Usually, you can tell a legitimate Google notification from a phishing attempt by checking the domain in the link: a message that sends you to a non-Google address is almost certainly a scam. However, a sophisticated phisher has found a way to steal Google login credentials by turning the company's own servers against it.
Sunnyvale, Calif.-based security firm Symantec discovered the phishing attempt and reported the incident on its blog. The scam comes in an email titled "Documents," and encourages users to click on an included link to check out an important message on Google Drive.
This link leads to a login page hosted on a genuine Google URL, served over SSL/TLS with a valid certificate for the domain, so the browser shows the usual padlock. The login prompt is identical to the real Google sign-in page, inviting users to sign in to "One account. All of Google." Those who log in are shown a Google Drive document that says nothing of any importance.
Of course, the document isn't the point; the point is that the phishers now have the user's Google password, and with it the account. This gives them access to Google Drive documents, private email and, perhaps most damaging, payment information for Google Play.
The trick works because the fake login page itself, not just the lure document, is hosted on Google's own infrastructure: the domain, the certificate and the padlock all check out, so the standard advice to read the URL does not help. Combined with the convincing login page, this could fool the tech-savvy as well as the uninformed.
Still, cautious users can spot a few red flags in this otherwise clever scam. First, the email does not come from an official Google address, even if its display name says "Google." Clicking on links embedded in emails is generally a bad practice, although in this case even copying and pasting the link would still bring a user to a genuine Google page. The real tell is the page itself: Google's sign-in prompt lives on accounts.google.com, and a password box that appears on any other Google host, such as one that serves user-uploaded content, should be treated as a phish regardless of the padlock.
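The two red flags above, display-name spoofing and a password prompt on the wrong Google host, can be checked mechanically. The script below is an added example, not code from the article or from Symantec's report. It parses a constructed copy of the "Documents" lure (the sender address and link path are hypothetical placeholders), flags a From header whose display name says Google while the address domain does not belong to google.com, and lists every link so you can see that the link check alone passes for this lure. It also shows the host check a user or a proxy should apply to the sign-in page; the rules that legitimate Google mail comes from google.com or a subdomain and that the genuine sign-in page is accounts.google.com are simplifying assumptions of the example.

```python
"""Header and link triage for a suspected Google Drive "Documents" lure.

Added example, not part of the original article or Symantec's report.
Assumptions: input is a raw RFC 5322 message; legitimate Google mail comes
from google.com or a subdomain of it (a simplification); and Google's real
sign-in page lives on accounts.google.com over HTTPS.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the lure the article describes.
# The sender address and the link path are hypothetical placeholders.
SAMPLE_EMAIL = """\
From: "Google Drive" <drive-noreply@mailer.example.net>
To: victim@example.com
Subject: Documents
Content-Type: text/html; charset="utf-8"

<html><body>
<p>You have received an important document. View it on Google Drive:</p>
<p><a href="https://docs.google.com/some/shared/document">Open document</a></p>
</body></html>
"""

GOOGLE_DOMAIN = "google.com"          # assumed legitimate sender domain
GOOGLE_SIGNIN_HOST = "accounts.google.com"  # where a real Google login lives


def is_google_host(host: str) -> bool:
    """True only for google.com itself or a subdomain of it (not google.com.evil.example)."""
    host = host.lower().rstrip(".")
    return host == GOOGLE_DOMAIN or host.endswith("." + GOOGLE_DOMAIN)


class LinkCollector(HTMLParser):
    """Collects every href from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def triage(raw: str) -> dict:
    """Return sender domain, extracted links and a list of textual findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, address = parseaddr(str(msg.get("From", "")))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""

    findings = []
    # Check 1: the display name claims Google but the address domain is not Google's.
    if "google" in display_name.lower() and not is_google_host(sender_domain):
        findings.append(f"display-name spoofing: '{display_name}' sent from {sender_domain}")

    # Check 2: links to non-Google hosts. For this lure the link really does go
    # to a Google host, so nothing fires here; that is the whole point of the scam.
    body = msg.get_body(preferencelist=("html",))
    links = []
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        links = collector.links
    for link in links:
        host = urlparse(link).hostname or ""
        if not is_google_host(host):
            findings.append(f"link to non-Google host: {host}")

    return {"sender_domain": sender_domain, "links": links, "findings": findings}


def signin_url_is_genuine(url: str) -> bool:
    """A Google password prompt is only expected on accounts.google.com over HTTPS.

    A sign-in form on any other Google host, such as one serving user-uploaded
    content, is a phish even though its certificate is valid.
    """
    parts = urlparse(url)
    return parts.scheme == "https" and (parts.hostname or "").lower() == GOOGLE_SIGNIN_HOST


if __name__ == "__main__":
    result = triage(SAMPLE_EMAIL)
    for finding in result["findings"]:
        print("FLAG:", finding)
    print("links found:", result["links"])
    print("genuine sign-in host?", signin_url_is_genuine("https://docs.google.com/sign-in"))
```

Run against the sample, the sender check fires and the link check stays silent, which is exactly the gap this scam exploits; the `signin_url_is_genuine` check is the one that would have caught the hosted login page.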
If you get an email message purporting to come from a big organization such as Google, it's generally a good idea to check the content of the email against the company's official blog or Twitter feed. A company will rarely change how its users sign in without announcing it on a large scale.
Don't feel too bad if you got taken in by this one, but do change your password as soon as possible, review your account's recent activity, and turn on 2-Step Verification for your Google account.