{"slug": "a-potential-client-almost-cost-me-my-google-account", "title": "A Potential Client Almost Cost Me My Google Account", "summary": "A web developer nearly fell victim to a sophisticated phishing attack disguised as a Calendly booking link from a potential client, HitBox Games. The attacker used a fake browser window mimicking Google's login page to steal credentials, but the developer noticed irregularities and avoided entering their password.", "body_md": "Yesterday I received a project request through my website.\n\nIt didn't sound too unusual, although it was very vague, which is usually a sign of a badly paying client.\n\nI replied, signaled interest and asked for some more information about the project.\n\nThe response came just 2 hours later:\n\nObviously written by an LLM.\n\nNothing unusual though, lots of people write their emails assisted by LLMs these days.\n\nSomething else caught my eye...\n\nLook closely:\n\nThat doesn't look very... professional. It especially seemed strange coming from a woman working from the UAE.\n\nMaybe she's \"more open-minded\" and doesn't realize that her personal Gmail avatar is being shown to everybody she emails for work.\n\nWe go 2 more emails back and forth and I eventually attempt to book a call.\n\nThis is where it gets weird.\n\nI click on the link in the email.\n\nHmm... I was expecting a redirect to the Calendly website, but the Calendly form actually opens on the client website's URL.\n\nOk, maybe they've embedded the form in an iframe, or you can somehow self-host Calendly forms now.\n\nI take the opportunity to check out the website of this company, \"HitBox Games\".\n\nThe games they publish sound ridiculous:\n\n- Robot Transform War Car Games\n- Indian Bike Gangster Simulator\n- Spider Action Fighting Game\n- Spider Rope Action Game\n\nWhat?\n\nThey look like the low-quality ripoffs you get those annoying mobile ads for.\n\nLet's see if this is for real.\n\nI follow the links to Google Play.\n\nIt looks legit. 
10M downloads! Seems like there's a big market for \"Indian Bike Gangster Simulator\".\n\nThe reviews are not bad and the screenshots actually look like a well-made game.\n\nAt this point, I'm of course still open to working on a project for them. I may not be the target audience of their product, but I'd still build a website for this company!\n\nLet's get back to booking the call.\n\nNext week Wednesday sounds good...\n\nBefore I can continue, I need to log in with Google.\n\nSurprisingly bad UX coming from Calendly. I didn't realize I needed to log in before clicking \"Schedule\". Shouldn't they have optimized the hell out of these forms?\n\nAlso, it shows \"Mountain Time\" as the timezone. Surely Calendly should be able to detect my local timezone without problems. Weird!\n\nI click \"Sign in with Google\" and a Google-branded loading spinner appears:\n\nWeird, never seen this one before.\n\nAlso notice how the loading spinner is Google-branded but the URL of the website is still the prospective client's.\n\nNext, it gets uncanny.\n\nI'm presented with something that looks like the \"Verify your identity\" screen that I'm shown what feels like 10 times per day.\n\nBut something's off.\n\nThe Google logo doesn't look right, the font is unusual, the \"Next\" button looks outdated.\n\nBut the URL is definitely Google's. I even see the green lock symbol which means that Chrome identifies the company/site as trustworthy or something like that (I should probably know this).\n\nAt this point I'm still very skeptical and I'm looking closely at the URL to see if it's one of these typo URLs or if it uses any lookalike symbols.\n\nI can't find anything. The domain is definitely `accounts.google.com`.\n\nWhen I open 1Password and it doesn't offer me my Google login, I know that there's no chance this is legit.\n\nBut why does the URL look so real? 
How did they pull that off?\n\nAs I look closer, I notice that the URL bar looks a bit weird.\n\nAnd then it hits me: this is not a real window!\n\nI can't drag it outside the viewport's bounds, the traffic light buttons don't work (except for the close button) and the \"Secure connection\" popover is the definite giveaway.\n\nThis isn't a real browser window, and I can inspect it with the devtools:\n\n## Conclusion\n\nWow, this is the first time that I've gone this far through a phishing funnel and I can't quite believe it.\n\nI'm a web developer and obsess over individual pixels all day, so I usually spot phishing sites in less than 10 seconds.\n\nWhy was this so effective?\n\nMaybe I just had a long day and I'm tired. That could definitely be why this got me.\n\nBut I think something else was different about this one:\n\nThis is the first time I had a seemingly real email conversation with somebody who turned out to be trying to phish me.\n\nNormally I only get this from cold / spam emails, but this person actually contacted me through the form on my website. And they only sent the phishing link after I had replied to them.\n\nThis time there were still a lot of obvious tells, but these phishing attempts are only going to get more sophisticated over time.\n\nIt's still strange to me how they paid extra attention to certain details.\n\nFor example, the Google login flow supports dark mode:\n\nAnd the Sign In screen looks very convincing with the slightly-janky loading animation and the Material UI-style floating labels:\n\nBut then they don't localize the timezone and don't use the real Google logo.\n\nI wonder if these scammers are doing some kind of funnel optimization. Maybe more people fall for their tricks if their fake login forms support dark mode.\n\nOr the supposed attention to detail in certain areas is just whatever their coding agent decided to clone more accurately.\n\nAnyways, I hope this little story was somewhat entertaining. 
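\n\nThe URL inspection described above, the hunt for typo domains and lookalike symbols, can be done in code. What follows is an added example rather than anything from the original post; the expected origin `accounts.google.com` and the sample hostnames in it are constructed for the illustration. It normalizes a hostname the way a browser would (IDNA/punycode), collapses common Unicode confusables and digit swaps onto the Latin letters they imitate, and measures edit distance to catch plain typos:

```javascript
// Added example, not code from the original post: the lookalike check the author
// did by eye, done programmatically. The expected host and the sample hostnames
// below are constructed for this example. Runs with plain Node, no dependencies.

// A small subset of Unicode TR39 confusables plus the digit swaps phishers use.
// Keys are built from code points so no invisible lookalike sneaks into this file.
const CONFUSABLES = new Map([
  [String.fromCharCode(0x0430), 'a'], // Cyrillic small a
  [String.fromCharCode(0x0435), 'e'], // Cyrillic small ie
  [String.fromCharCode(0x043e), 'o'], // Cyrillic small o
  [String.fromCharCode(0x0440), 'p'], // Cyrillic small er
  [String.fromCharCode(0x0441), 'c'], // Cyrillic small es
  [String.fromCharCode(0x0456), 'i'], // Cyrillic small byelorussian-ukrainian i
  [String.fromCharCode(0x0261), 'g'], // Latin small script g
  [String.fromCharCode(0x0131), 'i'], // Latin small dotless i
  ['0', 'o'],
  ['1', 'l'],
]);

// Map each character to the Latin letter it resembles, so a lookalike name
// collapses onto the genuine one.
function skeleton(host) {
  return Array.from(host, (ch) => (CONFUSABLES.has(ch) ? CONFUSABLES.get(ch) : ch)).join('');
}

// Plain Levenshtein distance, used to catch one- or two-character typosquats.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// What the browser would actually connect to: the IDNA (punycode) form of the
// name, or '' if it is not a valid hostname at all.
function toAscii(host) {
  try {
    return new URL('https://' + host + '/').hostname;
  } catch (e) {
    return '';
  }
}

// Classify a hostname read off a URL bar against the origin you expect.
function assessHost(displayedHost, expectedHost) {
  const host = displayedHost.trim().toLowerCase();
  const ascii = toAscii(host);
  const punycode = /(^|[.])xn--/.test(ascii);
  const nonAscii = Array.from(host).some((ch) => ch.charCodeAt(0) > 127);
  const skel = skeleton(host);
  const distance = levenshtein(skel, expectedHost);
  let verdict;
  if (ascii === expectedHost) verdict = 'exact';
  else if (skel === expectedHost) verdict = 'lookalike';
  else if (distance <= 2) verdict = 'typosquat';
  else verdict = 'unrelated';
  return { host, ascii, punycode, nonAscii, skeleton: skel, distance, verdict };
}

// Constructed samples: the genuine host, an IDN lookalike with two Cyrillic o's,
// a digit swap, a dropped letter, and an unrelated name.
const SAMPLES = [
  'accounts.google.com',
  'accounts.g' + String.fromCharCode(0x043e, 0x043e) + 'gle.com',
  'accounts.goog1e.com',
  'accounts.gogle.com',
  'hitboxgames.example',
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const s of SAMPLES) console.log(assessHost(s, 'accounts.google.com'));
}
```

Run it with Node to see a verdict per sample. The important limit, and the whole point of the story: every one of these checks passes for the text painted into a fake URL bar, because that text really is the string `accounts.google.com`. The only hostname worth trusting is the one the real browser reports, for example `location.hostname` typed into the devtools console of the genuine window, which for a fake window drawn inside the page returns the site that actually served it. Password managers key their autofill on that real origin, not on pixels, which is why 1Password stayed silent.\n\n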
Be wary of companies trying to hire you to build a website for \"Spider Rope Action Game\".\n\nP.S.: It seems like the [apps on Google Play](https://play.google.com/store/apps/dev?id=4693730298341895537) are actually real. This scammer probably just created a fake website with the same company name as the one that actually created those games.\n\nP.P.S.: The supposedly fake website for \"HitBox Games\" ranks pretty high on Google. I wonder if the website could be real and they just got hacked.", "url": "https://wpnews.pro/news/a-potential-client-almost-cost-me-my-google-account", "canonical_source": "https://maxschmitt.me/posts/phishing-attempt", "published_at": "2026-06-18 10:07:19+00:00", "updated_at": "2026-06-18 10:23:21.672749+00:00", "lang": "en", "topics": ["ai-safety", "developer-tools"], "entities": ["HitBox Games", "Calendly", "Google", "1Password"], "alternates": {"html": "https://wpnews.pro/news/a-potential-client-almost-cost-me-my-google-account", "markdown": "https://wpnews.pro/news/a-potential-client-almost-cost-me-my-google-account.md", "text": "https://wpnews.pro/news/a-potential-client-almost-cost-me-my-google-account.txt", "jsonld": "https://wpnews.pro/news/a-potential-client-almost-cost-me-my-google-account.jsonld"}}