Make your password strong
Our recommendation regarding password security is to go passwordless using our authenticator Zoho OneAuth. However, if you want to keep using passwords, please follow the practices below:
- Avoid using personal information such as your birthday, mobile number, or pet name.
- Avoid using only a single word or only common dictionary words.
- Avoid using sequences with repetitive or consecutive characters (like "12345," "000"), or commonly used sequences (like "qwerty").
- Don't make the password so complex that you cannot remember it; a long password you can recall is better than a short one you have to write down.
- Don't reuse the same password on multiple services.
- Use a unique password for your Zoho account. Never share your account password with others.
Info: By default, Zoho requires users to set a password that meets the following criteria:
- Should be at least 8 characters.
- Should not contain the user's email address.
- Should not be a breached password. When you enter a password, we check whether it appears in any known breach using Troy Hunt's breached password collection (the Have I Been Pwned "Pwned Passwords" data set). If it does, we prompt you to enter a different password.
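The three default criteria above can be checked client-side before a password is ever submitted. The following is an added example (not Zoho's own code) that applies the length, email and breach checks. The breach check uses the k-anonymity range lookup of the Pwned Passwords API, where only the first five hex characters of the SHA-1 hash leave the client and the server answers with every suffix in that range. The range response used here is a constructed sample so the example runs offline; the `fetch_range` function shows the real lookup but is not called by the demo.

```python
"""Validate a candidate password against the default criteria described above.

Added example, not Zoho's code. SAMPLE_RANGES is a constructed stand-in for the
body returned by https://api.pwnedpasswords.com/range/<prefix>.
"""
import hashlib
from typing import Callable, List, Tuple

MIN_LENGTH = 8


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix sent to the
    server and the 35-char suffix that is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Return how often the suffix appears in a range response ("SUFFIX:COUNT"
    per line). Padded entries (Add-Padding: true) carry a count of 0 and are
    therefore ignored naturally."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


# Constructed sample responses keyed by hash prefix. The second line of the
# "5BAA6" range is the genuine SHA-1 suffix of the password "password"; the
# count and the neighbouring lines are made up for the example.
SAMPLE_RANGES = {
    "5BAA6": "\n".join([
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "1F0E4C3B1B9E9C0A0F5D6B7C8D9E0F1A2B3:1",
    ]),
}


def offline_range_lookup(prefix: str) -> str:
    """Offline stand-in for the API: unknown prefixes return an empty range."""
    return SAMPLE_RANGES.get(prefix, "")


def fetch_range(prefix: str) -> str:
    """Real network lookup (not used by the demo). Only the prefix is sent."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "password-policy-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password(password: str, email: str,
                   range_lookup: Callable[[str], str] = offline_range_lookup) -> List[str]:
    """Return the list of violated criteria; an empty list means the password
    passes all three default checks."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    # Case-insensitive containment of the full address, as the policy states.
    if email and email.lower() in password.lower():
        problems.append("contains_email")
    prefix, suffix = sha1_prefix_suffix(password)
    if count_in_range(suffix, range_lookup(prefix)) > 0:
        problems.append("breached")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "Alice@Example.com2024", "short", "cobalt-meadow-orbit-lantern"):
        print(f"{candidate!r}: {check_password(candidate, 'alice@example.com') or 'ok'}")
```

Swap `offline_range_lookup` for `fetch_range` to query the live service; the suffix comparison still happens locally, so the full hash is never disclosed.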
Set up recovery options
Your Zoho account will contain important information such as your documents, emails, and so on. So, it is important that you always have access to your account. You can get locked out and lose access to your account for the following reasons:
- You forgot your password.
- Someone else accessed your account and changed your password.
- You have set up multi-factor authentication (MFA), but are unable to sign in due to some issue.
Setting up account recovery options will help you recover your access during these times.
Recovery email address/mobile number
A recovery email address or recovery mobile number will help you reset your account password if you get locked out. Make sure the email address or mobile number you add is:
- Personal only to you.
- Easily accessible.
- Working and able to receive emails/SMS.
To add a recovery email or number:
- Go to accounts.zoho.com.
- In the Profile tab, go to the Email Address or Mobile Number section.
- Click Add Email Address or Add Mobile Number.
- Enter your email address or mobile number, then click Next.
- Enter the OTP you received, then click Verify.
After you add them, periodically check and update them. If someone else gets access to the email address or mobile number, they will be able to reset your password. At Zoho, we will also remind you to review the added recovery options periodically.
Backup verification codes
If you have enabled multi-factor authentication (MFA) for your account, it is important that you generate and save the backup verification codes for your account. These codes allow you to recover your account if you are unable to sign in using MFA.
If you are using Zoho OneAuth as your MFA mode, you need to set up a passphrase. This passphrase will allow you to recover access to OneAuth if you ever lose it.
Be aware and careful of phishing attempts
Phishing is a method attackers employ to gain access to your personal information, your credentials, or to your account in general. An attacker sends phishing emails to a large number of recipients, hoping that some of them will be deceived. The phishing email may cite a critical emergency and urge you to provide your personal information, ask you to open a link to a malicious web page, or ask you to download a malicious attachment.
Even if you have secured your account with multi-factor authentication, an attacker can gain access to your account through these phishing web pages using sophisticated techniques. For example, with the "Adversary-in-the-middle" method the phishing page acts as a proxy to the real sign-in page: it relays the password and MFA verification you enter to the genuine service in real time, then steals the session cookie the service returns, giving the attacker a signed-in session that bypasses MFA.
How to identify a phishing email
- Note the clarity of the email content. Phishing emails are often vague or internally inconsistent, and they typically try to create a sense of danger and urgency.
- Check if the sender's email address is suspicious. Typically, the attacker will use a domain that is slightly different from the actual domain they are posing as. So, look out for spelling mistakes. For example, zohocrop.com instead of zohocorp.com. They may also place the company's name in the first part of the address (before the @) while the domain after it is unrelated to the company.
- Check the URLs of the links and buttons present in the email. The visible text may seem normal, but it might be linked to a different URL. For example, the text may read "Renew Payment" or "Confirm Account", or even show a legitimate-looking address, while the link actually points to a malicious URL. Make sure you hover over the link and check the URL before clicking on it. Check for spelling mistakes and suspicious domain names in the URLs, too.
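The link and domain checks above can be automated over the HTML body of a message. The following is an added example (not Zoho's own code) that extracts every link, flags hosts that are a close misspelling of a trusted domain (the zohocrop.com case), hosts that carry the brand name but are not the brand's domain, and links whose visible text is itself a URL that does not match the real target. The trusted-domain list, the brand token, the two-edit threshold and the sample email are assumptions constructed for the example; the "registrable domain" is approximated by the last two labels, which is a simplification of what a public-suffix-list lookup would do.

```python
"""Flag suspicious links in an HTML email body. Added example, not Zoho's code."""
import re
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

TRUSTED_DOMAINS = ("zoho.com", "zohocorp.com")   # assumption: domains we expect mail from
BRAND_TOKENS = ("zoho",)                          # assumption: brand names to watch for
MAX_EDITS = 2                                     # edit distance that still counts as a lookalike


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute), used for lookalike detection."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(url: str) -> str:
    """Lower-case hostname of a URL; a bare hostname is accepted too."""
    if "://" not in url:
        url = "https://" + url
    return (urlparse(url).hostname or "").lower()


def is_trusted(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def registrable(host: str) -> str:
    """Approximate registrable domain: last two labels (no public-suffix list)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


# Visible link text that looks like a URL or a hostname.
URL_LIKE = re.compile(r"^(https?://|www\.)?[\w-]+(\.[\w-]+)+(/\S*)?$", re.I)


def analyse_links(html: str) -> List[Tuple[str, List[str]]]:
    """Return (href, reasons) for every link that trips at least one check."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        reasons = []
        if not is_trusted(host):
            reg = registrable(host)
            if any(0 < levenshtein(reg, d) <= MAX_EDITS for d in TRUSTED_DOMAINS):
                reasons.append("lookalike_domain")        # e.g. zohocrop.com
            if any(tok in host for tok in BRAND_TOKENS):
                reasons.append("brand_in_untrusted_host")  # e.g. zoho.<something-else>
        if URL_LIKE.match(text) and host_of(text) != host:
            reasons.append("text_url_mismatch")           # shown address != real target
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample message: one misspelled domain, one link whose visible text
# is a genuine-looking address but points elsewhere, and one legitimate link.
SAMPLE_EMAIL_HTML = """
<p>Your account will be suspended in 24 hours unless you act now.</p>
<a href="https://zohocrop.com/renew">Renew Payment</a>
<a href="https://zoho.accounts-verify.example/login">https://accounts.zoho.com/signin</a>
<a href="https://accounts.zoho.com/signin">Sign in</a>
"""

if __name__ == "__main__":
    for href, reasons in analyse_links(SAMPLE_EMAIL_HTML):
        print(href, "->", ", ".join(reasons))
```

The legitimate accounts.zoho.com link produces no finding because it is a subdomain of a trusted domain; everything else is reported with the specific reason, which is what you want when triaging reported messages rather than a bare "suspicious" verdict.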
What to do if you suspect an email to be a phishing email
- Never reply to this type of email with your passwords or other personal information. Zoho never asks for your password via emails.
- Think before clicking the links in the email.
- If you open a link, never enter your credentials on the web page or give out any personal information.
- Think if the action you are prompted to do in the first place requires entering your credentials.
- Don't download any files attached to the email.
- If you are part of an organization, contact your IT department. If you are an individual user or if your organization doesn't have an IT team, mark the sender as spam.
- For any assistance, contact our support team at firstname.lastname@example.org.
What to do if you get affected
If you think you were affected by a phishing attempt, secure your account immediately using the following steps:
- Change your account password. Make sure you set a unique password that isn't used on any other website or app.
- Enable multi-factor authentication (MFA) if you haven't already. We recommend you secure your account using Zoho OneAuth–our own authenticator app.
- Review your account access: check the signed-in devices, active sessions, and connected apps on your Zoho Accounts page, and sign out or revoke anything you don't recognize. This is where malicious activity in your account will show up.
- If you need any further assistance, contact our support team at email@example.com.
Identify suspicious sign-ins via email alerts
If your account is compromised and someone else is able to access it, you can find out and secure your account if you have enabled the following alerts for your Zoho account:
- New sign-in to account alert
Receive email alerts whenever your account is signed in from a new device, browser, or location.
- Third-party app access alert
Receive email alerts whenever your account is accessed from a new third-party app or location. Example: IMAP/POP clients such as mail apps and calendar apps.
To enable these alerts:
- Go to accounts.zoho.com.
- Click Settings in the left menu.
- In the Preferences section, under Email notifications, enable the required alerts.
Use app-passwords for third-party apps
For third-party IMAP/POP clients, such as mail apps and calendar apps, generate and use unique app-specific passwords instead of your Zoho account password. This way, even if the client app gets compromised, your Zoho account will remain secure. These passwords can also be revoked anytime; and once revoked, the client apps will no longer be able to fetch information from your account.
Enable multi-factor authentication
Using a password alone doesn't provide much security to your account even if you have set up a strong password. Passwords can be phished, guessed, or exposed in a breach of another service, so they are always at risk of being discovered. Hence, we strongly suggest enabling multi-factor authentication (MFA) for your account. MFA adds an extra layer of security: once you enable it, all your future sign-ins will require you to verify using the MFA mode you set after you enter your password.
Secure account using IP restriction
Via IP restriction, you can allow your account to be accessed only from certain IP addresses. Once a set of allowed IP addresses is added, sign-in attempts from other IP addresses will be blocked. This way, an attacker connecting from outside the allowed addresses cannot sign in, even with a valid password.
Review account access
In your Zoho Accounts page (accounts.zoho.com), you can review the devices and apps you've signed-in to, the apps that have permission to access your account, and much more. By reviewing these details, you can find out if any unwanted app or device is accessing your account.
The details you can view on your Zoho Accounts page are listed below:
- The devices your account is signed-in to, along with the location of where your account was signed-in, and how long ago.
- The browsers you have trusted to skip MFA during sign-in.
- The third-party accounts (such as Google or Facebook) that are linked with your Zoho account.
- The websites you have granted permission to access and fetch information from your account.
- The sessions your account currently has active. This will also have the details of when each session started, the IP address, and the approximate location.
- The apps you have been accessing recently. This will have details such as the accessed IP address, OS, device, and browser.
- The web apps you have granted permission to access and fetch information from your account.
- The mobile and desktop applications your Zoho account is signed-in with.