These days most phishing emails are pretty easy to spot. They appear to be from a financial institution you have never patronized or from a utility company in another part of the country.
In an alert posted on its blog, Wordfence, which produces security products for Wordpress, explains how the Gmail scam is different.
For starters, the objective is to learn the user's log-in credentials, so the Gmail account can be used to perpetuate the scam and eventually assemble an army of compromised accounts that can be used to distribute spam.
Dangerous familiarity
The first thing that makes this scheme so effective is familiarity. The bogus message comes from someone you know. That's because that person's account has been compromised and the scammer is sending phishing emails to everyone in the contacts list.
So instead of coming from a bank you've never heard of, the message appears to come from a friend.
At the bottom of the email there is an attachment -- or what appears to be a Gmail attachment. But it's not. It's actually a graphic representation of what Google uses to indicate an attachment.
If you click on the "attachment," a file does not open as a normal attachment would. Rather, you are taken to a page that looks exactly like Google's Gmail log-in page. There, you are asked to enter your credentials to log into your account again. If you do, the scammer immediately seizes your account information, logs in, and begins sending the phishing email to everyone in your contacts.
Looks just like the real thing
Wordfence says everything about the bogus sign-in page looks authentic, down to the Google logo and slogan. There's only one way to tell it isn't the real thing -- the browser's address bar.
The URL, which at first glance might appear legitimate, is preceded by the prefix "data:text/html." It's known as a data URL, which embeds a file instead of directing you to a location on the internet.
How can you protect yourself? Wordfence says when you check the URL, make sure there is nothing before the hostname "accounts.google.com" other than ‘https://'. You should also look for a green color and lock symbol that appears on the left.
Also, be wary of all email with attachments, even from friends. If you click on an attachment and, instead of opening a file it asks you to log into your account again, back out and delete the email.
Wordfence has published a response it said it got from Google, instructing users to pay close attention to the URL. The company response said any fix that would to try to detect phishing pages based on their look "would be easily bypassable in hundreds of ways."
In other words, you're on your own.