Best practices for keeping your Zoho account secure
Make your password strong
Our recommendation regarding password security is to go passwordless using our authenticator Zoho OneAuth. However, if you want to keep using passwords, please follow the practices below:
- Avoid using personal information such as your birthday, mobile number, or pet name.
Avoid using only a single word or only common dictionary words. - Avoid using sequences with repetitive or consecutive characters (like "12345," "000"), or commonly used sequences (like "qwerty").
- Don't make the password overly complex; make sure it is easily remembered.
- Don't reuse the same password on multiple services.
- Use a unique password for your Zoho account.Never share your account password with others.
Info: By default, Zoho enforces users to set a password with the following criteria:
- Should be at least 8 characters.
- Should not contain the user's email address.
- Should not be a breached password. When you enter a password, we will check if it is found in any previous breaches using Troy Hunt's breached password collection. If it was, we will prompt you to enter a different password.
Set up recovery options
Your Zoho account will contain important information such as your documents, emails, and so on. So, it is important that you always have access to your account. You can get locked out and lose access to your account for the following reasons:
- You forgot your password.
- Someone else accessed your account and changed your password.
- You have set up multi-factor authentication (MFA), but are unable to sign in due to some issue.
Setting up account recovery options will help you recover your access during these times.
Recovery email address/mobile number
A recovery email address or recovery mobile number will help you reset your account password if you get locked out. Make sure the email address or mobile number you add is:
- Personal only to you.
- Easily accessible.
- Working and able to receive emails/SMS.
To add a recovery email or number:
- Go to accounts.zoho.com.
- In the Profile tab, go to the Email Address or Mobile Number section.
- Click Add Email Address or Add Mobile Number.
- Enter your email address or mobile number, then click Next.
Enter the OTP you received, then click Verify.
After you add them, periodically check and update them. If someone else gets access to the email address or mobile number, they will be able to reset your password. At Zoho, we will also remind you to review the added recovery options periodically.
Backup verification codes
If you have enabled multi-factor authentication (MFA) for your account, it is important that you generate and save the backup verification codes for your account. These codes allow you to recover your account if you are unable to sign in using MFA.
If you are using Zoho OneAuth as your MFA mode, you need to set up a passphrase. This passphrase will allow you to recover access to OneAuth if you ever lose it.
Be aware and careful of phishing attempts
Phishing is a method attackers employ to gain access to your personal information, your credentials, or to your account in general. An attacker will send phishing emails to a large number of recipients, hoping that some of the recipients will be deceived. The phishing email may cite a critical emergency and urge you to provide your personal information, or ask you to access a link to a malicious web page, or download a malicious attachment.
Even if you have secured your account with multi-factor authentication, the attacker can gain access to your account through these phishing web pages using sophisticated techniques. For example, using the "Adversary-in-the-middle" method, the attacker can steal the session cookies from your browser and gain access to your account bypassing MFA.
How to identify a phishing email
- Note the clarity of the email content. Check if the content is ambiguous and doesn't make sense. The content of the email will also generate a sense of danger and urgency.
- Check if the sender's email address is suspicious. Typically, the attacker will use a domain that is slightly different from the actual domain they are posing as. So, look out for spelling mistakes. For example, zohocrop.com instead of zohocorp.com. They may also use the name of the company in the first part of the address, such as, zohosupport@abc.com.
- Check the URLs of the links and buttons present in the email. The text of the URL may seem normal, but it might be linked to a different URL. For example, the text may read "Renew Payment" or "Confirm Account"; but they are, instead, linked to a malicious URL. Make sure you hover over the link and check the URL before clicking on it. Check for spelling mistakes and suspicious domain names in the URLs, too.
What to do if you suspect an email to be a phishing email
- Never reply to this type of email with your passwords or other personal information. Zoho never asks for your password via emails.
- Think before clicking the links in the email.
- If you open a link, never enter your credentials on the web page or give out any personal information.
- Think if the action you are prompted to do in the first place requires entering your credentials.
- Don't download any files attached to the email.
- If you are part of an organization, contact your IT department. If you are an individual user or if your organization doesn't have an IT team, mark the sender as spam.
- For any assistance, contact our support team at support@zohoaccounts.com.
What to do if you get affected
If you think you were affected by a phishing attempt, secure your account immediately using the following steps:
- Change your account password. Make sure you set a unique password that isn't used on any other website or app.
- Enable multi-factor authentication (MFA) if you haven't already. We recommend you secure your account using Zoho OneAuth–our own authenticator app.
- Review your account access. If there is any malicious activity in your account, you will be able to identify it.
- If you need any further assistance, contact our support team at support@zohoaccounts.com.
Identify suspicious sign-ins via email alerts
If your account is compromised and someone else is able to access it, you can find out and secure your account if you have enabled the following alerts for your Zoho account:
- New sign-in to account alert
Receive email alerts whenever your account is signed in from a new device, browser, or location. - Third-party app access alert
Receive email alerts whenever your account is accessed from a new third-party app or location. Example: IMAP/POP clients such as mail apps and calendar apps.
To enable these alerts:
- Go to accounts.zoho.com.
- Click Settings in the left menu.
- In the Preferences section, under Email notifications, enable the required alerts.
Use app-passwords for third-party apps
For third-party IMAP/POP clients, such as mail apps and calendar apps, generate and use unique app-specific passwords instead of your Zoho account password. This way, even if the client app gets compromised, your Zoho account will remain secure. These passwords can also be revoked anytime; and once revoked, the client apps will no longer be able to fetch information from your account.
Enable multi-factor authentication
Using a password alone doesn't provide much security to your account even if you have set up a strong password. With the latest sophisticated techniques attackers use, passwords are always at risk of getting found out. Hence, we strongly suggest enabling multi-factor authentication (MFA) for your account. MFA adds an extra layer of security to your account. Once you enable MFA, all your future sign-ins will require you to verify using the set MFA mode after you enter your password.
Secure account using IP restriction
Via IP restriction, you can allow your account to be accessed only from certain IP addresses. Once a set of allowed IP addresses are added, sign-in attempts from other IP addresses will be blocked. This way, an attacker who operates in a different location will have no means to access your account.
Review account access
In your Zoho Accounts page (accounts.zoho.com), you can review the devices and apps you've signed-in to, the apps that have permission to access your account, and much more. By reviewing these details, you can find out if any unwanted app or device is accessing your account.
The details you can view on your Zoho Accounts page are listed below:
Zoho CRM Training Programs
Learn how to use the best tools for sales force automation and better customer engagement from Zoho's implementation specialists.
Zoho DataPrep Personalized Demo
If you'd like a personalized walk-through of our data preparation tool, please request a demo and we'll be happy to show you how to get the best out of Zoho DataPrep.
- Zoho Workerly Home
- Forums
- Connect With Us:
- Zoho Recruit Home
- Forums
- Connect With Us:
Still can't find what you're looking for?
Write to us: support@zohoforms.com
Zoho Sheet Resources
Zoho Forms Resources
New to Zoho Sign?
Zoho Sign Resources
Sign, Paperless!
Zoho SalesIQ Resources
New to Zoho TeamInbox?
Zoho TeamInbox Resources
New to Zoho ZeptoMail?
Zoho DataPrep Resources
Design. Discuss. Deliver.
New to Zoho Workerly?
New to Zoho Recruit?
New to Bigin?
New to Zoho CRM?
New to Zoho Projects?
New to Zoho Sprints?
New to Zoho Assist?
Related Articles
Security
In addition to securing your Zoho account via passwords and multi-factor authentication, there is a slew of measures you can follow to ramp up your account security. Allowed IP address The Allowed IP address is an IP address or a range of IP ...Close your Zoho account
Closing your Zoho account will result in of all of your data being permanently deleted. If you're a personal user: Sign in to your Zoho account at accounts.zoho.com. Click Settings in the left menu, then scroll down to the Close Account section. ...Can I access my Zoho account again after closing it?
No. As per our security policy, closed accounts cannot be restored. However, you can always create a new account by visiting our website.Why and when account validation is done?
What is the purpose of validation? The purpose of validation is to secure your account from unauthorized activity, and to help us assist you in effectively resolving your issue.We collect information related to your Zoho account, such as ...How do I close my Zoho account?
Closing your Zoho account will result in of all of your data being permanently deleted. If you're a personal user: Sign in to your Zoho account at accounts.zoho.com. Click Settings in the left menu, then scroll down to the Close Account section. ...