Phishing scam sweeping Gmail users is so realistic it's even baffling IT experts – but how can you avoid it?

A NEW email phishing scam so "convincing" it has duped even IT experts is tricking millions of Gmail users worldwide into handing hackers their passwords.

The scam, described as one of the most professional cons to date, fools users into providing their Google login details and lets the hacker rifle through their emails.

Worryingly, the scam email can appear to come from someone in the user's own address book and mimic their writing style, making it seem genuine to the victim, reports MailOnline.

The fake also slips easily under the radar by using ordinary attachments you'd expect to see in an email, such as a PDF.

But when the user clicks on it they are sent to a phishing page, even though it appears to be Google's own login page.


The Gmail account is compromised as soon as the person enters their details. Once logged in, the hacker can easily pass the scam on by sending the fake email to the user's contacts.

Most troubling of all, the trick does not seem to trigger Google's HTTPS security warnings – which normally alert users when they've arrived on an unsafe site.

According to MailOnline, the scam was discovered by Mark Maunder, CEO of Wordfence, the security service for WordPress.

The expert said that the scam was so convincing that it even fooled "experienced technical users".

A poster on the Hacker News website, an IT person whose school server suffered an attack, described what happened once they signed in to the fake page: "The attackers log in to your account immediately once they get the credentials, and they use one of your actual attachments, along with one of your actual subject lines, and send it to people in your contact list.

"For example, they went into one student's account, pulled an attachment with an athletic team practice schedule, generated the screenshot, and then paired that with a subject line that was tangentially related, and emailed it to the other members of the athletic team."

Experts warn that the attackers sign into your account very quickly.

Writing on Wordfence, Mr Maunder said: "Once they have access to your account, the attacker also has full access to all your emails including sent and received at this point and may download the whole lot.

"Now that they control your email address, they could also compromise a wide variety of other services that you use by using the password reset mechanism including other email accounts, any SaaS services you use and much more."

How to avoid falling victim to the scam:

Experts recommend setting up two-factor authentication on your Gmail account, such as a code sent by text message, to add an extra layer of safety.

Keep a lookout for the prefix "data:text/html" in the browser location bar – it is a sign of a fake web page. Nothing should come before the hostname other than "https://" and the lock symbol.

Take special note of the green colour and lock symbol that appear on the left. If you can't verify the protocol and the hostname, stop and consider what you just clicked on to get to that sign-in page.
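The two checks above (the scheme must be "https://" and the hostname must be the real login host, with "data:text/html" being a red flag) can be written down as a small classifier. The following Python script is an added example, not code from the article or from Wordfence; the expected login host in `EXPECTED_HOSTS` and the sample address-bar strings are assumptions constructed for the demonstration, and the `data:` sample only shows the visible prefix the article describes, not a working phishing page.

```python
"""Classify a browser location-bar string before credentials are typed into it.

Added example (not from the article). The point it demonstrates: the *scheme*
at the very start of the address decides where the page came from, not the
familiar-looking text that may follow it. A "data:" URL carries the whole page
inside the address itself, so no Google server was ever contacted, and a
"data:text/html,https://accounts.google.com/..." prefix is pure decoration.
"""
from urllib.parse import urlsplit

# Assumed expected login host for the service being checked; adjust as needed.
EXPECTED_HOSTS = {"accounts.google.com"}


def check_location(address: str, expected_hosts=EXPECTED_HOSTS) -> tuple[bool, str]:
    """Return (safe, reason) for the text shown in the location bar."""
    parts = urlsplit(address.strip())   # urlsplit lowercases the scheme and hostname
    scheme = parts.scheme

    # Red flag from the article: the page is embedded in the address itself.
    if scheme == "data":
        return False, "data: URL - the page lives inside the address, no server was contacted"

    # Anything other than https (http, javascript:, a bare path, ...) fails.
    if scheme != "https":
        return False, f"scheme is {scheme!r}, not https"

    # hostname ignores userinfo ("accounts.google.com@evil.test" -> "evil.test")
    # and the port, so look-alike tricks in the authority part are caught.
    host = parts.hostname or ""
    if host not in expected_hosts:
        return False, f"host {host!r} is not an expected login host"

    return True, f"https to expected host {host}"


# Constructed sample addresses: True = should be accepted, False = should be refused.
SAMPLES = {
    "https://accounts.google.com/ServiceLogin?service=mail": True,
    "data:text/html,https://accounts.google.com/ServiceLogin?service=mail   ...": False,
    "http://accounts.google.com/ServiceLogin": False,
    "https://accounts.google.com.example-phish.test/ServiceLogin": False,
    "https://accounts.google.com@example-phish.test/ServiceLogin": False,
}


def audit(samples=SAMPLES) -> bool:
    """Run every sample through the checker; return True if all verdicts match."""
    all_ok = True
    for address, expected in samples.items():
        safe, reason = check_location(address)
        mark = "ok " if safe == expected else "BAD"
        print(f"[{mark}] {'SAFE  ' if safe else 'REFUSE'} {address[:60]:<60} {reason}")
        all_ok &= (safe == expected)
    return all_ok


if __name__ == "__main__":
    audit()
```

The last two samples show why the hostname is taken from the parsed URL rather than from a visual scan of the bar: a subdomain such as `accounts.google.com.example-phish.test` and a userinfo prefix such as `accounts.google.com@example-phish.test` both put the familiar name at the front of the address while pointing somewhere else.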
