20/01/2017 11:09 GMT | Updated 20/01/2017 11:11 GMT

Gmail Phishing Scam Is So Convincing It's Tricking Even The Pros

Do you know the warning signs?

A Gmail phishing scam has been discovered that’s so realistic it’s even fooling people who would normally pride themselves on being security-savvy.

Discovered by a researcher at WordFence, this particularly nasty scam looks real right up until the last minute, making it incredibly hard to detect.

In this instance the scam tricks users into handing over their Gmail login details. Of course, it’s not just your Gmail login details that are at stake: once the criminal has the password they can access any of your Google services, including Drive, Android Pay, YouTube and more.

So how does it work?

You will receive an email from a colleague or friend that contains a tailored subject line that makes sense to you.

There will be an attachment at the bottom that looks like either a .pdf file or perhaps a document that you’re likely to open.

If you click on it, rather than opening the document, it’ll lead to a Google account login page, except it isn’t a Google login page at all.


As you can see from the image above, the deception is incredibly realistic; in fact, even if you looked at the website address for the page you would see what appears to be a genuine Google URL.

As you can see from the URL, there are some important pieces missing, and to be honest you would only know that if you knew what you were looking for.

For starters, there’s no ‘https’, the signifier that the web page you’re on is being served over a secure, verified connection.

Secondly, if you look to the very far right of the URL, there is in fact a long line of code.

So what happens next? Well, if you were unfortunate enough to enter your login details then we’ve got some bad news: they’re now in the hands of a hacker.

As one commenter on Hacker News points out, this is professional stuff.

“It’s the most sophisticated attack I’ve seen. The attackers log in to your account immediately once they get the credentials, and they use one of your actual attachments, along with one of your actual subject lines, and send it to people in your contact list.”

How can you protect yourself?

To be quite honest, there is no way for a conventional virus checker to stop you from falling for this.

The only way to defend yourself is to be vigilant: if a friend or colleague sends you an attachment, check it thoroughly before clicking on it. If you do click on it, immediately check the web address and verify that it has taken you to the place you expected to go.
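One way to turn that address-bar check into a repeatable test for the two warning signs described above (no https, and a long run of code tacked on to the right of an apparent Google address). This is an added example, not code from the article or from WordFence; the expected sign-in host and the "long run of code" threshold are assumptions, and the sample addresses are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption: the genuine sign-in host. The article's screenshot of the
# expected address did not survive, so this value is the editor's, not the author's.
EXPECTED_HOST = "accounts.google.com"
# Constructed heuristic for "a long line of code": a run of 100+ characters
# containing none of the separators (/ ? & =) a real URL is built from.
BLOB = re.compile(r"[^/?&=\s]{100,}")


def check_login_address(address: str) -> list[str]:
    """Return the warning signs found in an address-bar string.

    An empty list means the address passes every check; anything else is a
    reason to stop and not type a password.
    """
    warnings = []
    parts = urlsplit(address.strip())
    # Sign 1: the address does not begin with https.
    if parts.scheme.lower() != "https":
        warnings.append(f"scheme is {parts.scheme or 'none'!r}, not https")
    # The real host must be exactly the sign-in host; a Google-looking string
    # buried later in the address (path, query, fragment) does not count.
    host = (parts.hostname or "").lower()
    if host != EXPECTED_HOST:
        reason = "host is " + (repr(host) if host else "missing")
        if EXPECTED_HOST in address.lower():
            reason += f" although {EXPECTED_HOST} appears later in the text"
        warnings.append(reason)
    # Sign 2: a long run of code on the far right of the address.
    if BLOB.search(address):
        warnings.append("long run of code at the end of the address")
    return warnings


# Constructed sample addresses (not taken from the article's screenshots).
GENUINE = "https://accounts.google.com/ServiceLogin?service=mail&continue=https%3A%2F%2Fmail.google.com"
# Shape of the lure the article describes: nothing resembling https at the
# start, an apparent Google address in the middle, and a long blob on the right.
LURE = "data:text/html,https://accounts.google.com/ServiceLogin?service=mail#" + "A" * 150

if __name__ == "__main__":
    for label, addr in (("genuine", GENUINE), ("lure", LURE)):
        print(label, "->", check_login_address(addr) or "no warning signs")
```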

The only web address you should be seeing if you click on a Google or Gmail login link is this:

Google are apparently aware of the phishing scam and issued an official statement to WordFence containing the following:

“We’re aware of this issue and continue to strengthen our defenses against it. We help protect users from phishing attacks in a variety of ways, including: machine learning based detection of phishing messages, Safe Browsing warnings that notify users of dangerous links in emails and browsers, preventing suspicious account sign-ins, and more. Users can also activate two-step verification for additional account protection.”

Best Password Managers:

1. 1Password
   1Password is the 'Swiss army knife' of the group. It'll run on almost anything. It's also one of the easiest to use thanks to an ultra-simple interface. Rather than using autofill, 1Password uses extensions in Chrome, Firefox and Safari, which gives you quick and easy access to your vault on any of your computers. The iPhone app uses Touch ID. This is a great all-rounder for the single user who just wants a complete solution. Price: $49.99 (single license)

2. Dashlane
   Dashlane is the team player out of the three options here. Offering a similar user interface to 1Password, Dashlane is simple to use and powerful to boot. If you run a small business, or even a big business, then this could be the service for you. With variable sharing options you can send passwords to colleagues who also have Dashlane while keeping the password secure even from them. All they have to do is accept, and the app will log them in to the service without them ever having to see the login credentials. It'll work on iOS, Android, Mac and Windows. Price: $39.99 per year

3. LastPass
   LastPass may be last on the list but it's definitely not the least. This is the veteran password manager and as such has the most features. It'll run on every platform and through every site; it's also customisable to a professional degree, with support for biometrics and almost any other authenticating technology you can think of. It may be a little more complex to use, but once it's set up LastPass is arguably the most flexible in terms of creating the service that you want. Price: $12 per year