A highly sophisticated phishing scam is targeting Gmail users and it's so convincing, it has even duped technical users.
The way the phishing technique works, according to the CEO of Wordfence, which provides security for WordPress websites, is that the attackers send an email to a Gmail account that appears to come from someone the user knows, carrying what looks like a familiar attachment from that sender.
Clicking on that attachment thumbnail, which is really an embedded image, does not open a preview of the attachment; instead it opens a new tab with a Gmail sign-in page that looks just like the real thing.
As soon as the user signs in, the account is compromised. The attackers then go through the user's emails and send messages from the hijacked account to people in the contact list, reusing a real attachment the victim has sent before to dupe the next round of targets.
In one reported example, a student was targeted: the attackers produced an attachment resembling an athletic team practice schedule, reused a subject line the student had actually used before, and emailed the student's contacts to gain access to their accounts.
To protect yourself from this scam, check the browser location bar before you sign in and make sure you are on the correct website. The address should begin with https:// and the lock symbol, with nothing in front of it, and the host should be accounts.google.com. In this phishing scam there is extra text before the https:// portion (see photo gallery above): in the reported campaign that text was a data:text/html, prefix, which means the sign-in page is loaded from the address bar text itself rather than from Google, and the "https://accounts.google.com" that appears further along is just part of that text.
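The address-bar check described above, written out as an added example (this code is not from the article, Wordfence or Google). It parses the text a user would see in the location bar and rejects anything that is not an https page served by accounts.google.com, including the data: prefix trick, lookalike hosts and the user@host form. The sample addresses are constructed for illustration, and treating accounts.google.com as the only legitimate sign-in host is an assumption of the example.

```python
from urllib.parse import urlparse

# Assumption for this example: a Gmail sign-in page is only legitimate when
# served over https from exactly this host.
EXPECTED_SCHEME = "https"
EXPECTED_HOST = "accounts.google.com"


def check_sign_in_address(address: str) -> tuple[bool, str]:
    """Return (looks_legitimate, reason) for the text shown in the location bar.

    Mirrors the manual check: the address must start with https:// (nothing in
    front of it) and the host must be exactly accounts.google.com.
    """
    text = address.strip()
    parsed = urlparse(text)
    scheme = parsed.scheme.lower()

    if scheme == "data":
        # A data: URL carries the whole page inside the address itself; nothing
        # was fetched from Google even if "https://accounts.google.com" appears
        # further along in the bar.
        return False, "data: URL, page is embedded in the address, not served by Google"
    if scheme != EXPECTED_SCHEME:
        return False, f"scheme is {scheme or 'missing'!r}, expected https"

    host = parsed.hostname  # lowercased; userinfo ("user@") and port stripped
    if host != EXPECTED_HOST:
        return False, f"host is {host!r}, expected {EXPECTED_HOST!r}"
    if parsed.port not in (None, 443):
        return False, f"unexpected port {parsed.port}"
    return True, "https and host accounts.google.com"


# Constructed sample addresses: one real-looking sign-in URL and four fakes.
SAMPLE_ADDRESSES = {
    "real": "https://accounts.google.com/ServiceLogin?service=mail",
    "data_uri": "data:text/html,https://accounts.google.com/ServiceLogin?service=mail",
    "lookalike_subdomain": "https://accounts.google.com.example.net/ServiceLogin",
    "userinfo_trick": "https://accounts.google.com@example.net/ServiceLogin",
    "plain_http": "http://accounts.google.com/ServiceLogin",
}


def classify_samples() -> dict[str, bool]:
    """Map each sample name to whether it passes the check."""
    return {name: check_sign_in_address(addr)[0] for name, addr in SAMPLE_ADDRESSES.items()}


if __name__ == "__main__":
    for name, addr in SAMPLE_ADDRESSES.items():
        ok, why = check_sign_in_address(addr)
        print(f"{'OK  ' if ok else 'FAKE'} {name:20} {why}")
```

The userinfo case matters because urlparse (like a browser) treats everything before the "@" as a username, so a bar that visibly starts with "https://accounts.google.com" can still point at another host; checking parsed.hostname rather than a string prefix catches it.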
Google is aware of the phishing scam and has issued a statement to Wordfence:
“We’re aware of this issue and continue to strengthen our defenses against it. We help protect users from phishing attacks in a variety of ways, including: machine learning based detection of phishing messages, Safe Browsing warnings that notify users of dangerous links in emails and browsers, preventing suspicious account sign-ins, and more. Users can also activate two-step verification for additional account protection.”