This is an archived article and the information in the article may be outdated. Please look at the time stamp on the story to see when it was last updated.

A new variant on the Google Gmail phishing scam has surfaced within the last month. What makes this phishing tactic more effective is that it looks like it came from a trusted source.

According to Robert Hackett of, “The attacker, usually disguised as a trusted contact, sends a booby-trapped email to a prospective victim.” The email appears to come from a friend or business associate. In reality, the sender's account has already been hijacked to perpetuate the scam.

Victims have reported receiving an email with a fake PDF invoice attachment. When the victim clicks on the attachment, they are sent to what looks like a Google login page. The spoofed Google page is crafted to look just like the real login page. From there, victims are urged to enter their login credentials to “view” the invoice.

The reality: there is no invoice. Scammers are just looking for your login ID and password. Once they have those, they will access your contacts and send the same phishing email to them. The goal of this scam is to harvest as many login credentials as possible, either to 1) steal the identities of victims or 2) sell the information on the black market. Credentials of this nature are very valuable.

Why are so many people still falling for this type of scam, even though it’s been around for a long time? Scammers are becoming savvier and more technically proficient at spoofing the exact look and function of legitimate websites, to the point that, according to a McAfee for Business study titled “97% Of People Globally Unable to Correctly Identify Phishing Emails,” the vast majority of people cannot tell a phishing email from a legitimate one.

How to safeguard yourself against this scam?

  • Be very skeptical of email attachments, even if they appear to come from a trusted source. If you receive an email like the one described above – an invoice for something you did not authorize – don’t click on the link.
  • If you are ever redirected from an attachment to sign into Google or any other account, don’t do it. To verify the information in the email, log in to your account using a bookmarked link rather than the redirect or a link provided in the email.
  • If you believe your Gmail account has already been compromised, contact Google directly.
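The second tip above comes down to one question: does the address bar of the sign-in page actually point at Google's real login host, or at a look-alike? The following Python check, added here as an illustration and not part of the original article or of any Google tooling, shows the comparison a browser extension or mail-gateway filter would make. The `TRUSTED_LOGIN_HOSTS` allowlist and every sample URL are constructed for the example; the look-alike hosts use reserved `.example` names and do not refer to real sites.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit

# Assumption: a short illustrative allowlist of the hosts that legitimately
# serve Google's sign-in page. A real filter would maintain this list carefully.
TRUSTED_LOGIN_HOSTS = {"accounts.google.com"}


def login_host(url: str) -> Optional[str]:
    """Return the host a browser would actually connect to, or None if the
    URL is not an http(s) URL at all (data:, javascript:, mailto: ...)."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return None
    # .hostname strips any "user:pass@" prefix and port, and lowercases,
    # so "https://accounts.google.com@other.example/" resolves to other.example.
    return parts.hostname


def is_trusted_login_page(url: str) -> bool:
    """True only for an https URL whose host is exactly on the allowlist.

    Exact matching matters: "accounts.google.com.login.example" and
    "accounts-google.example" both *contain* the trusted name but are not it.
    """
    host = login_host(url)
    if host is None:
        return False
    return urlsplit(url.strip()).scheme == "https" and host in TRUSTED_LOGIN_HOSTS


def classify(urls) -> Dict[str, bool]:
    """Apply the check to a batch of URLs; handy for scanning links in a message."""
    return {u: is_trusted_login_page(u) for u in urls}


# Constructed sample links of the kinds a phishing page or a real sign-in might use.
SAMPLE_LINKS = [
    "https://accounts.google.com/signin/v2/identifier",   # genuine host over https
    "https://accounts.google.com:443/signin",             # explicit port, still genuine
    "http://accounts.google.com/signin",                  # right host, but not https
    "https://accounts.google.com.login.example/signin",   # look-alike subdomain trick
    "https://accounts.google.com@collector.example/",     # userinfo trick
    "data:text/html,https://accounts.google.com/signin",  # not a web address at all
]

if __name__ == "__main__":
    for link, ok in classify(SAMPLE_LINKS).items():
        print(("TRUSTED " if ok else "SUSPECT ") + link)
```

Only the first two sample links pass. The point for the reader is that "it says google.com somewhere in the address" is not the test; the test is whether the exact host the browser connects to is the one you expect, which is precisely what a bookmarked link guarantees and a link inside an email does not.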

For more tips from Google on how to keep your accounts secure, go to the Google Safety Center. To read more about this new Gmail phishing scam, see “Everyone Is Falling for This Frighteningly Effective Gmail Scam.”

To report a scam, go to the BBB Scam Tracker. To find trustworthy businesses, go to