Google will never tell you this, but another technique that works well is to avoid webmail. My email login flow never, under any circumstance, involves entering a password into a browser. Ergo, if a web page requests my email password, it is not legitimate.
Even if you use native clients to read email, you can still be phished.
And if you hook your phone number to your google account, you can be worse than phished. https://medium.com/coinmonks/the-most-expensive-lesson-of-my-life-details-of-sim-port-hack-35de11517124