Gmail is the latest victim of a phishing scam that is even fooling experienced technical users.

The scam is being described as one of the most convincing yet, and tricks users into giving their Google login details, allowing the attacker to sift through their messages.

Emails containing the rogue attachment can come from people in the recipient's own address book, and attacker can even copy their style of writing, convincingly passing the fake email on to the victim's contacts.

The fake email uses image attachments that look like a PDF file.


When you click on the attachment, you are directed to phishing pages, disguised as the Google sign-in page.

If you enter your details, your Gmail account becomes compromised, allowing the attacker to sift through your sent messages folder and pass on the scam.

Even more worryingly, the phishing pages do not seem to trigger Google's HTTPS security warnings, which normally warn users if they land on an unsafe page.

The scam was discovered by Mark Maunder, CEO of Wordfence, the security service for WordPress.

Maunder said that the scam was so convincing that it even fooled 'experienced technical users.'

A commenter on Hacker News, an IT person who's school server suffered an attack described what happened once they signed in to the fake page:

"The attackers log in to your account immediately once they get the credentials, and they use one of your actual attachments, along with one of your actual subject lines, and send it to people in your contact list.

"For example, they went into one student's account, pulled an attachment with an athletic team practice schedule, generated the screenshot, and then paired that with a subject line that was tangentially related, and emailed it to the other members of the athletic team."


The attackers signing into your account happens very quickly, experts warn.

"It may be automated or they may have a team standing by to process accounts as they are compromised.

Writing on Wordfence, Mr Maunder said: "Once they have access to your account, the attacker also has full access to all your emails including sent and received at this point and may download the whole lot.

"Now that they control your email address, they could also compromise a wide variety of other services that you use by using the password reset mechanism including other email accounts, any SaaS services you use and much more."

To avoid being a victim of the scam, Maunder recommends enabling a two-factor authentication, and keeping a look out for the prefix 'data:text/html' in the browser location bar - a sign of a fake web page.

He said: "Make sure there is nothing before the host name '' other than 'https://' and the lock symbol.

"You should also take special note of the green colour and lock symbol that appears on the left. If you can't verify the protocol and verify the hostname, stop and consider what you just clicked on to get to that sign-in page."