There’s a new Gmail scam going viral on the Internet, as cybercriminals are taking advantage of the recently introduced sender verification mechanism.
In May 2023, Gmail launched a blue check mark verification system to help users resist common internet scams such as phishing attacks. Companies and organisations can apply to the program to verify their identity, and once the verification process is completed, the blue check mark appears next to the company logo in Gmail. However, the verification mechanism that was introduced to prevent phishing is now being used by the bad actors themselves. On Twitter, cybersecurity engineer Chris Plummer posted an image of a fake email claiming to be officially from UPS. The fraudulent email managed to pass Google’s security checks; however, it is still unknown how the cybercriminal got through them.
Still, the fake email was not difficult to recognize. According to Plummer, the sender address in the header ended in a UPS URL but was otherwise made up mostly of random letters and digits. Yet the blue check verification box that appears when you mouse over the check mark stated that the email was coming from a reliable source. Plummer then submitted a bug report, including the email, after observing a fraudster sending a verified email pretending to be UPS. Google initially denied Plummer’s report, stating that since “this is intended behaviour,” the fault would not be fixed.
There is most certainly a bug in Gmail being exploited by scammers to pull this off, so I submitted a bug which @google lazily closed as “won’t fix – intended behavior”. How is a scammer impersonating @UPS in such a convincing way “intended”?
— plum (@chrisplummer) June 1, 2023
Later, Google made an about-face and emailed Plummer to say that it is currently working on the issue. The email reads:
After taking a closer look we realised that this indeed doesn’t seem like a generic SPF vulnerability. Thus we are reopening this and the appropriate team is taking a closer look at what is going on. We apologise again for the confusion and we understand our initial response might have been frustrating; thank you so much for pressing on for us to take a closer look at this! We’ll keep you posted with our assessment and the direction that this issue takes. Regards, Google Security Team.
How Not to Get Scammed
After Plummer reported the bug, Google classified it as P1, which means it is a top-priority fix; however, we don’t know when the patch will roll out. To protect yourself from phishers, TechRadar has complete guides on how to avoid online phishing. We also recommend double-checking the sender address in the email header: if it includes random letters, symbols, or numbers, something is fishy. Next, check the spelling in the header as well. Some cybercriminals replace certain characters with lookalikes to scam people. For instance, the letter “O” may be swapped for the number “0”, and the capital “I” may be changed to a lowercase “l” (that’s an “L”). These substitutions can be hard to spot in Gmail’s default font.
Be wary of any emails that ask for your bank or financial information, and don’t click on any attachments you don’t recognize.
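The header check described above can be mechanised. The following is an added example (not code from the article, from Google, or from Plummer): it folds the lookalike characters the article names, plus a few other common ones, in the sender domain of a constructed From: header and compares the result against an assumed set of trusted domains, so that an address that only matches after folding is flagged as a lookalike.

```python
import re

# Constructed set of domains the reader expects legitimate mail from
# (an assumption for this example, not a list from the article).
TRUSTED_DOMAINS = {"ups.com", "paypal.com", "microsoft.com"}

# Single-character lookalikes folded to one canonical form. The O/0 and
# I/l swaps the article names become 0->o and i->l after lowercasing.
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "i": "l", "|": "l",
                              "5": "s", "3": "e"})


def fold_lookalikes(text: str) -> str:
    """Lowercase and collapse lookalikes so 'UP5.COM', 'ups.c0m' and
    'ups.com' all fold to the same string ('rn' also folds to 'm')."""
    return text.lower().replace("rn", "m").translate(_CONFUSABLES)


def parse_from_header(header: str):
    """Split a From: value into (display_name, address); address is None
    when the header carries nothing that looks like one."""
    match = re.match(r'^\s*(?:"?([^"<]*)"?\s*)?<([^>]+)>\s*$', header)
    if match:
        name, address = (match.group(1) or "").strip(), match.group(2).strip()
    else:
        name, address = "", header.strip()
    return name, (address if "@" in address else None)


def classify_sender(header: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted' (exact domain match), 'lookalike' (matches only
    after folding confusables), 'name-mismatch' (display name claims a
    trusted brand but the domain does not), 'unknown' or 'invalid'."""
    name, address = parse_from_header(header)
    if address is None:
        return "invalid"
    domain = address.rsplit("@", 1)[1].lower()
    if domain in trusted:
        return "trusted"
    if fold_lookalikes(domain) in {fold_lookalikes(d) for d in trusted}:
        return "lookalike"
    # Brand words are the first label of each trusted domain, folded the
    # same way, compared against whole tokens of the folded display name.
    brands = {fold_lookalikes(d.split(".")[0]) for d in trusted}
    tokens = set(re.findall(r"[a-z0-9]+", fold_lookalikes(name)))
    if brands & tokens:
        return "name-mismatch"
    return "unknown"
```

Only the sender address is inspected; a verified check mark next to a lookalike domain still leaves the address itself as the thing to read.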