Gmail security checklist

The tips and tools in this checklist can help prevent unauthorized access to your Gmail and secure your account if it was recently compromised.


Congratulations! You've completed the Gmail security checklist. Remember to keep up with the security best practices you've just learned.

To learn more about security, visit the Google Online Security Blog.

Secure your password

Passwords are the first line of defense against account hijackers. If your account was recently compromised, you should change your password now.

Think of a strong password

  • Use unique passwords for your accounts, especially important accounts like email and online banking. Choosing the same password for each of your online accounts is like using the same key to lock your home, car and office – if a criminal gains access to one, all of them are compromised.
  • Use a long password. The longer your password is, the harder it is to guess.
  • Use a password with a mix of letters, numbers, and symbols.
  • Try using a phrase that only you know. For example, for your email you could start with “My friends Tom and Jasmine send me a funny email once a day” and then use numbers and letters to recreate it. “MfT&Jsmafe1ad” is a password with lots of variations.

Change your password

  1. Sign in to My Account.
  2. In the "Sign-in & security" section, select Signing in to Google.
  3. Choose Password.
  4. Enter your new password information, then select Change Password.

Tips for keeping your password safe

  • Don’t send your password via email. Legitimate sites and services won’t ask you to send them your passwords via email.
  • Keep your password reminders in a secret place that isn’t easily visible. Don’t leave notes with your passwords in plain sight, on your computer or desk.

Learn more about creating strong passwords.

Update your account recovery options

Recovery options help secure your account from account hijackers and give you a way to access your account if you forget your password.

Mobile phone

A mobile phone is one of the easiest and quickest ways to help protect your account. It's more secure than your recovery email address because you usually have your phone with you. Giving a recovery phone number to Google won’t result in you being signed up for marketing lists or getting more calls from telemarketers.


Your recovery email address can be used to send you an email to reset your password if you get locked out, or challenge an account hijacker.

Update your account recovery options

  1. Go to and sign in.
  2. Click Update recovery options under “Password and recovery options.”
  3. Add or edit your security options for “Mobile phone” and “Email.”

Get more information about adding recovery options to your account.

Check your account for unusual activity

Regularly review your account for unfamiliar or suspicious activity

On your Recent activity page, you can see security-related actions you’ve taken, like signing in to your Google Account, changing your password, or adding a recovery email address or phone number.

It's good practice to review these actions and take note of the time and location where they took place. If you notice anything suspicious -- for example, a sign-in from a browser you've never used, or a location you've never been to -- you should change your password to secure your account. Find out more about suspicious account activity.


Check for missing or suspicious messages

If you are unable to find a large number of messages in your account, it may be a sign that your account was compromised. Find out how to find missing messages.

Additionally, if you notice unfamiliar messages sent from your account or are receiving unsolicited password recovery emails from other sites, your account may be compromised.

  • Check your sent mail by clicking Sent Mail on the left side of your Gmail. (If you don't see Sent Mail, click the More drop-down menu at the bottom of your label list.)
  • Check deleted messages by clicking Trash on the left side of your Gmail. (If you don't see Trash, click the More drop-down menu at the bottom of your label list.)

Check your contacts for errors

  1. Sign in to Gmail.
  2. Click Gmail at the top-left corner of your Gmail page and choose Contacts.
  3. If you don't see all of the contacts you expect to see, you can restore your contacts to an earlier time period.

Check your Gmail settings

Make sure your mail goes where you want it to.

  1. Sign in to Gmail.
  2. Click the gear icon in the upper right, then select Settings.
  3. Use the table below to check various settings.

| Settings tab | Section | Action |
|---|---|---|
| General | Signature | Check that there isn’t any unfamiliar content in the text box. If there is, remove it and click Save Changes at the bottom of the page. |
| General | Vacation responder | Check that there isn’t any unfamiliar content in the text box. If there is, remove it and click Save Changes at the bottom of the page. |
| Accounts | Send mail as | Verify that all email addresses listed belong to you. If there is an unfamiliar or unnecessary address listed, click delete on the right side. If there is an unwanted “Reply-to address” listed, click edit info and delete or change the “Reply-to address.” Save changes. |
| Accounts | Check mail from other accounts (using POP3) | Make sure you recognize any addresses listed. Click delete to remove unwanted accounts. |
| Accounts | Grant access to your account | Check to see if there are any email addresses listed. The owner of an account listed here can read and send mail on your behalf. Click delete to revoke an account’s access. |
| Filters | | If there are any filters that say “Forward to,” check that the address listed is familiar and correct. Click edit or delete to the right of the filter to make changes. |
| Filters | | Look for filters that say “Delete it” and make sure the filter was set up by you. Click edit or delete to the right of the filter to make changes. |
| Forwarding and POP/IMAP | Forwarding | Confirm that your mail isn’t being forwarded to an unwanted address. If there is an unwanted forwarding address, choose Disable forwarding and then click Save Changes at the bottom of the page. |
| Forwarding and POP/IMAP | POP Download | Verify that your settings are correct. If POP is enabled but you don’t access your mail using POP, select Disable POP and then click Save Changes at the bottom of the page. |
| Forwarding and POP/IMAP | IMAP Access | Verify that your settings are correct. If IMAP is enabled but you don’t access your mail using IMAP, select Disable IMAP and then click Save Changes at the bottom of the page. (If you use an email client like Apple Mail, Thunderbird, or Outlook, you are likely using IMAP.) |
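
The checks in the settings table above can also be run over exported settings data. The following is an added example, not part of the original checklist and not Google's code; it assumes the settings are supplied as dictionaries whose field names follow the Gmail API settings resources, and the function name, sample data and addresses are constructed for illustration.

```python
# Added example. Assumption: input field names follow the Gmail API settings resources.
def audit_settings(settings, my_addresses, uses_pop=False, uses_imap=False):
    """Return (tab, section, detail) tuples for each item the table says to review."""
    mine = {a.lower() for a in my_addresses}
    def known(addr):
        return addr.lower() in mine
    findings = []
    for s in settings.get("sendAs", []):
        if not known(s["sendAsEmail"]):
            findings.append(("Accounts", "Send mail as", s["sendAsEmail"]))
        reply_to = s.get("replyToAddress")
        if reply_to and not known(reply_to):
            findings.append(("Accounts", "Reply-to address", reply_to))
    for d in settings.get("delegates", []):  # any delegate can read and send mail
        findings.append(("Accounts", "Grant access to your account", d["delegateEmail"]))
    for f in settings.get("filters", []):
        action = f.get("action", {})
        fwd = action.get("forward")
        if fwd and not known(fwd):
            findings.append(("Filters", "Forward to", fwd))
        if "TRASH" in action.get("addLabelIds", []):  # shown in the UI as "Delete it"
            findings.append(("Filters", "Delete it", f["id"]))
    auto = settings.get("autoForwarding", {})
    dest = auto.get("emailAddress", "")
    if auto.get("enabled") and not known(dest):
        findings.append(("Forwarding and POP/IMAP", "Forwarding", dest))
    if settings.get("pop", {}).get("accessWindow", "disabled") != "disabled" and not uses_pop:
        findings.append(("Forwarding and POP/IMAP", "POP Download", "enabled but unused"))
    if settings.get("imap", {}).get("enabled") and not uses_imap:
        findings.append(("Forwarding and POP/IMAP", "IMAP Access", "enabled but unused"))
    return findings

# Constructed sample data (not taken from a real account).
SAMPLE = {
    "sendAs": [{"sendAsEmail": "me@example.com", "replyToAddress": "collector@example.net"}],
    "delegates": [{"delegateEmail": "helper@example.net"}],
    "filters": [
        {"id": "f1", "criteria": {"from": "bank@example.org"}, "action": {"forward": "collector@example.net"}},
        {"id": "f2", "criteria": {"from": "alerts@example.org"}, "action": {"addLabelIds": ["TRASH"]}},
        {"id": "f3", "criteria": {"from": "news@example.org"}, "action": {"addLabelIds": ["Label_1"]}},
    ],
    "autoForwarding": {"enabled": True, "emailAddress": "me@example.com"},
    "pop": {"accessWindow": "allMail"},
    "imap": {"enabled": True},
}

if __name__ == "__main__":
    for tab, section, detail in audit_settings(SAMPLE, ["me@example.com"], uses_imap=True):
        print(f"{tab} > {section}: {detail}")
```

Every finding is something to review by hand, as the table describes; a delegate or a “Delete it” filter that you set up yourself is expected and can stay.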

Keep your device clean

If your computer is infected with malware, remove the malware as soon as you can

One way to clean your computer is to scan it with at least one, and ideally a few, high-quality antivirus products. We can’t vouch for their programs’ effectiveness, but trying the latest versions of any of them often makes a difference. Learn more about device security.

If your account was recently compromised, change your password again after removing malware from your computer.

Make sure your operating system is up to date

Operating systems release updates to repair security vulnerabilities. Whether you use Windows or Mac OS, we recommend protecting your computer by enabling your automatic update setting, and updating when you get a notification.

Don’t ignore regular software updates

Some software updates aren't included in your operating system updates, but they are just as important. Software such as Adobe Flash, Adobe Reader, and Java release regular updates that may include repairs for security vulnerabilities.

Update your browser

It’s important to always upgrade to the latest version of your web browser so that you get the latest security updates.

Find out if your browser is updated

  1. Go to and you’ll see what browser you are currently using.
  2. If you see “This is the most current version,” your browser is already updated!
  3. If you see “There is a newer version,” click the Update your browser button and download the newest version of your browser.


Google’s Chrome browser automatically updates to the latest version every time you start it up, so you can get the most up-to-date security protection without any extra work.

Turn on 2-Step Verification

Most people only protect their accounts with their password. However, with 2-Step Verification, you’ll protect your account with your password and your phone. If a bad guy manages to steal or guess your password, he'll also need to have your phone to get into your account.

Signing in with 2-Step Verification works a little differently. You’ll enter your password as usual, then you’ll provide a verification code that you’ll get from your phone. You can make this process simpler for the computers or devices that you use often.


At the end of the setup process, be sure to set up backup options for times when your phone isn’t available (such as when you travel or if your battery runs out).


Prevent identity theft and avoid scams

Don’t reply if you see a suspicious message or webpage asking for your personal or financial information

Always be wary of any messages or sites that ask for your personal information, or messages that refer you to an unfamiliar web page asking for any of the following details: usernames, passwords, Social Security numbers, bank account numbers, PINs, full credit card numbers, your mother’s maiden name, or your birthday.

Don’t reply or start filling out any forms or sign-in screens that might be linked to from those messages.

Report these messages as phishing

If you receive an email asking for personal information (phishing), you can report it to Google.

  1. Sign in to Gmail.
  2. Open the message you'd like to report.
  3. Click the down arrow next to Reply in the top-right corner of the message pane.
  4. Select Report Phishing.

Be careful responding to strange messages from your contacts

If you see a message from someone you know that doesn’t seem like them, their account may have been compromised by an account hijacker who is trying to get money or information from you – so be careful how you respond.

Common tactics include asking you to urgently send them money, claiming to be stranded in another country or saying that their phone has been stolen so they cannot be called. The message may also tell you to click on a link to see a picture, article or video, which actually leads you to a site that might steal your information – so think before you click! Learn how you can prevent identity theft.

Avoid messages that pretend to be from Google

Unfortunately, unscrupulous people sometimes try to use the Google brand to scam and defraud others. Find out more about how to avoid and report scams that use the Google brand.

When in doubt, play it safe

If you have doubts about an ad or an offer, trust your gut! Only click on ads or buy products from sites that are safe, reviewed, and trusted. Learn more about avoiding scams.

Learn more about account security

Check the list of services that are authorized to access your Google Account data

Make sure that the list of authorized services is accurate and contains only services that you have chosen. If your Google Account has been compromised recently, it's possible that the bad guys could have authorized their own websites to access your account data. This may allow them to access your Google Account after you have changed your password.

In addition, if you have installed plug-ins or browser extensions that access your account, Google can't guarantee the security of these third party services. If those services are compromised, so is your Gmail password.

  1. Go to and sign in.
  2. Find the Account permissions section and click View all.
  3. Review the list of connected services.
  4. If you find an unwanted service, select the service and click Revoke access on the right.

Sign out after signing in to Google on a shared computer

When using public computers like in a library or cybercafe, remember that you may still be signed into any services you’ve been using even after you close the browser. So when using a public computer, be sure to sign out by clicking on your account photo or email address in the top right corner and selecting Sign out.

Lock your screen

You wouldn’t go out for the day and leave your front door wide open, right? The same principle applies to the devices you use. You should always lock your screen when you finish using your computer, laptop or phone. For added security, you should also set your device to automatically lock when it goes to sleep. Learn more about locking your screen.

Use secure networks

Be extra careful whenever you go online using a network you don’t know, and learn about setting up your home router and WiFi network securely. Learn more about secure networks.

Know your Google security and privacy tools

With Google, you have a variety of tools that can help keep you safe and keep your information private and secure. Check out some of our most popular tools that help make Google work better for you.