It’s no secret that over the past few years, Google has been actively working to prevent phishing email scams. And in line with these efforts, the company recently introduced a new feature in Gmail called Brand Indicators for Message Identification (BIMI), which allows companies to verify their identities and add a blue checkmark, giving users an extra layer of protection against scammers. However, it looks like threat actors have already found a way to exploit this system, raising some serious concerns.
The issue was first discovered by cybersecurity engineer Chris Plummer, who found that threat actors were able to deceive Gmail’s authentication systems, which allowed them to masquerade as legitimate senders and bypass security checks. As a result, Plummer quickly reported the bug to Google in the hope that it would investigate this critical flaw. Unfortunately, Google closed the report, claiming it was “intended behavior.” Frustrated by this response, Plummer took to Twitter to share his findings, where the report quickly gained attention and caused widespread distress and concerns.
“There is most certainly a bug in Gmail being exploited by scammers to pull this off, so I submitted a bug which Google lazily closed as “won’t fix – intended behaviour”. How is a scammer impersonating UPS in such a convincing way intended,” said Plummer on Twitter.
Widespread Concerns
While Google is yet to issue a statement regarding Plummer’s report, the collective outcry on social media might prompt the company to reevaluate its initial dismissal of the issue. This is because, as users, we rely on these verification systems to safeguard our online interactions, and the ability to differentiate between genuine and fraudulent sources is crucial in protecting our personal information and avoiding scams.
However, until Google releases a fix, users should remain vigilant and take additional measures to protect themselves from potential scams. These measures include being cautious of emails asking for sensitive information, refraining from opening suspected links, double-checking email addresses, and enabling 2FA.