Skip to main content

Your email account can hold a lot of information on you. They can give insight into where you work, who your friends and family are, and even your banking details.

Fraudsters know that they can use this information against you. That's why they come up with new scams to try and get their hands on your details – their latest is a Gmail scam.

The scam tricks users into giving out their Google login details, allowing the attacker to look through their messages. To make sure you don't fall for this scam, we're taking you through what to look out for.

The details

The scam sees fraudsters target people with phishing emails. The fake emails come with an image attachment that looks like a PDF.

When you click on the attachment, it takes you to a fake page that looks like a Google sign-in page. This page doesn’t trigger Google's HTTPS security warnings, which normally happens when a user lands on an unsafe page.

If you enter your details, you will compromise your account. This will allow the attacker to look through your sent messages folder and forward on the scam to your friends. As a result, you can receive the email from people in your address book and fraudsters can even copy their style of writing to make it look convincing.

The attackers can use one of your actual attachments along with one of your subject lines to make the email seem genuine. For example, in one case they logged into a student's account and used an attachment with an athletic term practice schedule and related subject line to email other members of the team.

Once a fraudster has access to your email account, they can use it to reset your passwords for other services.

How to avoid the scam

Although this scam is fooling some experienced technical experts, there are certain things you can do to protect yourself.

• Never click on a link in an unsolicited email. Hover your mouse over it to find out the true destination of the URL – its address will show up in the bottom left-hand corner of the screen.

• Keep a look out for the prefix 'data: text/html' in the browser location bar. This is a sign of a fake page.

• Check that there's nothing before the host name '' apart from 'https://' and the lock symbol – these are signs that the site is secure.

• When receiving an email out of the blue, check that the address and the sender name match.

• Set up two-factor authentication on your email account. The system asks for a login and password as usual, but then sends a unique code to another device using text message or email. This will help block fraudsters.

And most importantly, trust your instincts. If something doesn't look quite right it probably isn't.

Fraudsters are getting more technical with their scams – find out if enabling browser autofill can put you at risk of fraud in our blog.

Legal Information