Don’t Get Scammed By a Blue Check on Gmail

June 13, 2023 / meritsolutions

Google recently rolled out blue checkmarks for some companies to use with Gmail. These badges were intended to prove to you that the sender in your inbox was who they said they were, and not just a scammer, similar to how these checkmarks work on other social media platforms. Unfortunately, scammers have already cracked the code.

So, how are these checkmarks supposed to work? In normal use, Google relies on something called a VMC, or Verified Mark Certificate, to authenticate that a sender is who they say they are. Once a sender has been verified, Google feeds that information into BIMI (Brand Indicators for Message Identification), and it is this final system that lets Google confidently display the sender’s logo next to their message in your inbox.

When all that is in alignment, you’ll not only see the company logo next to a message, but also the blue checkmark confirming this person is legitimate. It’s supposed to offer some peace of mind that you aren’t sharing correspondence with a scammer.

However, one researcher noticed that obvious spam was still using legitimate company logos and attaching blue checkmarks to its messages. You might receive an email that features a UPS logo and a blue check, but the email address in question is fake beyond a doubt, as the name is simply a jumble of letters and numbers.

According to Google, this is possible due to “a third-party security vulnerability allowing bad actors to appear more trustworthy than they are.” As Android Police notes, “Since UPS trusted Microsoft to send emails on its behalf, when Gmail saw the incoming message that a scammer directed through a Microsoft server, this was viewed as a legit, BIMI-compliant way for a UPS email to arrive — even despite the presence of that garbage-sounding spoofed subdomain.”
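To make the failure concrete, here is a small model of the checks that sit behind a BIMI logo: DMARC identifier alignment (relaxed versus strict), the BIMI record lookup that falls back from a subdomain to the organizational domain, and the requirement for an enforcing DMARC policy plus a VMC. This is an added illustration written for this post, not Google’s, the BIMI group’s, or the original author’s code, and it does not claim to reproduce the exact mechanics of the UPS incident. All domains, DNS records and the sample message are constructed placeholders under `.example`, and the way the shared relay attaches the brand’s organizational domain as the authenticated identifier is an assumption of the model.

```python
"""Simplified model of the checks that gate a BIMI logo (and Gmail's blue check).

Added illustration for this post; not code from Google, the BIMI working group or
the original author. Domains, records and the message are constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


def organizational_domain(domain: str) -> str:
    """Return the registrable domain. Real verifiers consult the Public Suffix List;
    for the .example placeholders used here, the last two labels are enough."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """DMARC identifier alignment (RFC 7489 section 3.1): 's' requires an exact
    match, 'r' (the default) only requires the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


@dataclass
class DmarcRecord:
    policy: str = "reject"   # p= tag; BIMI requires quarantine or reject
    aspf: str = "r"          # SPF alignment mode (default relaxed)
    adkim: str = "r"         # DKIM alignment mode (default relaxed)


@dataclass
class Message:
    from_domain: str                                   # RFC5322.From domain the user sees
    spf_pass_domain: Optional[str] = None              # MAIL FROM domain if SPF returned "pass"
    dkim_pass_domains: List[str] = field(default_factory=list)  # d= of verified signatures


def dmarc_passes(msg: Message, rec: DmarcRecord) -> bool:
    """DMARC passes if at least one authenticated identifier aligns with the From domain."""
    spf_ok = msg.spf_pass_domain is not None and aligned(
        msg.from_domain, msg.spf_pass_domain, rec.aspf)
    dkim_ok = any(aligned(msg.from_domain, d, rec.adkim) for d in msg.dkim_pass_domains)
    return spf_ok or dkim_ok


def bimi_lookup(from_domain: str, bimi_records: Dict[str, str]) -> Optional[str]:
    """BIMI looks for a record at the From domain and falls back to the organizational
    domain, which is how a never-used subdomain can end up wearing the brand's logo."""
    return (bimi_records.get(from_domain.lower())
            or bimi_records.get(organizational_domain(from_domain)))


def logo_shown(msg: Message, rec: DmarcRecord, bimi_records: Dict[str, str],
               vmc_domains: Set[str]) -> Optional[str]:
    """Return the logo URL that would be displayed, or None. Nothing here judges whether
    the mailbox or subdomain looks like gibberish to a human; only DNS/auth checks run."""
    if rec.policy not in ("quarantine", "reject"):
        return None
    if not dmarc_passes(msg, rec):
        return None
    if organizational_domain(msg.from_domain) not in vmc_domains:
        return None
    return bimi_lookup(msg.from_domain, bimi_records)


# --- Constructed scenario mirroring the post ------------------------------------------
# brand.example publishes BIMI, holds a VMC, and has authorized a shared third-party
# sending service. Assumption of this model: that service attaches the brand's
# organizational domain as the authenticated identifier (an SPF pass on MAIL FROM
# brand.example) to a relayed message whose From header is a lookalike subdomain.
BIMI_RECORDS = {"brand.example": "https://brand.example/logo.svg"}
VMC_DOMAINS = {"brand.example"}
SPOOF = Message(from_domain="x7k2q9.brand.example", spf_pass_domain="brand.example")


def spoof_with_relaxed_alignment() -> Optional[str]:
    """Default DMARC settings: the subdomain inherits the brand's logo."""
    return logo_shown(SPOOF, DmarcRecord(aspf="r", adkim="r"), BIMI_RECORDS, VMC_DOMAINS)


def spoof_with_strict_alignment() -> Optional[str]:
    """Brand-side mitigation: aspf=s / adkim=s stops a subdomain from inheriting an
    identifier the relay authenticated for the organizational domain."""
    return logo_shown(SPOOF, DmarcRecord(aspf="s", adkim="s"), BIMI_RECORDS, VMC_DOMAINS)


if __name__ == "__main__":
    print("relaxed:", spoof_with_relaxed_alignment())  # brand logo shown for a garbage subdomain
    print("strict: ", spoof_with_strict_alignment())   # None
```

The takeaway for defenders is that the logo and check are a statement about DNS and authentication results, not about the mailbox a human is reading. On the brand side, strict alignment narrows what a shared relay’s identity can vouch for; on the relay side, the real fix is that one customer’s mail should never be able to carry another customer’s authenticated identifier.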

All that to say, don’t assume that a company logo or a blue check means the sender in your inbox is legitimate. They may very well still be a scammer looking to compromise your data or the data of your business.
