🟢 Beginner Summary

Phishing attacks are more sophisticated than most people realize. This case study traces the complete lifecycle of a credential-stealing phishing attack — from the attacker's setup to the moment your password is stolen — so you know exactly what to look for.

Table of Contents

  1. Setting the scene
  2. Phase 1: The attacker's setup
  3. Phase 2: Delivering the bait
  4. Phase 3: The victim's experience
  5. Phase 4: Credential theft
  6. Phase 5: What happens after
  7. How to prevent this
  8. FAQ

Setting the Scene

Meet Sarah. She's a 34-year-old marketing manager. She uses Gmail for work and personal email, has online banking set up, and is generally sensible about technology. She's not naive. She wouldn't click an email from a Nigerian prince.

And yet, on a Tuesday afternoon in between meetings, she's going to hand her Gmail password directly to an attacker — and she won't realize it for weeks.

This case study is a composite of real phishing techniques documented by security researchers. The attack shown here is not extraordinary — it's completely typical.

Phase 1: The Attacker's Setup

The attacker, operating from their home, doesn't need advanced hacking skills. The tools they use are largely commercially available — the same tools used by legitimate penetration testers, repurposed for fraud.

Building the Phishing Infrastructure

  1. Register a convincing domain. The attacker registers google-accounts-support.net — a domain that looks plausible to a distracted reader. Cost: about $12/year.
  2. Clone Google's login page. Using freely available tools, they create a perfect pixel-for-pixel copy of the Google sign-in page — same fonts, same logo, same layout, same error messages. The only difference: when you submit your credentials, they go to the attacker, not Google.
  3. Set up SSL (the padlock). Many people check for the padlock icon in their browser as a sign of legitimacy. The attacker gets a free SSL certificate for their fake domain. The padlock now appears on the phishing site.
  4. Configure credential harvesting. The fake login page sends captured credentials to a database the attacker controls — automatically, within milliseconds of submission.

🔴 The Padlock Myth

The padlock means the connection is encrypted — not that the site is legitimate. Attackers routinely use HTTPS on phishing sites. Never trust a site based on the padlock alone.

Phase 2: Delivering the Bait

The attacker has Sarah's email address. It was in a breach from a forum she signed up for in 2019 — her email is in multiple publicly available breach databases.

The email they send:

Simulated phishing email

From: Google Security Alert <no-reply@google-accounts-support.net>

Subject: Critical: Someone signed into your account from Romania

Hi Sarah,

We've detected a suspicious sign-in to your Google Account from a new device:

Location: Bucharest, Romania

Device: Windows PC

Time: Tuesday, April 22, 2026, 11:43 AM UTC

If this wasn't you, your account may be at risk. Please verify your identity within 24 hours to prevent account suspension.

Verify My Account Now

If you did initiate this activity, no action is needed. This security alert was sent to sarah@gmail.com.

© 2026 Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043

Why this email is effective:

  • It creates immediate fear (account accessed from a foreign country)
  • It creates urgency (24 hours to act)
  • It uses authority (appears to be from Google)
  • It has Sarah's real name and email address (from the breach database)
  • It includes a realistic address and copyright notice for legitimacy
  • The "device" details feel specific and technical, increasing trust

Phase 3: The Victim's Experience

Sarah receives the email on her phone during a break between meetings. She's slightly distracted, slightly stressed. The email looks exactly like previous security alerts she's received from Google.

She skims it. Romania. Someone in Romania tried to access her account. That's terrifying.

She taps the "Verify My Account" button. Her browser opens to a page that looks exactly — exactly — like Google's login screen. The URL shows something like google-accounts-support.net/signin but on mobile, the full URL is often truncated and she sees "google-accounts..." which looks fine.

She types her email address. She types her password. She hits sign in.

The page redirects her to a convincing "Account Verified — Your account is now secure" page, then automatically forwards her to the real Google login page, which shows her as already logged in. Everything seems fine. Problem solved.

Phase 4: Credential Theft

The moment Sarah typed her password and clicked submit, the attacker's server received:

  • Sarah's full email address
  • Her Gmail password in plaintext
  • Her IP address
  • Her device type and browser
  • The timestamp

The attacker doesn't even need to be at their computer. An automated script sends them a notification with the credentials within seconds.

Sarah has 2FA enabled — good. The attacker is prompted for a 2FA code, which they don't have. So they immediately try one of two advanced techniques:

  • Real-time phishing relay: The attacker's fake page prompts Sarah for her 2FA code too ("For extra security, please enter the code sent to your phone"), which she enters, giving the attacker the one-time code in real time.
  • Session token theft: More sophisticated kits steal the browser session cookie after login — bypassing 2FA entirely.

Phase 5: What Happens After

Inside Sarah's email, the attacker:

  1. Sets up a silent forwarding rule — copies of all future emails go to attacker@proton.me
  2. Creates a filter that deletes any email with subject lines like "Security alert" or "New sign-in" from reaching Sarah's inbox
  3. Searches for keywords: "bank," "password," "invoice," "account"
  4. Finds Sarah's bank, resets the password using "Forgot Password"
  5. Transfers funds to a mule account

The forwarding rule means the attacker continues receiving Sarah's emails even after she changes her Gmail password. She doesn't find the forwarding rule for three weeks.

How to Prevent This

🔵 If Sarah Had Done These Things

  • Used a hardware security key or passkey for 2FA — these are phishing-resistant because they verify the actual domain. A real-time phishing relay can't steal them. Passkeys: even stronger.
  • Checked the URL carefully on desktop — the full URL google-accounts-support.net vs accounts.google.com would have been obvious
  • Used a password manager — Bitwarden would have refused to autofill the fake domain because it didn't match the saved entry for google.com
  • Verified out-of-band — open Google directly in a new tab (typing google.com manually) to check for actual security alerts
  • Checked Gmail forwarding rules regularly — even after recovery, the forwarding rule continued the damage

For more on spotting phishing attacks: What is Phishing?

For securing your Gmail specifically: How to Secure Your Gmail

FAQ

Would standard 2FA have stopped this attack?

Standard 2FA (SMS or authenticator app) adds friction but can be bypassed by real-time relay phishing kits. Passkeys and hardware security keys (FIDO2) are truly phishing-resistant and cannot be relayed.

How common are attacks like this?

Extremely. The Anti-Phishing Working Group tracks hundreds of thousands of phishing campaigns monthly. What's shown here is a textbook attack using tools sold commercially on underground forums.

References

  • APWG Phishing Activity Trends Reports
  • Google Project Zero research on evilginx/phishing kits
  • Cloudflare research: Phishing-resistant authentication
  • FBI IC3 Internet Crime Reports