Don't Trust Gmail's Blue Checkmarks Because Some Hackers Might Abuse Them
Gmail is the most popular email service in the world, thanks to a variety of features and security improvements that Google delivered over the years. On the latter, Google does a tremendous job at trying to catch email spam automatically and reduce the risk of hackers taking advantage of users. To that end, Google recently introduced a new blue checkmark security feature that's similar to Twitter Blue.
The blue indicator should appear next to email coming from genuine companies. It should bring peace of mind to Gmail users and increase their security further. But you shouldn't trust the Gmail blue checkmarks yet. It turns out there's a big security flaw that hackers are exploiting right now. They found a way to fool Gmail's security system, and this will increase the risk of phishing attacks.
Google will fix the security flaw, but it might take time for the patch to roll out.
Google introduced the Gmail blue checkmark in early May, and you might have seen it in emails from the companies you're dealing with online frequently. The checkmark is built on Google's Brand Indicators for Message Identification (BIMI). This feature "requires senders to use strong authentication and verify their brand logo in order to display a brand logo as an avatar in emails."
The blue logo should "help users identify messages from legitimate senders versus impersonators."
But researcher Chris Plummer discovered that hackers can abuse the feature. As a result, fraudulent emails featuring a company's official logo and the Gmail blue checkmark might hit your inbox. Like this one:
There is most certainly a bug in Gmail being exploited by scammers to pull this off, so I submitted a bug which @google lazily closed as "won't fix – intended behavior". How is a scammer impersonating @UPS in such a convincing way "intended". pic.twitter.com/soMq7KraHm
— it's Chris Plummer (@chrisplummer) June 1, 2023
It looks like a genuine email from UPS. But it's not. A look at the domain name following the "@" symbol should make you question it. Furthermore, if the suspicious UPS email asks you for personal information to deliver a package, you shouldn't provide it.
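The check the article recommends here (and repeats at the end), looking past the logo at the domain after the "@", can be done from the message headers rather than by eye. The script below is an added example written for this page; it is not code from the article, from Chris Plummer or from Google, and the two messages it parses are constructed, with brand.example, example.org and relay.example.net as placeholder domains. It takes the domain from the From: header and compares it with the domains that the receiving server's Authentication-Results header reports as having passed SPF or DKIM. That alignment is what DMARC checks and what BIMI's "strong authentication" requirement rests on, so a visible checkmark adds nothing the headers do not already say; a From: domain that neither SPF nor DKIM authenticated is the "fishy" case.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample 1: the visible From: claims brand.example, but the only
# SPF pass is for an unrelated relay domain and no DKIM signature exists.
# All header values are invented for illustration.
SAMPLE_UNALIGNED = """\
Authentication-Results: mx.example.com;
       dkim=none;
       spf=pass (sender IP is 198.51.100.7) smtp.mailfrom=relay.example.net;
       dmarc=fail (p=REJECT) header.from=brand.example
From: Brand Delivery <noreply@brand.example>
To: victim@example.com
Subject: Your package is on hold

Please confirm your details.
"""

# Constructed sample 2: SPF and DKIM both pass for the same organisation
# that appears in From:, which is what a legitimate BIMI sender looks like.
SAMPLE_ALIGNED = """\
Authentication-Results: mx.example.com;
       dkim=pass header.i=@example.org header.d=example.org;
       spf=pass smtp.mailfrom=bounce.example.org;
       dmarc=pass (p=REJECT) header.from=example.org
From: Example Corp <news@example.org>
To: victim@example.com
Subject: Newsletter

Hello.
"""


def parse_auth_results(value):
    """Return {method: (verdict, domain)} for spf/dkim/dmarc clauses.

    Simplified RFC 8601 parsing: clauses are split on ';' and comments in
    parentheses are assumed not to contain semicolons.
    """
    results = {}
    for clause in value.split(";"):
        clause = clause.strip()
        m = re.match(r"(spf|dkim|dmarc)=(\w+)", clause, re.I)
        if not m:
            continue  # authserv-id or a method we do not evaluate
        method, verdict = m.group(1).lower(), m.group(2).lower()
        dom = re.search(
            r"(?:smtp\.mailfrom|header\.d|header\.from)=(?:[^@\s]*@)?([^\s;]+)",
            clause, re.I)
        results[method] = (verdict, dom.group(1).lower() if dom else None)
    return results


def org_domain(domain):
    """Organisational domain used for relaxed alignment.

    Simplification: keep the last two labels. Real DMARC consults the
    Public Suffix List (so that example.co.uk is handled), omitted here.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def from_domain(msg):
    """Domain after the '@' in the address the user actually sees."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def assess(raw):
    """Decide whether the From: domain was authenticated by SPF or DKIM."""
    msg = email.message_from_string(raw, policy=policy.default)
    hdr_from = from_domain(msg)
    auth_value = re.sub(r"\s+", " ", str(msg.get("Authentication-Results", "")))
    auth = parse_auth_results(auth_value)

    def aligned(method):
        verdict, dom = auth.get(method, ("none", None))
        return (verdict == "pass" and dom is not None
                and org_domain(dom) == org_domain(hdr_from))

    spf_aligned, dkim_aligned = aligned("spf"), aligned("dkim")
    return {
        "from_domain": hdr_from,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc_reported": auth.get("dmarc", ("none", None))[0],
        # The only basis for trusting the visible sender: an aligned pass.
        "trust_sender": spf_aligned or dkim_aligned,
    }


if __name__ == "__main__":
    for name, raw in (("unaligned", SAMPLE_UNALIGNED), ("aligned", SAMPLE_ALIGNED)):
        print(name, assess(raw))
```

Gmail exposes the raw headers through "Show original"; pasting them into `assess` is enough. Note that an SPF pass on its own proves only that the relaying server was allowed to send for the bounce domain, which may have nothing to do with the brand shown in From:, so the verdict here is built on alignment, not on any single "pass".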
Hackers might want to steal information like your address, birth date, and social security number. In turn, they might use this information for other nefarious activities resulting in additional harm.
Plummer contacted Google to detail the security issue, but the company initially dismissed his concerns.
The sender found a way to dupe @gmail's authoritative stamp of approval, which end users are going to trust. This message went from a Facebook account, to a UK netblock, to O365, to me. Nothing about this is legit. Google just doesn't want to deal with this report honestly.
— it's Chris Plummer (@chrisplummer) June 1, 2023
Thankfully, Google changed its mind. The Gmail blue checkmark security issue is now a severe, high-priority bug that Google will patch.
Here's Google's updated answer to Plummer:
After taking a closer look we realized that this indeed doesn't seem like a generic SPF vulnerability. Thus we are reopening this and the appropriate team is taking a closer look at what is going on.
We apologize again for the confusion and we understand our initial response might have been frustrating, thank you so much for pressing on for us to take a closer look at this!
It's unclear how long it'll take for Google to repair this particular bug. Until then, you shouldn't trust those blue checkmarks that appear in Gmail. Maybe not even after that. Just keep checking that the sender's address doesn't look fishy. And continue to never offer personal information over email. Also, you should contact a company's customer care and see if the email you've just received is genuine.
Finally, while you're using Gmail, you should go through Google's privacy and security checkups.