An excerpt from the Gmail Blog:
“We use https to protect your password every time you log into Gmail, but we don’t use https once you’re in your mail unless you ask for it (by visiting https://mail.google.com rather than http://mail.google.com). Why not? Because the downside is that https can make your mail slower. Your computer has to do extra work to decrypt all that data, and encrypted data doesn’t travel across the internet as efficiently as unencrypted data. That’s why we leave the choice up to you.”
In other words, HTTPS protects only the Gmail login. Once you are in your mail, the connection falls back to plain HTTP, so the rest of your browser session travels unencrypted unless you ask otherwise. To keep the session encrypted every time you are in your mail, do the following:
Once you are in your mail, go to Settings -> General -> Browser connection and select "Always use https". See this pic:
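Why the login-only HTTPS described above still leaves the session exposed can be seen from the cookie rules browsers follow: a session cookie issued during the HTTPS login is attached to every later request for the same host, plain-HTTP ones included, unless it carries the Secure attribute. The script below is an added example, not code from the Gmail blog; the Set-Cookie headers and cookie names are constructed placeholders, and path matching is omitted for brevity.

```python
from urllib.parse import urlsplit

# Constructed Set-Cookie headers as a login response might send them
# (placeholder names and values, not captured from any real service).
LOGIN_HEADERS_WEAK = [
    "SESSION=session-token-placeholder; Domain=.example.com; Path=/; HttpOnly",
    "PREF=ui-preferences; Domain=.example.com; Path=/",
]
# The same cookies with the Secure attribute, which an always-HTTPS setup needs.
LOGIN_HEADERS_SECURE = [
    "SESSION=session-token-placeholder; Domain=.example.com; Path=/; HttpOnly; Secure",
    "PREF=ui-preferences; Domain=.example.com; Path=/",
]

def parse_set_cookie(header):
    """Return (name, value, attributes) for one Set-Cookie header."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.lower()] = val or True   # flag attributes such as Secure -> True
    return name, value, attrs

def cookies_sent_to(url, set_cookie_headers):
    """Names of the cookies a browser would attach to a request for `url`."""
    parsed = urlsplit(url)
    host = parsed.hostname or ""
    sent = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        domain = attrs.get("domain", host).lstrip(".")
        if not (host == domain or host.endswith("." + domain)):
            continue  # cookie scoped to another domain
        if attrs.get("secure") and parsed.scheme != "https":
            continue  # Secure cookies are withheld from cleartext requests
        sent.append(name)
    return sent

def cookies_without_secure(set_cookie_headers):
    """Audit helper: cookies that would travel in the clear over plain HTTP."""
    return [parse_set_cookie(h)[0] for h in set_cookie_headers
            if not parse_set_cookie(h)[2].get("secure")]

if __name__ == "__main__":
    print(cookies_sent_to("http://mail.example.com/mail/", LOGIN_HEADERS_WEAK))
    print(cookies_sent_to("http://mail.example.com/mail/", LOGIN_HEADERS_SECURE))
```

With the weak headers the session cookie rides along on the plain-HTTP mail request; with the Secure attribute only the harmless preference cookie does.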
Common defenses:
Don’t click on any link that you are not confident of.
Don’t accept any file in chat sessions unless you are confident of the sender.