Gmail Security Checkmark Is Being Spoofed by Scammers

Google's new blue checkmark can be easily abused by scammers, according to security experts.

When Gmail rolled out blue checkmarks last month, the move was framed as an extra level of security, allowing users to easily identify emails from legitimate sources.

However, security experts have raised the alarm: some scammers are able to spoof accounts and display the blue checkmark themselves. Email threats are nothing new, but this is a twist we haven't seen before.

Despite a slow start in taking the threat seriously, Google has now promised to take action, in the shape of a future patch.

Gmail’s New ‘Security’ Feature, BIMI

As the California-based company explained on its Google Workspace Updates blog in May, Google introduced BIMI (Brand Indicators for Message Identification), a system whereby companies can verify their brand identity and logo.

“Users will now see a checkmark icon for senders that have adopted BIMI. This will help users identify messages from legitimate senders versus impersonators,” the company explained in its blog.


It’s a move that apes Twitter’s checkmark of old, although ironically the legitimacy of Elon Musk’s tick has been called into question recently, given the numerous changes it has been through, and the fact that anyone can just buy one these days.

Google’s checkmark was hailed as a welcome move that protected organisations, their admins and end users alike, but it seems that this feature, rolled out fully last month, is open to hackers, according to security experts.

Gmail Checkmark Used by Scammers

The cybersecurity loophole was first noticed by infosec professional Chris Plummer (@chrisplummer) on Twitter, who reported to Google a “bug” that was in fact a scammer impersonating UPS while displaying the checkmark. However, according to Plummer, Google did not take the threat seriously when he alerted them.

It seems that although the checkmark is intended to identify legitimate businesses, some scammers have been able to spoof company email addresses, and display the checkmark themselves, tricking users into thinking a scam email is the real deal.

Whether this is a bug that needs to go through the troubleshooting team, or an actual quirk of the BIMI offering, remains unclear. Once Plummer’s tweet was picked up by major news outlets and finance and tech blogs, Google finally took notice, and its generic response to his complaint turned into a fawning thank-you reply. The latest update, according to reporting by Fortune, is that Google is making this fix a priority and will be issuing a patch shortly.

Penetration testing and cybersecurity pro Jonathan Rudenberg goes into the detail of how the bug worked in scammers’ favour in the first place, and has this to say about Google’s disastrous new blue checkmark: “BIMI is worse than the status quo, as it enables super-powered phishing based on a single misconfiguration in the extremely complicated and fragile stack that is email.”
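What the checkmark actually attests to is worth spelling out, both for the BIMI description above and for Rudenberg's point about a single misconfiguration. A BIMI logo is only eligible when the sending domain publishes a BIMI assertion record and an enforced DMARC policy; Gmail additionally requires a Verified Mark Certificate. Once eligible, the mark is shown per message whenever DMARC passes, and DMARC passes if either aligned SPF or aligned DKIM passes, so the emblem inherits every weakness of that authentication chain rather than proving who the sender is. The checker below is an added example, not code from the article or from Google: it runs offline against constructed DNS answers (no real domains are queried, and the records are invented for illustration) and reports why a domain is or is not eligible for the mark.

```python
"""Offline check of the DNS prerequisites behind a BIMI logo/checkmark.

Added example, not code from the article or from Google. DNS answers are
constructed inline (no network access); record names and tag semantics
follow the public BIMI and DMARC specifications.
"""

# Constructed DNS TXT answers, keyed by the name a verifier would query.
CONSTRUCTED_DNS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com",
    "default._bimi.example.com": "v=BIMI1; l=https://example.com/brand.svg; a=https://example.com/vmc.pem",
    # Logo published, but DMARC is monitor-only: no checkmark should appear.
    "_dmarc.monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "default._bimi.monitor.example": "v=BIMI1; l=https://monitor.example/brand.svg;",
    # Enforced policy but applied to only half of mail, and no VMC.
    "_dmarc.partial.example": "v=DMARC1; p=quarantine; pct=50",
    "default._bimi.partial.example": "v=BIMI1; l=https://partial.example/brand.svg;",
}


def parse_tags(txt: str) -> dict:
    """Split a 'k=v; k=v' TXT record into a dict; keys are lower-cased."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def bimi_checkmark_status(domain: str, dns=CONSTRUCTED_DNS) -> dict:
    """Return whether a BIMI logo/checkmark is eligible for `domain` and why.

    Mirrors the published prerequisites: a BIMI assertion record at
    default._bimi.<domain>, and a DMARC policy of quarantine or reject
    applied to 100% of mail (a subdomain policy, if present, must not be
    none). Gmail additionally requires a Verified Mark Certificate (the a=
    tag), so its absence is reported as well. This is a DNS-level check
    only: it says nothing about whether any individual message passed
    SPF/DKIM alignment, which is what the per-message mark depends on.
    """
    reasons = []
    dmarc_txt = dns.get(f"_dmarc.{domain}")
    bimi_txt = dns.get(f"default._bimi.{domain}")

    if not dmarc_txt:
        reasons.append("no DMARC record")
    else:
        dmarc = parse_tags(dmarc_txt)
        if dmarc.get("v") != "DMARC1":
            reasons.append("malformed DMARC record")
        if dmarc.get("p") not in ("quarantine", "reject"):
            reasons.append(f"DMARC policy is p={dmarc.get('p', 'missing')}, not enforced")
        if dmarc.get("pct", "100") != "100":
            reasons.append(f"DMARC applies to only pct={dmarc['pct']} of mail")
        if dmarc.get("sp") == "none":
            reasons.append("subdomain policy sp=none")

    if not bimi_txt:
        reasons.append("no BIMI assertion record")
    else:
        bimi = parse_tags(bimi_txt)
        if bimi.get("v") != "BIMI1":
            reasons.append("malformed BIMI record")
        if not bimi.get("l"):
            reasons.append("BIMI record has no logo (l=) location")
        if not bimi.get("a"):
            reasons.append("no Verified Mark Certificate (a=), which Gmail requires")

    return {"domain": domain, "eligible": not reasons, "reasons": reasons}


if __name__ == "__main__":
    for name in ("example.com", "monitor.example", "partial.example"):
        print(bimi_checkmark_status(name))
```

Pointing the `dns` parameter at a real resolver is a one-line change for anyone auditing their own domains; the value of the offline version is in making explicit that the mark is a property of published DNS policy plus a DMARC pass, nothing more.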

For now, the safest way to interact with Gmail accounts is not to trust anything that comes through with that little blue emblem.

If you’re looking for an extra layer of protection when it comes to email, antivirus software is able to spot and isolate potentially dangerous messages and their attachments.


Written by:
Originally from Los Angeles, Sarah has lived and worked in four countries, and now calls sunny Manchester (the UK one, not the US one) home. Since her post-grad with the NCTJ in Journalism she's written for national and trade titles across the world, covering everything from construction and hospitality to tech and travel. Her special interest areas are AI and automation, cybersecurity, quantum computing and cats.