Incidents of manual hijacking -- where professional attackers spend considerable time exploiting a single victim's account -- are still rare at about nine incidents per million users per day, but the impact can be severely damaging, Google said in a study.
    
"The damage manual hijackers incur is far more severe and distressing to users and can result in significant financial loss," it added.
    
Google said these "needle-in-a-haystack" attacks are very challenging and represent an ongoing threat to Internet users.
    
Manual hijackers often get into accounts through phishing attacks by sending deceptive messages meant to trick users into handing over username, password and other personal information.
    
"Of the hijacking case samples we analysed, we found that most of the hijackers appear to originate from five main countries: China, Ivory Coast, Malaysia, Nigeria, and South Africa," it said.
    
The study found that criminals attempted to access 20 per cent of the accounts within 30 minutes of attack. Once logged in, manual hijackers profile the victim's account and spend an average of three minutes to assess the value of the account before exploiting it or abandoning the process.
    
It added: "This step entails searching through the victim's email history for banking details or messages that the victim had previously flagged as important. We also see attackers scanning through email contacts which are then either solicited for funds or targeted with a salvo of targeted phishing emails."
    
Google said that using a second authentication factor like a phone, has proven the best defence against hijacking.
    
"While second factor authentication has some drawbacks, we believe that it is the best way to curb hijacking long term," it added.