Gmail is the latest victim of a phishing scam that is even fooling experienced technical users.
The scam is being described as one of the most convincing yet, and tricks users into giving their Google login details, allowing the attacker to sift through their messages.
Emails containing the rogue attachment can come from people in the recipient’s own address book, and the attacker can even copy their style of writing, so the fake email is convincingly passed on to the victim’s contacts.
The fake email uses image attachments that look like a PDF file.
When you click on the attachment, you are directed to phishing pages, disguised as the Google sign-in page.
If you enter your details, your Gmail account becomes compromised, allowing the attacker to sift through your sent messages folder and pass on the scam.
Even more worryingly, the phishing pages do not seem to trigger Google’s HTTPS security warnings, which normally warn users if they land on an unsafe page.
The scam was discovered by Mark Maunder, CEO of Wordfence, the security service for WordPress.
To avoid becoming a victim of the scam, Mr Maunder recommends enabling two-factor authentication and keeping a lookout for the prefix ‘data:text/html’ in the browser location bar – a sign of a fake web page.
He said: ‘Make sure there is nothing before the host name ‘accounts.google.com’ other than ‘https://’ and the lock symbol.
‘You should also take special note of the green colour and lock symbol that appears on the left. If you can’t verify the protocol and verify the hostname, stop and consider what you just clicked on to get to that sign-in page.’
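As an added illustration of the two checks Mr Maunder describes (this is example code, not from the article or from Wordfence), the function below classifies what the browser location bar shows when a sign-in page opens; the sample URLs, including the `login.example` host, are constructed for the example.

```javascript
// Added example: apply the article's two checks to a location-bar string:
// (1) it must not start with data:text/html, and (2) nothing may sit before
// the host name accounts.google.com other than https://.

const LEGIT_SIGNIN_HOST = "accounts.google.com";

function classifySigninUrl(rawUrl) {
  const s = rawUrl.trim();
  // The phishing page is an entire inline HTML document carried in a data:
  // URI. A naive "does it contain accounts.google.com" check is fooled,
  // because the real host name is padded into the URI text, so the scheme
  // is checked before anything else.
  if (/^data:/i.test(s)) {
    return { ok: false, reason: "data: URI (inline page, no real host)" };
  }
  let url;
  try {
    url = new URL(s);
  } catch {
    return { ok: false, reason: "not a parseable URL" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: `scheme is ${url.protocol}, not https:` };
  }
  // Anything before the host other than https:// fails the check, including
  // user-info such as "https://accounts.google.com@login.example/".
  if (url.username || url.password) {
    return { ok: false, reason: "text before the host name" };
  }
  // Exact host match: a lookalike such as accounts.google.com.login.example
  // must not pass.
  if (url.hostname !== LEGIT_SIGNIN_HOST) {
    return { ok: false, reason: `host is ${url.hostname}` };
  }
  return { ok: true, reason: "https:// + accounts.google.com" };
}

// Constructed samples; the first mimics the data:text/html prefix the
// article warns about, the rest are ordinary look-alike location-bar strings.
const SAMPLES = [
  "data:text/html,https://accounts.google.com/ServiceLogin?service=mail",
  "https://accounts.google.com/ServiceLogin?service=mail",
  "http://accounts.google.com/ServiceLogin",
  "https://accounts.google.com@login.example/ServiceLogin",
  "https://accounts.google.com.login.example/ServiceLogin",
];

for (const u of SAMPLES) {
  const r = classifySigninUrl(u);
  console.log(`${r.ok ? "OK  " : "FAKE"} ${u.slice(0, 60)}  (${r.reason})`);
}
```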