Beware This Clever 'Fake Attachment' Gmail Phishing Scam

With a little know-how, most phishing scams are pretty easy to detect. This one, on the other hand, is devilishly clever and just might dupe you if you're not careful.

The fake Google sign-in page looks exactly like this.

The way this phishing scam works is simple. Wordfence, which brought the scam to light, says the attacker creates an email address to disguise themselves as someone you know. They then send you an email with an attachment, like a PDF or Word doc, that looks legitimate. When you click the attachment to see a preview of it, you are redirected to a Google sign-in page where you enter your credentials.

Here's the trick: Those attachments aren't attachments — they're embedded images designed to look like attachments that link out to a fake Google sign-in page. You can see an example of how real they look in Tom Scott's tweet below.

What's worse is that everything about the fake Google sign-in page looks normal. The logo, text boxes, and tagline are all there. The only difference is in the address bar, where careful eyes will see that the page is actually a data URI with the prefix "data:text/html", not a URL with the standard "https://". But if you don't spot it, the attackers get your information and use it to send out more of the same phishing emails to your contacts.
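As an added example (not from the article, and not Wordfence's or Google's code), here is a small Python scanner for an HTML email body that flags the pattern described above: an image wrapped in a link whose target is a data: URI rather than an https:// URL, and in particular a data: URI whose payload starts with something that looks like a real address. The sample email and all function names are constructed for this example.

```python
# Added example: flag "fake attachment" links in an HTML email body, i.e. an <img>
# wrapped in an <a> whose href is a data: URI instead of a normal https:// URL.
from html.parser import HTMLParser
from urllib.parse import unquote


class FakeAttachmentScanner(HTMLParser):
    """Collect every <a> that wraps an <img> and classify its href."""
    def __init__(self):
        super().__init__()
        self._open_href = None  # href of the <a> we are currently inside, if any
        self._saw_img = False
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._open_href = attrs.get("href", "")
            self._saw_img = False
        elif tag == "img" and self._open_href is not None:
            self._saw_img = True  # image-as-attachment inside a link

    def handle_endtag(self, tag):
        if tag == "a" and self._open_href is not None:
            if self._saw_img:
                self.findings.append(classify_href(self._open_href))
            self._open_href = None


def classify_href(href):
    """Return (href, verdict). A sign-in page is never a data: URI; one whose
    body starts with https://... is the address-bar disguise the scam relies on."""
    scheme = href.split(":", 1)[0].strip().lower()
    if scheme != "data":
        return (href, "ok")
    body = unquote(href.split(",", 1)[1]) if "," in href else ""
    if body.lstrip().lower().startswith(("https://", "http://")):
        return (href, "data-uri-disguised-as-url")
    return (href, "data-uri")


def scan_email_html(html):
    scanner = FakeAttachmentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a "PDF" that is really an image linking to a data: URI whose
# payload is padded with a fake Google address, followed by a placeholder script.
SAMPLE = ('<p>Please see attached.</p>'
          '<a href="data:text/html,https://accounts.google.com/ServiceLogin'
          '%20%20%20%20%3Cscript%3E/*placeholder*/%3C/script%3E">'
          '<img src="cid:pdf-icon" alt="invoice.pdf"></a>'
          '<a href="https://example.com/real"><img src="cid:logo"></a>')
```

Running `scan_email_html(SAMPLE)` flags the first link as a data: URI disguised as a URL and passes the second, ordinary https link.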

Google has since updated Chrome to 56.0.2924, which makes it easier to spot fake forms like these, but it doesn't exactly stop this type of scam dead in its tracks. And whether you use Chrome or not, it's important to stay vigilant and keep your eyes peeled when checking email.

    I got one of these over the weekend, only it was for Dropbox!

    I've fallen for an eBay one that I just realised too late. I got redirected from a site when I was buying stuff online. The eBay page looked normal. The login screen looked normal, but when I entered my password it said it didn't recognise it and I had to reset because I thought I might have forgotten. From there I was prompted to enter my phone number and email address. I got a text and everything with the code. Yet every time I reset the password to one I could remember, it didn't want to log in. After about 5 attempts I had enough.

    Later that day, someone accessed one of my email accounts which was linked to my Skype account and also another Gmail account. I only noticed this because my Skype had turned Russian for no reason, and strange activity was happening on the other account. I managed to somehow quickly change passwords on them before anything permanent happened. But they kept trying on my Gmail account. Pretty scary shit.

    Then I realised my mistake. The site was fake, prompting me to put a password in every time. And what do we all do when we are in a hurry? Remember an existing password from another account and use that. So the culprits just had to guess which password goes where, and bam!
