Hackers take a hands-on approach to lock owners out of their accounts and use them to phish their contacts.
Google has published a study warning users about "manual hijacking", in which a hacker targets a single victim’s account.
According to the search engine, such attacks affect only about nine accounts per million users, but when they succeed they can lead to money being stolen from the victim.
Elie Bursztein, anti-abuse research lead at Google, said: "Manual hijackers often get into accounts through phishing: sending deceptive messages meant to trick you into handing over your username, password, and other personal info.
"For this study, we analysed several sources of phishing messages and websites, observing both how hijackers operate and what sensitive information they seek out once they gain control of an account."
The most convincing phishing sites extracted credentials from as many as 45% of the users who visited them; across all the pages studied, users submitted their credentials 14% of the time on average.
In about a fifth of cases the hijacker logged into the account within half an hour of obtaining the login details, and once inside typically spent more than 20 minutes searching the account for other sensitive data and locking the legitimate owner out (for example by changing the password).
"Hijackers then send phishing emails from the victim’s account to everyone in his or her address book," Bursztein added. "Since your friends and family think the email comes from you, these emails can be very effective."
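The sequence described above (a login from an unfamiliar source, the owner locked out within the half-hour window, then the account mass-mailing its contacts) is something a defender can look for in authentication and mail logs. The following is an added example written for this article, not code from Google's study: the log format, the `new_device` flag, the 30-minute window taken from the figures above and the 50-recipient threshold are all assumptions, and the log lines are constructed.

```python
"""Flag account sessions matching the manual-hijacking pattern in the article:
a login from an unfamiliar device, then within 30 minutes the owner is locked
out (password or recovery details changed) and the account mass-mails its
contacts.  Log format, field names and thresholds are assumed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # article: access within half an hour, 20+ minutes inside
MASS_MAIL_THRESHOLD = 50         # assumed: legitimate users rarely mail 50+ contacts at once
LOCKOUT_KINDS = {"password_change", "recovery_change"}

# Constructed sample log (not real data).  Assumed format:
#   <ISO timestamp> <account> <event> [key=value ...]
SAMPLE_LOG = """\
2014-11-06T08:00:00 alice login src=198.51.100.5 new_device=0
2014-11-06T08:03:00 alice send_mail recipients=2
2014-11-06T09:10:00 bob login src=203.0.113.9 new_device=1
2014-11-06T09:14:00 bob send_mail recipients=3
2014-11-06T10:00:00 alice login src=192.0.2.44 new_device=1
2014-11-06T10:04:00 alice password_change
2014-11-06T10:06:00 alice recovery_change
2014-11-06T10:18:00 alice send_mail recipients=180
2014-11-06T11:00:00 carol password_change
2014-11-06T11:02:00 carol send_mail recipients=1
"""


def parse_line(line):
    """Parse one log line into a dict; key=value fields are kept as strings."""
    ts, account, kind, *fields = line.split()
    ev = {"ts": datetime.fromisoformat(ts), "account": account, "kind": kind}
    for field in fields:
        key, _, value = field.partition("=")
        ev[key] = value
    return ev


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_hijack_sessions(events, window=WINDOW, mail_threshold=MASS_MAIL_THRESHOLD):
    """Return one alert per suspicious session.

    Anchor: a login with new_device=1.  Indicators observed on the same
    account within `window` after that login:
      - "lockout":   a password or recovery-option change
      - "mass_mail": send_mail events totalling >= mail_threshold recipients
    A session is reported only if at least one indicator is present, so a
    plain new-device login (e.g. the owner travelling) does not alert.
    """
    by_account = defaultdict(list)
    for ev in events:
        by_account[ev["account"]].append(ev)

    alerts = []
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(evs):
            if ev["kind"] != "login" or ev.get("new_device") != "1":
                continue
            deadline = ev["ts"] + window
            indicators = set()
            recipients = 0
            for later in evs[i + 1:]:
                if later["ts"] > deadline:
                    break  # events are sorted, nothing later is in the window
                if later["kind"] in LOCKOUT_KINDS:
                    indicators.add("lockout")
                elif later["kind"] == "send_mail":
                    recipients += int(later.get("recipients", 0))
            if recipients >= mail_threshold:
                indicators.add("mass_mail")
            if indicators:
                alerts.append({
                    "account": account,
                    "login_ts": ev["ts"].isoformat(),
                    "src": ev.get("src", ""),
                    "indicators": sorted(indicators),
                    "recipients": recipients,
                })
    return alerts


def detect(log_text=SAMPLE_LOG):
    return find_hijack_sessions(parse_log(log_text))


if __name__ == "__main__":
    for alert in detect():
        print(alert)
```

On the constructed log only alice's second session alerts, with both indicators: bob's new-device login sends mail to three people and changes nothing, and carol's password change has no unfamiliar login in front of it, so neither is reported. The window is the lever to tune; a lockout more than 30 minutes after the login is deliberately ignored here, which is the trade-off between catching slower attackers and alerting on every traveller who changes a password. This is detection after the fact; the two-factor authentication and recovery options the article goes on to recommend are the controls that stop the hijack in the first place.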
He warned users to be suspicious of messages asking for personal data, to turn on two-factor authentication so that a password alone is not enough to log in, and to keep account-recovery options (such as a recovery phone number or alternate email address) up to date so that a hijacked account can be reclaimed.