New phishing campaign targeting Google Gmail users

Jan. 17, 2017

Security researchers have discovered a new phishing campaign targeting Gmail users, which is so convincing and highly effective that even tech-savvy people can be tricked into giving away their Google credentials to hackers.

The malicious emails come from one of the targeted user’s contacts and appear to carry a PDF document that can be previewed directly from Gmail. However, clicking the “attachment,” which is actually an embedded image, takes the user to a Gmail phishing page. The URL of this phishing page starts with “data:text/html,https://accounts/google.com,” which could lead many users to believe the site is legitimate, especially since the web browser displays no certificate warning (a data: URL is rendered locally, so there is no TLS connection to warn about). The legitimate-looking part of the URL is followed by a long run of whitespace, which pushes any suspicious strings out of the visible address bar, and then by an obfuscated script that opens a Gmail phishing page in a new tab.
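The address-bar trick described above can be checked for mechanically: a URL whose scheme is `data:` but whose body begins with a look-alike `https://` address, padded with whitespace and followed by HTML or script, is almost never legitimate. The following heuristic checker is an added example for defenders (mail-gateway or browser-extension logic), not code from the article; the sample URL it tests is constructed from the page's description.

```python
import re
from urllib.parse import unquote

# A data: URL body that opens with something resembling a real https:// address.
DECEPTIVE_PREFIX = re.compile(r"^\s*https?://[^\s,<>]+", re.IGNORECASE)
# Markup that indicates the "URL" is really a rendered page, not an address.
SCRIPT_OR_HTML = re.compile(r"<\s*(script|iframe|form|html)\b", re.IGNORECASE)
PADDING_THRESHOLD = 20  # whitespace run long enough to scroll content out of view

def analyze_url(url: str) -> dict:
    """Return {'suspicious': bool, 'reasons': [...]} for a single URL.

    Only data: URLs are examined; anything else is returned as not suspicious.
    """
    findings = {"suspicious": False, "reasons": []}
    scheme, sep, rest = url.partition(":")
    if not sep or scheme.strip().lower() != "data":
        return findings
    # data:[<mediatype>][;base64],<data>  -- split header from payload
    header, comma, body = rest.partition(",")
    if not comma:
        return findings
    body = unquote(body)  # address bars may show %20 instead of raw spaces
    media = header.split(";")[0].strip().lower() or "text/plain"
    if media == "text/html":
        findings["reasons"].append("data: URL renders as HTML")
    if DECEPTIVE_PREFIX.match(body):
        findings["reasons"].append("body starts with a look-alike https:// address")
    longest_ws = max((len(m) for m in re.findall(r"\s+", body)), default=0)
    if longest_ws >= PADDING_THRESHOLD:
        findings["reasons"].append(f"whitespace padding ({longest_ws} chars)")
    if SCRIPT_OR_HTML.search(body):
        findings["reasons"].append("embedded HTML/script after the padding")
    # Flag only when the deceptive prefix is combined with at least one other signal.
    findings["suspicious"] = (
        "body starts with a look-alike https:// address" in findings["reasons"]
        and len(findings["reasons"]) >= 2
    )
    return findings

# Constructed sample modelled on the page's description (not a real capture).
SAMPLE_PHISH = (
    "data:text/html,https://accounts/google.com"
    + " " * 200
    + "<script>/* obfuscated loader would sit here */</script>"
)

if __name__ == "__main__":
    print(analyze_url(SAMPLE_PHISH))
```

A real `https://accounts.google.com/...` address is left alone because its scheme is not `data:`; the check only fires on the impersonation pattern.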