it harder to make money from distributing malware and Unwanted Software. Now, as part of our effort to fight bad ads online, we’re reinforcing our existing botnet defenses by automatically filtering traffic from three of the top ad fraud botnets, comprising more than 500,000 infected user machines. Learn more about this update on the DoubleClick blog.

5. Moving the security conversation forward

Recent events—Edward Snowden’s disclosures, the Sony Hack, the current conversation around encryption, and more—have made online safety a truly mainstream issue. This is reflected both in news headlines and in popular culture: “Mr. Robot,” a TV series about hacking and cybersecurity, just won a Golden Globe for Best Drama, and @SwiftOnSecurity, a popular security commentator, is named after Taylor Swift.

But despite this shift, security remains a complex topic that lends itself to lively debates between experts...that are often unintelligible to just about everyone else. We need to simplify the way we talk about online security to enable everyone to understand its importance and participate in this conversation.

To that end, we’re teaming up with Medium to host a virtual roundtable about online security, present and future. Moderated by journalist and security researcher Kevin Poulsen, this project aims to present fresh perspectives about online security in a time when our attention is increasingly ruled by the devices we carry with us constantly. We hope you’ll tune in and check it out.

Online security and safety are being discussed more often, and with more urgency, than ever before. We hope you’ll take a few minutes today to learn how Google protects your data and how we can work toward a safer web, for everyone.

Consistent with the social engineering policy we announced in November, embedded content (like ads) on a web page will be considered social engineering when it either:

  • Pretends to act, or look and feel, like a trusted entity — like your own device or browser, or the website itself.
  • Tries to trick you into doing something you’d only do for a trusted entity — like sharing a password or calling tech support.

Below are some examples of deceptive content, shown via ads:
This image claims that your software is out-of-date to trick you into clicking “update”. 

This image mimics a dialogue from the FLV software developer -- but it does not actually originate from this developer.

These buttons seem like they will produce content that relates to the site (like a TV show or sports video stream) by mimicking the site’s look and feel. They are often not distinguishable from the rest of the page.

Our fight against unwanted software and social engineering is still just beginning. We'll continue to improve Google's Safe Browsing protection to help more people stay safe online.

Will my site be affected?

If visitors to your web site consistently see social engineering content, Google Safe Browsing may warn users when they visit the site. If your site is flagged for containing social engineering content, you should troubleshoot with Search Console. Check out our social engineering help for webmasters.