There are phishing scams, and then there are those that are so damn clever that… sorry, scratch that. Phishing scams are the worst, and those that run them deserve infuriatingly slow internet access for the rest of their damned lives.
This new one doing the rounds in Gmail inboxes is one that appears to include an attachment, which in reality isn’t an attachment at all. Instead, it’s just an embedded image that looks like one:
This is the closest I've ever come to falling for a Gmail phishing attack. If it hadn't been for my high-DPI screen making the image fuzzy… pic.twitter.com/MizEWYksBh
— Tom Scott (@tomscott) December 23, 2016
If you click it, as we’re generally wont to do when we spot an attached file, you’ll be taken to a Google sign-in page where you’re asked to enter your password. Of course, this is also fake; Lifehacker notes that the page is actually a data URI with the prefix “data:text/html”, not the usual HTTPS-secured URL that you’d expect. Falling into the attackers’ trap could see them misuse your credentials for all kinds of things, including sending more such scam emails to your contacts.
As IP protection firm WordFence noted, Chrome v56.0.2924 attempts to address issues like this by displaying a “Not Secure” message in the address bar on the form page – but it’s not likely that everyone will spot it. In addition to checking the URL the next time you click an attachment in Gmail, be wary of attachments from people you don’t know – and people you do as well, because their accounts may have been compromised.