When Gmail rolled out blue checkmarks last month, the move was framed as an extra level of security, allowing users to easily identify emails from legitimate sources.
However, it seems that some scammers are able to easily spoof accounts, and display the blue checkmark themselves, according to security experts who have raised the alarm. Email threats are nothing new, but this is a new slant that we haven't seen before.
Despite a slow start in taking the threat seriously, Google has now promised to take action, in the shape of a future patch.
Gmail’s New ‘Security’ Feature, BIMI
As the California-based company explained on its Google Workspace Updates blog in May, Google introduced BIMI (Brand Indicators for Message Identification), a system whereby companies can verify their brand identity and logo.
“Users will now see a checkmark icon for senders that have adopted BIMI. This will help users identify messages from legitimate senders versus impersonators,” the company explained in its blog.
It's a move that apes Twitter's checkmark of old, although ironically the legitimacy of Elon Musk's tick has been called into question recently, given the numerous changes it has been through, and the fact that anyone can just buy one these days.
Google's checkmark was hailed as a welcome move that protected organisations, their admins and end users alike, but it seems that this feature – rolled out fully last month – is open to hackers, according to security experts.
Gmail Checkmark Used by Scammers
The cybersecurity loophole was first noticed by Twitter user and infosec professional Chris Plummer (@chrisplummer), who reported a “bug” (it was actually a scammer impersonating UPS) to Google. However, according to Plummer, Google did not take the threat seriously when he alerted them.
It seems that although the checkmark is intended to identify legitimate businesses, some scammers have been able to spoof company email addresses, and display the checkmark themselves, tricking users into thinking a scam email is the real deal.
Whether this is a bug that needs to be run through the troubleshooting team, or an actual quirk of the BIMI offering, remains unclear. Once Plummer’s tweet was picked up by major news outlets and finance and tech blogs, Google finally got wind of it, and its generic response to his complaint turned into a fawning thank-you reply. The latest update, according to reporting by Fortune, is that Google is making this fix a priority and will be issuing a patch for it shortly.
Penetration testing and cybersecurity pro Jonathan Rudenburg goes into detail about how the bug worked in hackers’ favour in the first place – and has this to say about Google’s disastrous new blue check mark: “BIMI is worse than the status quo, as it enables super-powered phishing based on a single misconfiguration in the extremely complicated and fragile stack that is email.”
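To make the "single misconfiguration" point concrete from the defender's side, here is an added example (not from the article or from Google) that audits the DNS records BIMI depends on: the mark is only displayed behind an enforcing DMARC policy and, in Gmail, a Verified Mark Certificate, so anything that passes SPF or DKIM alignment for the brand's domain inherits the checkmark. The domains and records are constructed for the example; the article does not say which misconfiguration was involved in the UPS case.

```python
# Constructed sample DNS TXT records for two hypothetical domains (not from the article).
SAMPLE_RECORDS = {
    # Well configured: enforcing DMARC, BIMI record with a VMC, strict SPF.
    "_dmarc.good-brand.test": "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@good-brand.test",
    "default._bimi.good-brand.test": "v=BIMI1; l=https://good-brand.test/logo.svg; a=https://good-brand.test/vmc.pem",
    "good-brand.test": "v=spf1 ip4:192.0.2.0/24 -all",
    # Weakly configured: monitoring-only DMARC, no VMC, SPF that lets any host pass.
    "_dmarc.weak-brand.test": "v=DMARC1; p=none; rua=mailto:dmarc@weak-brand.test",
    "default._bimi.weak-brand.test": "v=BIMI1; l=https://weak-brand.test/logo.svg",
    "weak-brand.test": "v=spf1 include:_spf.shared-mailer.test include:_spf.other-saas.test +all",
}

def parse_tags(txt):
    """Parse a 'k=v; k=v' record (DMARC and BIMI syntax) into a lower-cased tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_enforcing(dmarc):
    """BIMI requires an enforcing DMARC policy: p=reject, or p=quarantine at pct=100."""
    policy = dmarc.get("p", "none").lower()
    return policy == "reject" or (policy == "quarantine" and int(dmarc.get("pct", "100")) == 100)

def audit_bimi(records, domain):
    """Return (mark_would_show, findings): blocking problems first, then warnings."""
    blocking, warnings = [], []
    dmarc = parse_tags(records.get(f"_dmarc.{domain}", ""))
    bimi = parse_tags(records.get(f"default._bimi.{domain}", ""))
    spf_tokens = records.get(domain, "").lower().split()
    if dmarc.get("v") != "DMARC1":
        blocking.append("no DMARC record")
    elif not dmarc_enforcing(dmarc):
        blocking.append(f"DMARC policy p={dmarc.get('p', 'none')} is not enforcing")
    if bimi.get("v") != "BIMI1":
        blocking.append("no BIMI record")
    elif "a" not in bimi:
        blocking.append("BIMI record has no Verified Mark Certificate (a= tag), which Gmail requires")
    # The mark is gated on DMARC alone, so any message that passes SPF or DKIM alignment
    # for this domain inherits it; permissive SPF widens the set of hosts that can do so.
    if spf_tokens and spf_tokens[-1] in ("+all", "?all"):
        warnings.append("SPF ends in +all/?all: any host passes SPF for this domain")
    includes = [t for t in spf_tokens if t.startswith("include:")]
    if includes:
        warnings.append("SPF delegates to shared sender infrastructure: " + ", ".join(includes))
    return not blocking, blocking + warnings
```

Run `audit_bimi(SAMPLE_RECORDS, "weak-brand.test")` to see the mark withheld and every weakness listed; a real audit would replace `SAMPLE_RECORDS` with live TXT lookups.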
For now, it’s safe to say that the safest way to interact with Gmail accounts is to not trust anything that comes through with that little blue emblem.
If you're looking for an extra layer of protection when it comes to email, antivirus software is able to spot and isolate potentially dangerous messages and their attachments.