A new Gmail scam is making the rounds online, with bad actors exploiting the service’s recently launched verification system. Google introduced blue checkmark verification in May to combat internet scams like phishing attacks. However, scammers have found a way to use this system to target unsuspecting users. Cybersecurity engineer Chris Plummer recently shared on Twitter an image of a spoofed email, claiming to be from UPS, which somehow managed to bypass Google’s safeguards.
The scam relies on a bug in Gmail, allowing scammers to trick users with a seemingly legitimate email. While the header may display an email address consisting of random letters and numbers, the presence of the blue checkmark might mislead users into believing it is from a verified source. It remains unclear how the bad actors are circumventing Google’s security checks, but they are leveraging multiple domains to reach their targets.
Initially, when Plummer reported the issue to Google, the company dismissed it, claiming that the system was functioning correctly. However, in light of this discovery, Google has now acknowledged the problem and announced that they are actively working on a fix.
To protect yourself from falling victim to this scam, it is essential to remain vigilant until the patch is implemented. TechRadar has comprehensive guides on avoiding online phishing scams and safeguarding your inbox, which we strongly recommend reading. In the meantime, here are some key pieces of advice to help you get started:
- Double-check the header: If the email address consists of random letters, numbers, or symbols, it is likely a sign of a phishing attempt.
- Verify the spelling in the header: Scammers may replace certain characters with lookalikes to deceive users. Pay close attention to characters like “O” (replaced with “0”) or “I” (replaced with “l”). Gmail’s default font can make these substitutions hard to spot.
- Exercise caution with requests for financial information: Be skeptical of emails urging you to update your account details or offering unexpected refunds. Avoid sharing sensitive financial information unless you initiated the request.
- Don’t click on unfamiliar links or attachments: Be cautious when encountering links or attachments in emails from unknown sources. Avoid clicking on them to mitigate the risk of malware or phishing attempts.
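The header checks in the list above can be turned into a small automated triage step. The following Python script is an added example, not code from the article, from TechRadar or from Google: it parses a `From:` header, flags a local part that looks like a random string of letters and digits, folds common lookalike characters (such as "0" for "O" and "1" for "l") so that a spoofed domain collapses onto the real one, and reports when the display name claims a brand whose real mailing domains do not include the sender's domain. The sample headers and the `KNOWN_BRAND_DOMAINS` allow-list are constructed for the demonstration. Because the article's point is that the blue checkmark itself appeared on the spoofed mail, the script deliberately ignores any verification badge and judges only the address text; it is a heuristic, and legitimate bulk senders sometimes use random-looking bounce addresses, so treat its findings as prompts for a closer look rather than verdicts.

```python
import math
import re
from collections import Counter
from email.utils import parseaddr

# Constructed sample From: headers (not taken from the article or from any real mail).
SAMPLE_HEADERS = [
    "UPS <notifications@ups.example>",               # consistent brand and domain
    "UPS Delivery <x7k2q9p4wz@mail-notify.example>",  # random local part, brand mismatch
    "Account Team <billing@paypa1.example>",          # digit '1' standing in for 'l'
    "UPS <tracking@up5.example>",                     # digit '5' standing in for 's'
]

# Hypothetical allow-list: the domains each brand genuinely mails from.
# A real deployment would populate this from the organisation's own records.
KNOWN_BRAND_DOMAINS = {
    "ups": {"ups.example"},
    "paypal": {"paypal.example"},
}

# Characters commonly substituted for letters, folded onto one representative
# per confusable class ('1', 'l', '|' and 'i' all become 'i', '0' becomes 'o', ...).
CONFUSABLE_FOLD = str.maketrans({
    "0": "o", "1": "i", "l": "i", "|": "i",
    "3": "e", "5": "s", "$": "s", "@": "a",
})


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; random strings score close to log2(len)."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def fold_confusables(text: str) -> str:
    """Lower-case and collapse lookalike characters so spoofs compare equal to the real name."""
    return text.lower().translate(CONFUSABLE_FOLD)


def looks_random(local_part: str) -> bool:
    """Heuristic for 'random letters and numbers': long, digit-laden and high entropy."""
    if len(local_part) < 8:
        return False
    digits = sum(ch.isdigit() for ch in local_part)
    return digits >= 2 and shannon_entropy(local_part) >= 3.0


def brand_from_display_name(display_name: str):
    """Return the first known brand word mentioned in the display name, if any."""
    for word in re.findall(r"[a-z]+", display_name.lower()):
        if word in KNOWN_BRAND_DOMAINS:
            return word
    return None


def check_sender(header: str) -> list:
    """Return a list of findings for one From: header; an empty list means nothing stood out."""
    display_name, address = parseaddr(header)
    if "@" not in address:
        return ["unparseable_address"]
    local_part, domain = address.rsplit("@", 1)
    domain = domain.lower()
    findings = []

    if looks_random(local_part):
        findings.append("random_local_part")

    # A domain that is not on the allow-list but becomes a known domain once
    # lookalike characters are folded is the 'O' vs '0' trick from the article.
    folded = fold_confusables(domain)
    for brand, domains in KNOWN_BRAND_DOMAINS.items():
        if domain not in domains and folded in {fold_confusables(d) for d in domains}:
            findings.append(f"lookalike_domain:{brand}")

    # The display name is attacker-controlled; check it against the real domain.
    brand = brand_from_display_name(display_name)
    if brand and domain not in KNOWN_BRAND_DOMAINS[brand]:
        findings.append(f"display_name_brand_mismatch:{brand}")
    return findings


def scan_headers(headers=SAMPLE_HEADERS) -> dict:
    """Run check_sender over a batch of headers and map each header to its findings."""
    return {h: check_sender(h) for h in headers}


if __name__ == "__main__":
    for header, findings in scan_headers().items():
        print(f"{header!r}: {findings or 'no findings'}")
```

Running the script prints one line per sample header; the clean UPS address produces no findings, the random-looking address is flagged twice, and the two digit-substituted domains are reported as lookalikes of the brands they imitate.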
Remaining vigilant and implementing these precautionary measures will help safeguard your online security while Google works on resolving the issue.