Gmail’s blue checkmarks are widely abused by scammers

You can now get a blue check mark on Gmail to prevent fake mail. Although it is purely intended to keep scammers out, it appears that the blue tick has been used by these malicious internet users since day one.

Gmail

The idea was that you could recognize an e-mail with a blue checkmark as an ‘official’ e-mail, a real one, but it now appears that it actually doesn’t work at all. Scammers have long since figured out how to fool you. The idea was that companies used that check mark to show that it was an official marketing email from that company, such as a newsletter, but it turns out that you cannot assume that at all.

A cybersecurity specialist from Dartmouth Health says you can just fake that fancy badge. Those emails apparently do not go through the Brand Indicators for Message Identification system (BIMI) or the Domain-based Message Authentication, Reporting and Conformance (DMARC), because those are the official ways to get this logo (with another Verified Mark Certificate on top). How they managed that, the expert does not share, and that’s a good thing: it has already remained unreliable, but if everyone gets the keys to the kingdom, the end is completely lost.

=https://twitter.com/chrisplummer/status/1664075886545575941″ data-service=”twitter”>

Related articles

Fake badges

For example, there is already an email in which the UPS logo and domain (UPS.com) is used to create fake emails. Of course from a courier service or postal service, because that is what many people seem to fall for. Although you would think that Google finds this extremely annoying, the bug report of the expert was initially regarded as: ‘this is how it should work’, fortunately Google has now reopened the ‘case’. What that means, however, is somewhat vague: is it working on a fix? Is there a solution? Let alone that there is a deadline by which it must be remedied.

Fortunately, Google has said something more by now. It would be due to a weakness in a third party and therefore senders must use the DKIM (DomainKeys Identified Mail) standard to get the blue badge. This is a new requirement rolling out at the end of this week. So it is not so much a solution to the old problem, but a new way to make the blue badges okay.

Have you ever been bothered by unofficial emails with blue badges? Leave it now in the comments.