Make your password strong

1. Avoid using personal information such as your birthday, mobile number, or pet name.
   
2. Avoid using only a single word or only common dictionary words.
   
3. Avoid using sequences with repetitive or consecutive characters (like "12345," "000"), or commonly used sequences (like "qwerty").
   
4. Don't make the password overly complex; make sure it is easily remembered.
   
5. Don't reuse the same password on multiple services. Use a unique password for your Zoho account.
   
6. Do not write your passwords on paper or in notepads. We recommend using a password manager like Zoho Vault for secure storage.
   
7. Never share your Zoho account password. If you need to share your account password, such as for test accounts, use Zoho Vault for secure sharing. 
   Learn more about sharing passwords with: organization users | third-parties

Info: By default, Zoho enforces users to set a password with the following criteria:

1. Should be at least 8 characters.
   
2. Should not contain parts of the user's email address, first name, or last name.
   
3. Should not contain consequent characters (such as "000") or sequential characters (such as "123", "abc").
4. Should not be a breached password. When you enter a password, we will check if it is found in any previous breaches using Troy Hunt's breached password collection. If it was, we will prompt you to enter a different password.
   

Set up recovery options

1. You forgot your password.
   
2. Someone else accessed your account and changed your password.
   
3. You have set up multi-factor authentication (MFA), but are unable to sign in due to some issue.
   

Setting up account recovery options will help you recover your access during these times.

Recovery email address/mobile number

A recovery email address or recovery mobile number will help you reset your account password if you get locked out. Make sure the email address or mobile number you add is:

1. Personal only to you.
   
2. Easily accessible.
   
3. Working and able to receive emails/SMS.
   

1. Go to accounts.zoho.com.
   
2. In the Profile tab, go to the Email Address or Mobile Number section.
   
3. Click Add Email Address or Add Mobile Number.
   
4. Enter your email address or mobile number, then click Next.
   
5. Enter the OTP you received, then click Verify.
   

Backup verification codes

If you are using Zoho OneAuth as your MFA mode, you can also set up a passphrase. This passphrase will allow you to recover access to OneAuth if you ever lose it.

Be aware and careful of phishing attempts

How to identify a phishing email

1. Note the clarity of the email content. Check if the content is ambiguous and doesn't make sense. The content of the email will also generate a sense of danger and urgency.
   
2. Check if the sender's email address is suspicious. Typically, the attacker will use a domain that is slightly different from the actual domain they are posing as. So, look out for spelling mistakes. For example, zohocrop.com instead of zohocorp.com. They may also use the name of the company in the first part of the address, such as, zohosupport@abc.com.
   
3. Check the URLs of the links and buttons present in the email. The text of the URL may seem normal, but it might be linked to a different URL. For example, the text may read "Renew Payment" or "Confirm Account"; but they are, instead, linked to a malicious URL. Make sure you hover over the link and check the URL before clicking on it. Check for spelling mistakes and suspicious domain names in the URLs, too.
   

What to do if you suspect an email to be a phishing email

1. Never reply to this type of email with your passwords or other personal information. Zoho never asks for your password via emails.
   
2. Think before clicking the links in the email.
   
3. If you open a link, never enter your credentials on the web page or give out any personal information.
   
4. Think if the action you are prompted to do in the first place requires entering your credentials.
   
5. Don't download any files attached to the email.
   
6. If you are part of an organization, contact your IT department. If you are an individual user or if your organization doesn't have an IT team, mark the sender as spam.
   
7. For any assistance, contact our support team at support@zohoaccounts.com.
   

What to do if you get affected

1. Change your account password. Make sure you set a unique password that isn't used on any other website or app.
   
2. Enable multi-factor authentication (MFA) if you haven't already. We recommend you secure your account using Zoho OneAuth–our own authenticator app.
   
3. Review your account access. If there is any malicious activity in your account, you will be able to identify it.
   
4. If you need any further assistance, contact our support team at support@zohoaccounts.com.
   

Identify suspicious sign-ins via email alerts

1. New sign-in to account alert
   Receive email alerts whenever your account is signed in from a new device, browser, or location.
   
2. Third-party app access alert
   Receive email alerts whenever your account is accessed from a new third-party app or location. Example: IMAP/POP clients such as mail apps and calendar apps.

1. Go to accounts.zoho.com.
   
2. Click Settings in the left menu.
   
3. In the Preferences section, under Email notifications, enable the required alerts.
   

Use app-passwords for third-party apps

Enable multi-factor authentication

Secure account using IP restriction

Review account access