As Scott explains in the tweet, the only thing that tipped him off was that the image used to make him think there was an attachment looked slightly blurry on his high-resolution screen, a tiny detail that's easy to overlook if you're not paying attention or haven't had enough coffee in the morning. The fake Google/Gmail sign-in page is also alarmingly realistic, especially if you've become used to being randomly logged out of Gmail every once in a while. Sure, you might spot something fishy about the email, its subject line or the wording of the text, but you can see how people might fall for it, right?
Thankfully, there are specific things you can look for to spot a fake and avoid falling for the convincing trick. Along with beefing up your password and setting up two-step verification on your Gmail account, here's what Satnam Narang, Senior Security Response Manager at Norton by Symantec, told Refinery29:
"The best way to identify this attack is to look at the address bar. In this case, look for the words 'data:/text/html' at the beginning of the URL. If you see this, close the browser tab and alert your friend that their account has been compromised."
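The check Narang describes, looking at the start of the address bar, is easy to turn into a rule. What follows is an added JavaScript example, not code from the article or from Norton/Symantec. It treats any `data:` URL (a browser shows these as `data:text/html,...`) as a phishing page, because such a page is inline HTML that no Google server ever served, and it also compares the parsed hostname rather than the visible text, which catches lookalike hosts the article does not mention. All sample addresses are constructed for illustration; the phishing sample mimics the shape described in public reports (a lookalike Google address followed by padding and a hidden script) and is not a captured specimen.

```javascript
// Added example, not from the article or from Norton/Symantec. It classifies what the
// address bar shows on a page asking for Google credentials, using the WHATWG URL parser
// that browsers and Node.js provide. All sample addresses below are constructed.

const GENUINE_LOGIN_HOSTS = new Set(["accounts.google.com"]);

// Decode percent-encoding defensively; a malformed escape must not throw.
function safeDecode(s) {
  try {
    return decodeURIComponent(s);
  } catch (e) {
    return s;
  }
}

function classifyLoginUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return { verdict: "suspicious", reason: "not a parseable URL", hiddenMarkup: false };
  }

  // The attack in the article: the whole fake sign-in page is inline HTML in a data: URL.
  // The lookalike "https://accounts.google.com/..." is just text inside that URL, and the
  // script that steals the password is pushed out of view behind padding.
  if (url.protocol === "data:") {
    const payload = url.href.slice(url.href.indexOf(",") + 1);
    const hiddenMarkup = /<(script|iframe|form)\b/i.test(safeDecode(payload));
    return {
      verdict: "phishing",
      reason: "data: URL; the page is not served by any Google server",
      hiddenMarkup,
    };
  }

  if (url.protocol !== "https:") {
    return { verdict: "suspicious", reason: `sign-in over ${url.protocol} is not Google's`, hiddenMarkup: false };
  }

  // Compare the parsed hostname, not the visible string: "accounts.google.com.evil.example"
  // and "https://accounts.google.com@evil.example/" both show Google's name but go elsewhere.
  if (!GENUINE_LOGIN_HOSTS.has(url.hostname)) {
    return { verdict: "suspicious", reason: `host ${url.hostname} is not Google's sign-in host`, hiddenMarkup: false };
  }

  return { verdict: "ok", reason: "https origin is accounts.google.com", hiddenMarkup: false };
}

// Constructed samples. The first mimics the shape of the phishing address the article
// describes: a lookalike Google address, then enough spaces to push the real payload
// out of the visible part of the address bar.
const SAMPLES = {
  phish: "data:text/html,https://accounts.google.com/ServiceLogin?service=mail" +
         " ".repeat(200) + "<script>/* credential-stealing page would go here */</script>",
  genuine: "https://accounts.google.com/ServiceLogin?service=mail",
  lookalikeHost: "https://accounts.google.com.login-check.example/ServiceLogin",
  userinfoTrick: "https://accounts.google.com@login-check.example/ServiceLogin",
  plainHttp: "http://accounts.google.com/ServiceLogin",
};

function classifySamples() {
  const out = {};
  for (const [name, addr] of Object.entries(SAMPLES)) out[name] = classifyLoginUrl(addr);
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, r] of Object.entries(classifySamples())) {
    console.log(`${name.padEnd(14)} ${r.verdict.padEnd(10)} ${r.reason}`);
  }
}
```

The useful habit this encodes is to trust the parser's view of the address, not your eyes: a `data:` scheme or a hostname that is anything other than `accounts.google.com` means the password you are about to type is not going to Google, no matter how convincing the page looks.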
Two-step verification is a key defense because even if a malicious hacker has your password, they would also need the verification code Google sends to your separate device before they can log in to your account, according to the Forbes report. One caveat: a phishing page that forwards your code to Google in real time can get around a code sent by text message, which is why a hardware security key is the stronger second factor. Being a bit skeptical of random emails from friends and other contacts helps, too.
As always, be careful out there.