Gmail Security Checkmark is Being Spoofed by Scammers – Tech.co


It’s a move that apes Twitter’s checkmark of old, although ironically the legitimacy of Elon Musk’s tick has been called into question recently, given the numerous changes it has been through, and the fact that anyone can just buy one these days.

Google’s checkmark was hailed as a welcome move that protected organisations and their admins as well as end users, but it seems that this feature – rolled out fully last month – can be abused by hackers, according to security experts.

Gmail Checkmark Used by Scammers

The cybersecurity loophole was first noticed by Twitter user and infosec professional Chris Plummer (@chrisplummer), who reported a “bug” (it was actually a scammer impersonating UPS) to Google. However, according to Plummer, Google did not take the threat seriously when he alerted them.

It seems that although the checkmark is intended to identify legitimate businesses, some scammers have been able to spoof company email addresses, and display the checkmark themselves, tricking users into thinking a scam email is the real deal.

Whether this is a bug in Google’s implementation that needs to be run through the troubleshooting team, or an inherent quirk of the BIMI offering, remains unclear. Once Plummer’s tweet was picked up by major news corps and finance and tech blogs, Google finally got wind of it, and its generic response to his complaint turned into a fawning thank-you reply. The latest update, according to reporting by Fortune, is that Google is making this fix a priority and will be issuing a patch for it shortly.

Penetration testing and cybersecurity pro Jonathan Rudenburg goes into the detail of how the bug worked in hackers’ favour in the first place – and has this to say about Google’s disastrous new blue check mark: “BIMI is worse than the status quo, as it enables super-powered phishing based on a single misconfiguration in the extremely complicated and fragile stack that is email.”
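BIMI sits on top of DMARC, and the “single misconfiguration” Rudenburg refers to is a reminder that the whole scheme is only as good as the policy records and the checks made against them. As an added illustration (not code from the article, from Google, or from Rudenburg), here is a small Python audit of DMARC TXT records against the enforcement rule BIMI is commonly documented as requiring. It assumes that rule (treated here as an assumption): the policy must be quarantine or reject, a quarantine policy must cover 100% of mail (pct=100), and an explicit sp=none subdomain policy disqualifies the domain. The record strings and domain names are constructed samples, not any real organisation’s DNS.

```python
# Added example: a checker for the DMARC policy requirements that BIMI
# (Brand Indicators for Message Identification) builds on. Illustrative
# code only, not Google's or any BIMI implementation.
# Assumed eligibility rule (stated as an assumption, not taken from the
# article): p must be quarantine or reject; if quarantine, pct must be
# 100; sp, when present, must not be none.

from typing import Dict, List

# Constructed sample DMARC TXT records for hypothetical domains.
SAMPLE_RECORDS: Dict[str, str] = {
    "enforcing.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforcing.example",
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@partial.example",
    "weak-subdomains.example": "v=DMARC1; p=reject; sp=none",
    "not-dmarc.example": "v=spf1 include:_spf.example -all",
}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record into lower-cased tag -> value pairs."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def bimi_policy_issues(record: str) -> List[str]:
    """Return the reasons this record fails the assumed BIMI enforcement rule."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC1 record"]
    issues: List[str] = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        issues.append(f"p={policy or '<missing>'}: policy must be quarantine or reject")
    if policy == "quarantine":
        # DMARC defaults pct to 100 when the tag is absent.
        pct = tags.get("pct", "100")
        if not pct.isdigit() or int(pct) != 100:
            issues.append(f"pct={pct}: quarantine must apply to 100% of mail")
    sub_policy = tags.get("sp")
    if sub_policy is not None and sub_policy.lower() == "none":
        issues.append("sp=none: subdomains remain unenforced")
    return issues


def audit(records: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit domain -> DMARC record pairs; an empty list means the record passes."""
    return {domain: bimi_policy_issues(rec) for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, issues in audit(SAMPLE_RECORDS).items():
        status = "passes" if not issues else "; ".join(issues)
        print(f"{domain}: {status}")
```

Passing this check is only a necessary condition for the checkmark, not evidence that a given message is genuine: the article’s point is that the emblem was displayed on mail the impersonated company never sent, so the policy on the domain is one half of the picture and the receiver’s evaluation of each message is the other.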

For now, the most cautious way to interact with Gmail accounts is to not treat that little blue emblem as proof of anything.

If you’re looking for an extra layer of protection when it comes to email, antivirus software is able to spot and isolate potentially dangerous messages and their attachments.
