Phishing attacks usually involve bad spelling, obviously fraudulent URLs, or attachments that no one in their right mind would open. Skilled cyber criminals know that the public is getting wise, which is why their methods keep getting sneakier.

Take this new method, for example: It’s been making the rounds for a few months now, but is just now coming to light as those affected realize what’s happened. It’s sneaky, effective, and even those who know their stuff are falling prey.

If you don’t use Gmail, you don’t need to worry about this attempt to steal your credentials: it’s only targeting Gmail users.

How it works

It all starts in a Gmail account that has already been compromised. Reports say that perpetrators are accessing hacked accounts immediately and sending phishing messages to other Gmail addresses in the hacked account’s contact list.

An email lands in the target inbox from the hacked address, and here’s where it gets tricky: The phishing email uses a legitimate subject line, text, and attachments from emails already sent by that account, making it look completely legitimate.


The phishing email comes with an “attachment” that is actually a screenshot of an attachment sent by that account in the past, such as a spreadsheet or a PDF. The trick is that the fake attachment screenshot is an embedded image wrapped in a link that takes the victim to what looks like a Google login page.

Thinking they need to re-authorize their account to view the attachment, the user logs in, and their account is now in the hands of hackers. The cycle starts all over again: just one compromised account has the potential to affect dozens more.

Defending against it

This is one of the trickiest phishing methods yet because it’s so hard to detect. Even the URL of the fake login page looks real: it even contains the Google domain. There’s just one exception, and it’s the key to avoiding it: the URL is preceded by “data:text/html”.

That prefix tells your web browser to treat what follows it in the address bar as an HTML document, which renders a page that looks just like a real Google login page, complete with a convincing URL. The second you log in, hackers have access to your account, and victims have said they’re taking advantage of it right away.


Avoiding this particularly insidious phishing attack relies on personal diligence. When you click on an attachment of any kind, be sure to pay attention to the web address in your browser. If it’s preceded by data:text/html, don’t log in.
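Personal diligence can be backed by an automated check on the mail side. The following is an added example, not code from the original article: it scans an HTML message body for the pattern described above, an image (the fake attachment screenshot) wrapped in a link whose target is a data:text/html URI, and reports the legitimate-looking domain embedded in that link. The sample message is constructed for the demonstration.

```python
# Added example: flag the "fake attachment" pattern (an <img> wrapped in an
# <a> whose href is a data:text/html URI) in an e-mail body.
import re
from html.parser import HTMLParser

# The scheme is case-insensitive and may be padded with whitespace, so
# normalise before matching rather than comparing a fixed prefix.
DATA_HTML_RE = re.compile(r"^\s*data\s*:\s*text/html", re.IGNORECASE)

class FakeAttachmentFinder(HTMLParser):
    """Collects anchors that wrap an image and point at a data:text/html URI."""
    def __init__(self):
        super().__init__()
        self._current_href = None   # href of the <a> we are inside, if any
        self._saw_img = False       # did that <a> wrap an <img>?
        self.findings = []          # list of (href, lookalike_domain)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._current_href = attrs.get("href") or ""
            self._saw_img = False
        elif tag == "img" and self._current_href is not None:
            self._saw_img = True

    def handle_endtag(self, tag):
        if tag == "a" and self._current_href is not None:
            href = self._current_href
            if self._saw_img and DATA_HTML_RE.match(href):
                # Pull out the legitimate-looking domain embedded in the
                # payload (e.g. accounts.google.com) for the report.
                m = re.search(r"https?://([\w.-]+)", href)
                self.findings.append((href, m.group(1) if m else None))
            self._current_href = None

def find_fake_attachments(html_body):
    """Return (href, embedded_domain) for each suspicious image-link found."""
    parser = FakeAttachmentFinder()
    parser.feed(html_body)
    return parser.findings

# Constructed sample: one benign attachment link, then a data: URI padded with
# spaces so the real-looking domain is what shows in the address bar.
SAMPLE = (
    '<p>Here is the report we discussed.</p>'
    '<a href="https://drive.google.com/file/d/abc123">report.pdf</a>'
    '<a href="data:text/html,https://accounts.google.com/ServiceLogin'
    + ' ' * 40 + '%3Cscript%3E/*fake login form*/%3C/script%3E">'
    '<img src="cid:report_preview.png" alt="report.pdf"></a>'
)

if __name__ == "__main__":
    for href, domain in find_fake_attachments(SAMPLE):
        print(f"suspicious image link, lookalike domain {domain}: {href[:50]}...")
```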

Take time to secure your Gmail account now

You don’t need to wait for a hack to secure your Gmail account. Now is the time to take advantage of other security methods like two-factor authentication.

Sure, it can be a bit annoying to wait for a code every time you log in from a new device, but it’s worth it: your life is in your email account. No one else should have access to that information besides you and those you trust.

The 3 big takeaways for TechRepublic readers

  1. A new Gmail phishing attack is using legitimate emails and attachments from people you know to trick you into clicking on a message.
  2. Clicking on the fake attachment directs victims to a fake Google login page. The only way to tell it isn’t real is to look in your browser’s address bar: fake sites are preceded by data:text/html.
  3. Two-factor authentication is a good way to proactively secure Google and other accounts from phishing and hacks. Take the time to do it now.
