Just last month, Google introduced a brand new system aimed at helping its billions of users spot genuine emails from those that are fake. The upgrade, which is a lot that found on Twitter, uses a new blue tick-style system to easily show that emails have come from a verified source and not a scammer trying to fleece their victims.
It makes perfect sense as when a message drops into an inbox, a quick glance shows the account is real and can be instantly trusted. However, it seems this system may not be foolproof and it could actually make spotting scams even harder.
Cyber security engineer Chris Plummer says he has spotted a glitch that allows crooks to trick Gmail into placing a blue tick on fake emails.
He's even posted an image of a forged UPS delivery message that features the verification symbol alongside an official-looking logo. At first glance, it appears that the message about a parcel needing to be delivered is real but dig a little deeper and it's clear that the correspondence hasn't come from the courier company.
Quite how cyber crooks are making this happen remains unclear but Plummer has now submitted his finding to Google. Although the technology giant dismissed it at first, they have now assigned a team to the flaw and have given it a top priority rating.
“After taking a closer look we realized that this indeed doesn't seem like a generic SPF vulnerability," Google said in a message to Plummer.
"Thus we are reopening this and the appropriate team is taking a closer look at what is going on. We apologize again for the confusion and we understand our initial response might have been frustrating, thank you so much for pressing on for us to take a closer look at this!
"We'll keep you posted with our assessment and the direction that this issue takes."
Until more is announced about the glitch, it's definitely worth double-checking all of your emails even if they include that verified symbol as all may not be what it seems.
The blue tick update was made possible via Brand Indicators which were first introduced back in 2021. In a blog post, Google confirmed: "Building upon that feature, users will now see a checkmark icon for senders that have adopted BIMI. This will help users identify messages from legitimate senders versus impersonators.
"Strong email authentication helps users and email security systems identify and stop spam, and also enables senders to leverage their brand trust. This increases confidence in email sources and gives readers an immersive experience, creating a better email ecosystem for everyone."
Clearly, the latest news that this system can be abused is worrying but expect Google to push out updates to make it more secure in the future.
