The latest phishing for gmail is sending a scanned pdf, calling it a 'uri' instead of a 'url'. See if you can spot the difference! :) This puts up a really good Google login screen which is instantly sent away.
If you use gmail before you have your coffee, then this will get you. The only way to combat it is to use 2 factor authorization, since they can't know you have it. If they did know, then they would just set up another phoney screen.
Then the next step is to use a security key, but you really don't have to. Google now allows the equivalent of a security key by setting up one on your phone. Then you are just prompted if you are signing in on another computer, and you press 'yes'. This is all encrypted and is impossible to spoof. Do this today. :)