Gmail users: Watch for sophisticated scam

The Google Pixel phone is displayed next to a Daydream View virtual-reality headset, right, following a Google product event in San Francisco in this file photo from 2016.

A devious new scam targeting Gmail users shows you can’t trust that any email is safe, even if it comes from someone you know and appears to be part of an ongoing conversation.

Cybercriminals are hacking Gmail accounts and using the email chains they find there to send personalized scam messages to people the account holder previously corresponded with. The emails use the same subject lines and file attachment names that were used on previous email exchanges, making them appear legitimate.

But the fraudulent messages contain an attachment that, when clicked, directs the recipient to an authentic-looking Gmail screen that prompts them to log in. Anyone who does so gives their email log-in credentials to the scammer, who then can exploit their account.

The crooks cash in by checking your emails for information that will give them access to your bank and other financial accounts, said Robert Capps, vice president of business development for NuData Security in Vancouver, Canada.

“What’s really damaging, what’s really powerful about attacks like this is that a consumer email account is often the key to other accounts,” he told me.

Think about your emails. There probably are messages from banks, retailers and service providers. Capps said customers often can reset their passwords through those emails, which means the cybercrook can do the same.

“You can take over a large number of accounts without ever having to know the passwords to any of the other accounts,” he said.

This fraud is especially sophisticated because the fake Gmail login page doesn’t trigger any warnings from your Web browser, such as changing the padlock icon that we’re used to checking from locked to unlocked, Capps said. It also doesn’t change the color of the lock to red, which is another warning sign that a website may not be safe.

As with most swindles, though, there is a flaw that would alert people who are paying attention to the smallest details.

The Web address of the fake Gmail login page has additional text at the beginning, according to Wordfence, a company that provides security for WordPress websites.

The web address includes the familiar “,” making it appear legit. But that is preceded by the prefix “data:text/html.”

“Make sure there is nothing before the hostname ‘’ other than ‘https://’ and the lock symbol,” Wordfence said in a report about the scam on its blog a few weeks ago.
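The check Wordfence describes can be written out in code. This is an added example, not code from Wordfence, Google or this article: it parses the address-bar text and accepts it only when the scheme is https and the hostname is exactly the expected one. The hostname `accounts.example.com`, the sample addresses and the function name `checkLoginUrl` are placeholders assumed for illustration.

```javascript
// Placeholder sign-in hostname (an assumption; substitute the one you expect).
const EXPECTED_HOST = "accounts.example.com";

// Classify the text shown in the address bar of a page asking for a password.
// Returns { safe, reason } so a caller can log or display why it was rejected.
function checkLoginUrl(addressBarText, expectedHost = EXPECTED_HOST) {
  const text = addressBarText.trim();
  let url;
  try {
    url = new URL(text);
  } catch {
    return { safe: false, reason: "unparseable" };
  }
  // A data: URI carries the page inside the address itself. Any hostname that
  // appears later in the string is just text, not the site being visited.
  if (url.protocol === "data:") {
    const mentionsHost = text.toLowerCase().includes(expectedHost);
    return { safe: false, reason: mentionsHost ? "data-uri-spoofing-host" : "data-uri" };
  }
  if (url.protocol !== "https:") {
    return { safe: false, reason: "not-https" };
  }
  // "Nothing before the hostname": text ahead of an @ is userinfo, not the host.
  if (url.username || url.password) {
    return { safe: false, reason: "userinfo-before-host" };
  }
  if (url.hostname !== expectedHost) {
    return { safe: false, reason: "wrong-host" };
  }
  return { safe: true, reason: "ok" };
}

// Constructed sample addresses, for illustration only.
const samples = [
  "https://accounts.example.com/signin",
  "data:text/html,https://accounts.example.com/signin",
  "http://accounts.example.com/signin",
  "https://accounts.example.com@login.example.net/",
];
for (const s of samples) {
  console.log(checkLoginUrl(s).reason.padEnd(24), s);
}
```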

Another thing that should tip you off is that you are being asked to log into your Gmail account when you already are logged in. There should be no reason for you to do that.

Google said it is aware of the issue and is strengthening its defenses against it.

“We help protect users from phishing attacks in a variety of ways, including machine learning-based detection of phishing messages, safe browsing warnings that notify users of dangerous links in emails and browsers, preventing suspicious account sign-ins, and more,” it said in a statement.

This scheme emphasizes why it’s important to keep your email accounts secure. If you don’t consider the security of your email account to be as important as the security of your other accounts, such as your financial ones, think again.

“It’s a gateway to the rest of their accounts,” Capps said.

The initial email account that is exploited could be accessed any number of ways, including other phishing scams or from information stolen in a data breach.

Change your email passwords often and don’t use the same combination of user names and passwords on multiple accounts. If one gets stolen, clever criminals will try that combination on other websites, too.

Google said users also can activate two-step verification to increase account protection. In that process, users must enter a one-time code that’s sent to them by text message or phone call, in addition to their password, to log in.