This New Gmail Phishing Attack Is Disturbingly Effective

Thanks to online security measures like two-step verification and password managers, there are plenty of straightforward ways to protect yourself from the latest phishing scams and other malicious exploits on the Internet. But no matter how careful or savvy you are, a phishing attack targeting Gmail users looks so disturbingly legitimate that it might just fool you. 

Here's how it works: you'll receive an email from a friend or someone you know that appears to include an attachment at the bottom like, say, a PDF. But in reality, the email contains an image that makes it look like there's an attachment, and when you click on it, you're taken to an equally convincing -- but fake! -- Gmail login page. This, as you may have guessed by now, is a trap hackers can use to collect your password, compromise your Gmail account, then use that access to compromise your other accounts and personal information, according to a report by Forbes. Oh, and after that, the malicious actors can target contacts in your account and do the same to them.

Here's an example of the attack, which was recently posted by Tom Scott on Twitter: 

As Scott explains in the tweet, the only thing that alerted him to the potential threat was that the image used to trick him into thinking there was an attachment appeared slightly blurry on his high-resolution screen, a tiny detail that's easy to overlook if you're not paying attention or if you haven't had enough coffee in the morning. The Google/Gmail sign-in page is also alarmingly realistic, especially if you've become used to being randomly logged out of Gmail every once in a while. Sure, you might detect something fishy about the email -- its subject line, language in the text, etc. -- but you can see how people might fall for it, right? 

Thankfully, there are specific things you can look for to spot a fake and avoid falling for the convincing trick. Along with beefing up your password and setting up two-step verification on your Gmail account, here's what Satnam Narang, Senior Security Response Manager at Norton by Symantec, told Refinery29:

"The best way to identify this attack is to look at the address bar. In this case, look for the words 'data:/text/html' at the beginning of the URL. If you see this, close the browser tab and alert your friend that their account has been compromised." 
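Narang's check is about the scheme of what the address bar shows: a real sign-in page is an HTTPS page served from Google's sign-in host, while the phishing page is a `data:` URL, which the browser renders straight from the text in the address bar with no server, no host and no TLS padlock behind it. The following example, added here and not part of the original article or of any Google or Norton tooling, applies that check the way a browser extension or a security-awareness demo might, and goes one step beyond the article's case by also rejecting lookalike hostnames. The trusted host list and the sample address-bar strings are constructed for the example; the fake `data:` URL deliberately starts with text that looks like the genuine sign-in URL, to show why a naive "does it contain accounts.google.com" check is not enough.

```javascript
// Added example: classify what a browser's address bar is showing when a
// "Google sign-in" page appears. Not code from the article; hosts and
// samples below are assumptions constructed for illustration.

// Assumption: the only host we accept for a Google sign-in page.
const TRUSTED_SIGNIN_HOSTS = new Set(["accounts.google.com"]);

// Constructed samples of what an address bar might contain.
const SAMPLES = {
  // Genuine sign-in page: HTTPS origin on the trusted host.
  genuine: "https://accounts.google.com/ServiceLogin?service=mail",
  // The attack described in the article: a data: URL whose body starts with
  // text resembling the real URL, followed by inline HTML for a fake form.
  dataUri:
    "data:text/html,https://accounts.google.com/ServiceLogin?service=mail" +
    " ".repeat(40) +
    "<html><body><!-- fake sign-in form would go here --></body></html>",
  // A lookalike host (not in the article, added as a generalization).
  lookalikeHost: "https://accounts.google.com.example.invalid/ServiceLogin",
};

// The check a tired user does by eye: "I can see accounts.google.com, fine."
// It is fooled by the data: URL above because that text is inside the body.
function naiveLooksLikeGoogle(addressBarText) {
  return addressBarText.includes("accounts.google.com");
}

// Narang's check, made precise: look at the scheme first, then the origin.
function classifyAddressBar(addressBarText) {
  let url;
  try {
    url = new URL(addressBarText.trim());
  } catch (e) {
    return { verdict: "unparseable", reason: "address bar text is not a URL" };
  }

  if (url.protocol === "data:") {
    // For a data: URL the "path" is "<mediatype>,<payload>"; the media type
    // alone (e.g. text/html) tells you the page is rendered from the URL itself.
    const mediaType = url.pathname.split(",")[0];
    return {
      verdict: "phishing-suspect",
      reason: `data: URL (${mediaType}) rendered inline, no server behind it`,
    };
  }

  if (url.protocol === "javascript:" || url.protocol === "blob:") {
    return { verdict: "phishing-suspect", reason: `${url.protocol} URL is not a sign-in page` };
  }

  if (url.protocol !== "https:") {
    return { verdict: "phishing-suspect", reason: `sign-in page not served over HTTPS (${url.protocol})` };
  }

  // Exact hostname match: "accounts.google.com.example.invalid" must fail.
  if (!TRUSTED_SIGNIN_HOSTS.has(url.hostname)) {
    return { verdict: "phishing-suspect", reason: `unexpected host ${url.hostname}` };
  }

  return { verdict: "ok", reason: `HTTPS page on trusted host ${url.hostname}` };
}

// Demo: compare the naive eyeball check with the scheme-and-origin check.
for (const [name, text] of Object.entries(SAMPLES)) {
  const { verdict, reason } = classifyAddressBar(text);
  console.log(`${name}: naive=${naiveLooksLikeGoogle(text)} verdict=${verdict} (${reason})`);
}
```

In a browser the same logic runs against `window.location.href`; the point of parsing with `URL` rather than string matching is that the scheme and hostname are what determine where the page really comes from, and a `data:` scheme means the answer is "nowhere", exactly the case Narang describes.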

Two-step verification is a key defense because even if the malicious hacker has your password, they would also need the verification code Google sends to your separate device in order to log in to your account, according to the Forbes report. One caveat: a fake page can ask you for that code too, so don't type it into anything you reached by clicking an "attachment," and if you want a second factor that can't be phished this way, a hardware security key is the stronger option. Being a bit skeptical of random emails from friends and other contacts helps, too.

As always, be careful out there. 


Tony Merevick is Cities News Editor at Thrillist and can see how people would fall for this. Send news tips to and follow him on Twitter @tonymerevick.