A highly sophisticated phishing scam is targeting Gmail users, and it is so convincing that it has even duped technical users.
According to the CEO of Wordfence, which provides security for WordPress websites, the technique works like this: the attackers send an email to a Gmail account that appears to come from someone the user knows, along with an attachment the user may recognize from that sender.
Once the user clicks on the attachment's image, instead of showing a preview of the attachment it opens a new tab with a Gmail sign-in page that looks just like the real thing.
As soon as the user signs in, the account is compromised. The hackers then go through the user's emails and send messages from the hacked account to people on the user's contact list, reusing an actual attachment the user has sent before, to dupe the next round of users.
In one reported example, a student was targeted: the hackers generated an attachment containing an athletic team practice schedule, paired it with a subject line the user had actually used before, and sent emails to the student's contact list to gain access to those users' accounts.
To protect yourself from this scam, always check the browser location bar before you sign in to make sure you are signing into the correct website. The URL should begin with https:// with the lock symbol next to it and nothing in front of it. In the phishing scam, there is extra text before the full URL. (See photo gallery above.)
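The location-bar check described above, written out as an added example (this is not code from the article or from Wordfence): it flags any address with text in front of `https://`, and goes a step further than the article by also rejecting non-https schemes and hosts that merely resemble Google's sign-in host. It assumes `accounts.google.com` is the legitimate sign-in host, and the sample location-bar strings are constructed.

```javascript
// Added example: classify the text a user sees in the browser location bar
// before typing a Gmail password. Runs in Node.js (uses the global WHATWG URL).

// Assumption for this example: the only legitimate Google sign-in host.
const TRUSTED_SIGNIN_HOSTS = new Set(["accounts.google.com"]);

function classifyLocationBar(text) {
  const s = String(text).trim();

  // The tell-tale sign from the article: the real-looking "https://..." is
  // present, but something else (e.g. another URL scheme) sits in front of it.
  const idx = s.indexOf("https://");
  if (idx > 0) {
    return { verdict: "phishing",
             reason: `text before https:// : "${s.slice(0, idx)}"` };
  }

  let u;
  try {
    u = new URL(s);                       // parse scheme, userinfo, host, path
  } catch (e) {
    return { verdict: "suspicious", reason: "not a parseable URL" };
  }

  if (u.protocol !== "https:") {
    return { verdict: "suspicious", reason: `scheme is ${u.protocol}, not https:` };
  }

  // u.hostname strips any "user@" prefix, so "accounts.google.com@evil.example"
  // and "accounts.google.com.evil.example" both end up here as untrusted hosts.
  if (!TRUSTED_SIGNIN_HOSTS.has(u.hostname)) {
    return { verdict: "suspicious", reason: `host ${u.hostname} is not a Google sign-in host` };
  }

  return { verdict: "ok", reason: "https scheme and trusted sign-in host" };
}

// Constructed sample location-bar strings, one per case the check handles.
const SAMPLES = [
  "https://accounts.google.com/ServiceLogin",                    // ok
  "data:text/html,https://accounts.google.com/ServiceLogin",     // phishing
  "https://accounts.google.com.evil.example/ServiceLogin",       // suspicious
  "https://accounts.google.com@evil.example/ServiceLogin",       // suspicious
  "http://accounts.google.com/ServiceLogin",                     // suspicious
];

function runSamples() {
  return SAMPLES.map((s) => ({ input: s, ...classifyLocationBar(s) }));
}

module.exports = { classifyLocationBar, runSamples };
```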
Google is aware of the phishing scam and has issued a statement to Wordfence: