Usually the email comes from a known account and have an attachment image resembling a PDF file.
If the user clicks on the attached image, a new window will be opened asking for the user to login using his Gmail account.
The address bar says “account.gmail.com” so it looks legit, but the address begins with “data: text/html” and points to a fake login page.
If you insert your login details the hackers steal your account.