-
The Google harvesting ploy I saw recently was good. All they needed was access to one user and then it spread from there. They sent it to that user's contacts (and so on and so forth) so that the recipient wouldn't think it odd to receive a message from patient zero. It was formatted to only really work in a gmail inbox view. The email itself was just "here is that file/PDF I promised" and below there was what looked like a PDF attachment. Except, the "attachment" was actually a hyperlinked image to a convincing fake Google Drive login page. The victim would just think they had clicked on a PDF and needed to log in to Drive to view it. Once they enter their credentials, the login link would then take them to the real Drive page so they would just think there has been a glitch, log in again and be taken to their own real Drive page, not knowing that the phishers now had their Google (+ebay +PayPal etc etc) credentials.
Then they complete a transaction on ebay for an item they have set up, contact the victim from ebay who thinks someone else has fucked up so they might get something for free/cheap and hand over money through bank transfer for a nonexistent item/chunk of cryptocurrency.
That sounds pretty scary.
I had same login and pass.
Just like on 99% of other sites...
Lesson learned...
Thank you for the advice and explanation.