What you need to know
- A cybersecurity engineer discovered a scammer posing as the official UPS email account for package information.
- Google initially closed the bug report as intended behavior, then reopened it, apologized, and said it would investigate.
- Gmail's blue verification checkmarks were introduced so users can tell that a message really comes from the brand it claims to, without having to second-guess scammers.
A feature introduced to help users weed out fraudulent senders is turning into a problem of its own, as scammers have found a way to dupe Gmail's new verification system. Cybersecurity engineer Chris Plummer posted an alarming discovery on Twitter: a scammer posing as the official UPS email account, complete with the verified checkmark (via Android Police).
Plummer explained the email they received went from "a Facebook account, to a UK netblock, to O365, to me."
"Nothing about this is legit," Plummer stated. "Google just doesn't want to deal with this report honestly." After Plummer reported the obvious spoof of the verification mark to Google, the Mountain View company closed the report as no problem at all, with a response that read "won't fix - intended behavior."
There is most certainly a bug in Gmail being exploited by scammers to pull this off, so I submitted a bug which @google lazily closed as "won't fix - intended behavior". How is a scammer impersonating @UPS in such a convincing way "intended". pic.twitter.com/soMq7KraHm (June 1, 2023)
After the tweet went up and quickly gained traction, Google replied to Plummer again. The Google Security Team stated, "After taking a closer look we realized this indeed doesn't seem like a generic SPF vulnerability. Thus we are reopening this and the appropriate team is taking a closer look at what is going on."
The run-around is hard to justify, because the two senders do not even look alike: the genuine UPS email Plummer received for the package came from "firstname.lastname@example.org", while the spoofed one came from "rvrERch5@kelerymjrlnra.ups.com", and it was the latter that carried the verification mark.
Hopefully, Google can get this problem under control before it becomes a more worrying issue for users. As previously stated, these verified checkmarks help users weed out what should be trusted and what should be discarded.
Twitter recently went through a similar exercise when it relaunched its Blue subscription service, which brought its own wave of impostor profiles. The company rolled out an "Official" label for accounts that really are who they claim to be, so users can tell an official source from someone who simply bought a blue tick.
Google outlined its own version of blue checkmarks at the beginning of May 2023, stating the marks would identify "legitimate email senders."
The checkmark is based on BIMI (Brand Indicators for Message Identification), an industry standard rather than a Google-specific system: a sender's domain must publish a DMARC policy at enforcement (quarantine or reject) and a BIMI DNS record pointing to its logo, and Gmail additionally requires a Verified Mark Certificate (VMC) that ties that logo to the brand. Personal accounts will not get the mark; a business that has completed this setup will, so that recipients can trust its mail. Trust is exactly what the system is meant to inspire, and wavering the first time something fishy shows up is not a good start. Hopefully Google rectifies the problem soon so users can have the peace of mind the system was designed to give them.
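To make the mechanics concrete, here is an added example (written for this page, not code from Google, UPS or Plummer) of the two checks that sit underneath a BIMI checkmark: DMARC identifier alignment, which decides whether an SPF- or DKIM-authenticated domain counts for the visible From: domain, and the policy test BIMI applies to the DMARC record. It does not reproduce the specific Gmail bug, which the article does not describe. The public-suffix stub, the DMARC records and the "ups.com" MAIL FROM domain paired with the article's spoofed From: domain are all constructed assumptions for illustration.

```python
"""DMARC alignment and BIMI policy check on constructed inputs (added example)."""

# Constructed stand-in for the Public Suffix List. Real code should use the
# full list (e.g. the `publicsuffix2` package); this is an assumption.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "org.uk"}


def normalize(domain: str) -> str:
    """Lower-case and strip a trailing dot so comparisons are textual."""
    return domain.strip().rstrip(".").lower()


def organizational_domain(domain: str) -> str:
    """Registrable domain: the longest matching public suffix plus one label."""
    labels = normalize(domain).split(".")
    for i in range(len(labels)):          # longest suffix is tried first
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES and i > 0:
            return ".".join(labels[i - 1:])
    return normalize(domain)


def aligned(header_from: str, authenticated: str, mode: str) -> bool:
    """RFC 7489 alignment: 's' needs an exact match, 'r' the same organizational domain."""
    f, a = normalize(header_from), normalize(authenticated)
    if mode == "s":
        return f == a
    return organizational_domain(f) == organizational_domain(a)


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into a tag dict, filling RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def dmarc_passes(header_from: str, dmarc: dict, spf_result: str = None,
                 spf_domain: str = None, dkim_result: str = None,
                 dkim_domain: str = None) -> bool:
    """DMARC passes if either authenticated identifier passes AND aligns with From:."""
    spf_ok = (spf_result == "pass" and spf_domain is not None
              and aligned(header_from, spf_domain, dmarc["aspf"]))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(header_from, dkim_domain, dmarc["adkim"]))
    return spf_ok or dkim_ok


def bimi_eligible(dmarc: dict) -> bool:
    """BIMI requires an enforcing policy (quarantine/reject) applied to all mail,
    and an explicit subdomain policy, if any, that is also enforcing."""
    enforcing = ("quarantine", "reject")
    if dmarc["p"] not in enforcing or dmarc["pct"] != "100":
        return False
    return dmarc.get("sp", dmarc["p"]) in enforcing


if __name__ == "__main__":
    # Constructed scenario: the spoofed From: domain quoted in the article,
    # paired with a hypothetical SPF-authenticated MAIL FROM domain of ups.com.
    header_from = "kelerymjrlnra.ups.com"
    spf_domain = "ups.com"
    for label, record in (("relaxed", "v=DMARC1; p=reject; aspf=r; adkim=r"),
                          ("strict", "v=DMARC1; p=reject; aspf=s; adkim=s")):
        dmarc = parse_dmarc(record)
        ok = dmarc_passes(header_from, dmarc, spf_result="pass", spf_domain=spf_domain)
        print(f"{label}: DMARC pass={ok}, enforcing policy for BIMI={bimi_eligible(dmarc)}")
```

Under relaxed alignment (the DMARC default) any subdomain of ups.com aligns with an authenticated ups.com identifier, which is why a record that does not set aspf=s or adkim=s accepts far more From: domains than its owner may expect. Google's later remediation for this report required DKIM, rather than SPF alone, for a sender to qualify for the checkmark.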