
Scammers are now sending phishing emails on Gmail with verified checkmark


Google introduced a blue verified checkmark for Gmail to combat phishing emails and attackers impersonating businesses. However, scammers appear to have found a way around the safety mechanism and are getting the blue verified checkmark displayed on phishing emails.

Early last month, Google introduced a blue verified checkmark on Gmail for organizations and companies that have been verified. The feature uses signals such as Brand Indicators for Message Identification (BIMI), Verified Mark Certificate (VMC), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) to put a blue verified checkmark next to emails from businesses, signaling that they are legitimate.
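A triage sketch for a reported message, showing how to read the authentication verdicts behind the checkmark from its Authentication-Results header. This is an added example, not code from the original article or from Google; the sample headers are constructed, the function names are hypothetical, and the organizational domain is approximated as the last two labels instead of using the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not taken from the reported phishing email).
SAMPLE = """\
Authentication-Results: mx.example.net;
 dkim=pass header.i=@mailer.example.org header.s=s1;
 spf=pass smtp.mailfrom=bounce@brand.example.com;
 dmarc=pass (p=REJECT) header.from=brand.example.com
From: Brand Support <support@brand.example.com>
Subject: Delivery update

body
"""

def org_domain(domain):
    # Assumption: the last two labels stand in for the organizational domain.
    # This is wrong for suffixes such as co.uk; real code needs the PSL.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def auth_summary(raw):
    """Report the DMARC verdict and which aligned mechanism supports it."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Unfold and join every Authentication-Results header on the message.
    results = re.sub(r"\s+", " ", " ".join(msg.get_all("Authentication-Results", [])))

    def verdict(method):
        m = re.search(rf"\b{method}=(\w+)", results)
        return m.group(1).lower() if m else "none"

    # Domains that actually passed DKIM and SPF, as recorded by the receiver.
    dkim_doms = re.findall(
        r"dkim=pass[^;]*?header\.[id]=(?:[^@\s;]*@)?([\w.-]+)", results)
    spf_m = re.search(
        r"spf=pass[^;]*?smtp\.mailfrom=(?:[^@\s;]*@)?([\w.-]+)", results)
    target = org_domain(from_dom)
    return {
        "from_domain": from_dom,
        "dmarc": verdict("dmarc"),
        "dkim_aligned": any(org_domain(d) == target for d in dkim_doms),
        "spf_aligned": bool(spf_m) and org_domain(spf_m.group(1)) == target,
    }

if __name__ == "__main__":
    print(auth_summary(SAMPLE))
```

DMARC passes when either SPF or DKIM passes for a domain aligned with the From address, so the summary shows which of the two the verdict rests on.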

According to cybersecurity engineer Chris Plummer, scammers have been able to bypass Google’s verified checkmark feature and impersonate businesses such as UPS, as shown in the tweet below. For the uninitiated, the screenshot shows the UPS logo along with a notification stating that “kelerymjrlna.ups.com” is a verified email. There is a blue verified checkmark on the email as well.

There is most certainly a bug in Gmail being exploited by scammers to pull this off, so I submitted a bug which @google lazily closed as “won’t fix – intended behavior”. How is a scammer impersonating @UPS in such a convincing way “intended”. pic.twitter.com/soMq7KraHm

— plum (@chrisplummer) June 1, 2023

A verified checkmark on unauthorized emails makes it harder for users to detect phishing attacks. It can open a whole new avenue for scammers to target users who click on emails and links and end up being phished.

However, when the bug was reported, Google tagged it as “won’t fix – intended behavior” and closed it lazily without any further resolution. This means that if more attackers learn of the bug, they will use it to send phishing emails, leading to a catastrophe. It is ironic, given that Google’s blue verified checkmark feature was introduced to end phishing emails.
