One tip-off you’re being targeted for an attack? If you receive a fake “unexpected sign-in attempt” notice that says an attempt was made to login to your account from “The Iran.” The alert could come from a text or, in Hakakian’s case, an email.

This email is sent by the hacker, not Google. But Google will eventually send an authentic verification code to your phone—and intercepted by hackers in the process, giving them access to your account.

“For this attack to work, the attackers must actively monitor the phishing page. Once the target enters their password into the phishing site the attackers likely use the credential to attempt to log in to GMail. The attacker’s login attempt then triggers the sending of a code from real Google to the target,” the report states. “They then wait for the target to enter the 2FA code from Google.”

Another version of the attack includes a phone call and an interview request from an English or Farsi-speaker who claims to be from the news agency Reuters.