A phishing scam has apparently been plaguing Gmail users, potentially stealing their Google credentials by fooling them into opening an email attachment.
Phishing scams are among the worst things on the internet. While they are generally fairly easy for tech-savvy users to spot, some are more cleverly designed and manage to trick more people.
This is the case with the latest Gmail phishing scam, which at first glance looks quite convincing and could fool plenty of unsuspecting users. Like all phishing scams, however, it is not impossible to spot and avoid, so here's what you need to know about this threat.
Gmail Phishing Scam: How It Works
This phishing scam has apparently been going on for quite some time, as Wordfence first warned about it back in January. Google has since taken steps to address it, and in late February it made some tweaks to the Chrome browser to warn users when they encounter this phishing attempt.
As with many other scams like this, this Gmail phishing scam involves an attacker using an email address designed to look like it belongs to someone the user knows. They send an email with a seemingly innocent attachment, such as a Word document or a PDF, but it's all a scam. Upon clicking the attachment to preview it, Gmail users are redirected to a Google sign-in page prompting them to enter their credentials.
How To Detect This Gmail Phishing Scam
As Lifehacker points out, those seemingly legitimate attachments are in fact embedded images crafted to pose as attachments that send users to a fake Google sign-in page to steal their Google credentials.
Although that sign-in page is fake, everything appears normal, complete with the Google logo, text boxes and everything else the legitimate Google sign-in page displays.
However, the address bar gives it away. Instead of a standard URL beginning with "https://", the page is actually a data URI that starts with "data:text/html". Consequently, to avoid falling victim to this phishing scam, take a good look at the address bar and check whether it shows a legitimate URL or a data URI. If it's the latter, do not enter your Google credentials - just leave.
Google has updated its Chrome browser to warn against fake sign-in forms such as this one, but it doesn't stop the phishing scam altogether. It just shows a "Not Secure" message in the address bar of the page, and some users might not even spot it. At the same time, many users rely on other browsers that don't offer such warnings so the safest way is to just check the URL.
If you're using Google Chrome and you spot the "Not Secure" warning in the address bar, close the tab immediately. If you're using another browser and you spot the "data:text/html" giveaway in the address bar, close the tab immediately.
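As an added example (not code from the article or from Google), here is a small Python check that applies the rules above to whatever the address bar shows: a data: URI is the giveaway for this scam, a plain http:// page is what Chrome labels "Not Secure", and only an https:// page on the genuine sign-in host passes. The sign-in host set and the sample addresses are constructed assumptions; the check also decodes base64 data: URIs, which goes beyond the plain form the article describes.

```python
import base64
from dataclasses import dataclass
from urllib.parse import urlsplit, unquote

# Host(s) on which the genuine Google sign-in form is served (assumption for the demo).
SIGNIN_HOSTS = {"accounts.google.com"}


@dataclass
class Verdict:
    level: str    # "ok", "warn" or "phish"
    reason: str


def _data_payload(body: str):
    """Split the part of a data: URI after 'data:' into (media type, payload text)."""
    header, _, data = body.partition(",")
    fields = header.split(";")
    media_type = fields[0].lower() or "text/plain"   # RFC 2397 default
    if "base64" in [f.strip().lower() for f in fields[1:]]:
        try:
            text = base64.b64decode(data).decode("utf-8", "replace")
        except ValueError:                # binascii.Error is a ValueError
            text = data
    else:
        text = unquote(data)              # percent-encoded payload
    return media_type, text


def inspect_address(address: str) -> Verdict:
    """Classify what the address bar shows before any credential is typed."""
    addr = address.strip()                # browsers ignore leading/trailing whitespace
    scheme, sep, rest = addr.partition(":")
    scheme = scheme.lower() if sep else ""
    if scheme == "data":
        # The scam's giveaway: the "page" is a data: URI rendered by the browser,
        # not a document fetched from any server.
        media_type, text = _data_payload(rest)
        reason = f"data: URI rendering {media_type}, not a page fetched from a server"
        if any(host in text.lower() for host in SIGNIN_HOSTS):
            reason += "; payload quotes a sign-in host name to look genuine"
        return Verdict("phish", reason)
    host = (urlsplit(addr).hostname or "").lower()
    if scheme == "https" and host in SIGNIN_HOSTS:
        return Verdict("ok", f"https page on {host}")
    if scheme == "http":
        return Verdict("warn", "plaintext http:// page (Chrome labels it Not Secure)")
    return Verdict("warn", f"sign-in form on unexpected address {scheme or 'no scheme'}://{host or '?'}")
```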
For more information on how such scams work, as well as how to avoid and report phishing emails, head over to Google's dedicated support page.