The phish arrives as a Google Calendar email notification that appears identical to a standard Google Calendar invitation to an event. It has a bit more credibility than most, because the data thief uses a real Gmail account, the recipient is addressed by their real name, and the message is a legitimate, genuine Calendar invitation to an event. When the recipient clicks on the invitation, they are taken to the phisher’s real Gmail Calendar.
But that’s when it gets suspicious. The event invitation includes a notice that claims to be from “Gmail Customer Care” and informs the recipient that, due to some claimed difficulty, Google will close the recipient’s Gmail account unless they verify it by sending their Google username, password and date of birth. It sounds suspicious, but since you really are on Google’s site, the red flags may not go up right away. Of course, Google wouldn’t include such a message.
As is the case with many of these spam attacks, there are misspellings and a suspicious return email address. The notice comes from the Google “Customer Varifaction” department (as opposed to Customer Verification), which should tip off recipients right off the bat. Google does, at least one would assume, have proofreaders on staff and would not make such an error. Also, the return Gmail address includes a random four-digit number, which is also unusual and should tip off the recipient that something’s very wrong about this notice. It’s a clever ruse, because it uses a legitimate Google Gmail account and a real Google Calendar, but not so clever that you can’t see through the scam if you’re paying attention.
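
The red flags described above, expressed as a small mail-triage heuristic. This is an added example, not code from the original article; the flag names, similarity threshold, word list and sample messages are constructed assumptions, and it assumes a single-part plain-text message.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Thresholds, word list and flag names are assumptions chosen for illustration.
CREDENTIAL_TERMS = ("username", "password", "date of birth")
CLOSURE_THREAT = re.compile(r"\b(close|suspend|deactivate)\b.{0,60}\baccount\b", re.I | re.S)
FOUR_DIGIT_GMAIL = re.compile(r"^[^@]*\D\d{4}@gmail\.com$", re.I)
KNOWN_WORDS = {"verification", "certification", "notification"}

def near_misspellings(text, target="verification", threshold=0.75):
    """Words that resemble `target` closely but are not a known correct word."""
    words = {w.lower() for w in re.findall(r"[A-Za-z]{8,}", text)}
    return sorted(w for w in words - KNOWN_WORDS
                  if SequenceMatcher(None, w, target).ratio() >= threshold)

def red_flags(raw_message):
    """Return the red flags from the article found in one plain-text message."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    body = msg.get_payload()  # assumes a single-part text message
    flags = []
    if FOUR_DIGIT_GMAIL.match(address):
        flags.append("sender-four-digit-suffix")
    if sum(term in body.lower() for term in CREDENTIAL_TERMS) >= 2:
        flags.append("asks-for-credentials")
    if CLOSURE_THREAT.search(body):
        flags.append("account-closure-threat")
    if near_misspellings(display_name + " " + body):
        flags.append("misspelled-verification")
    return flags

# Constructed samples (not real messages); the address is a made-up placeholder.
SAMPLE_PHISH = (
    "From: Google Customer Varifaction <constructed.sample0000@gmail.com>\n"
    "Subject: Invitation: Account notice\n\n"
    "Gmail Customer Care: due to a difficulty, Google will close your Gmail "
    "account unless you verify by sending your username, password and date of birth.\n"
)
SAMPLE_BENIGN = (
    "From: Alice Example <alice@example.com>\n"
    "Subject: Invitation: Team sync\n\n"
    "Team sync on Thursday at 10:00. Agenda attached.\n"
)

if __name__ == "__main__":
    print(red_flags(SAMPLE_PHISH))
    print(red_flags(SAMPLE_BENIGN))
```

None of these checks depends on the sending domain or the link target being illegitimate, which matters here because the invitation is genuinely sent through Gmail and hosted on Google Calendar.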