The blue checks on Gmail were supposed to stop the scams, but it seems that hackers have already figured out how to exploit them to their advantage. For this, it seems that Google has prepared some new features to improve this feature.
Gmail, blue ticks don’t block scams: changes coming soon
Blue checks have arrived in Gmail for thwart phishing emails and increase customer trust. And they exploit the method BIMI (Brand Indicators for Message Identification)a standard that allows companies to display the own logo next to the “sender” field in verified emails.
To do that though, you need to get one VMC (Verified Mark Certificate), a digital certificate confirming that the logo actually belongs to the company and its domain. A certificate issued by two certificate authorities: DigiCert ed Entrust.
A computer security expert discovered that it is possible to fake these blue checkmarks using an unauthorized logo. This means that scammers could exploit a flaw in Gmail’s verification system to deceive people and steal their personal or financial information.
The expert does not explain how the scammers managed to evade the system, but shows an example of an email, with more details, which used the UPS logo with a domain that contained “ups.com” to simulate a check mark on a clearly fake email.
To repair, Google will require senders to use DomainKeys Identified Mail (DKIM) authentication standard to get the blue checkmarks. This new requirement will go live by the end of this week.