Gmail Verification System hit by Scammers – How to Avoid Falling Victim
In May, Google began verifying users with a blue checkmark system. The goal of the new verification system is to thwart attempts from threat actors to scam you via methods like phishing attacks. The very system that is designed to make things more safe and secure is actually being targeted by threat actors.
Organizations that apply to the program to have their identity verified receive a blue checkmark next to their name once they are approved. However, attackers are apparently finding a way past Google's safeguards, and some users are receiving fraudulent emails from accounts whose verification has been approved. Chris Plummer, a cybersecurity engineer, posted on Twitter an image of a fraudulent email he had received that claimed to be from UPS.
Plummer easily identified the email as spam, noting that the header contained an email address that was clearly not legitimate. However, hovering over the checkmark next to the organization's name displayed a message stating that the email was coming from a legitimate source.
Plummer disclosed that scammers are exploiting a bug in Gmail's "authoritative stamp of approval". From there, they can travel through multiple domains before selecting a target.
Plummer reported the issue to Google, which initially said that the program was working as intended. In the days since, Google has backtracked and announced that it is working on a fix.
So how can you protect yourself from this bug until Google releases a fix? First, check the header of the email. If the sender address seems suspicious, especially if it contains a lot of random letters and numbers, it is probably not legitimate. Additionally, look for misspellings that use similar-looking characters: scammers will sometimes use the number "0" instead of the letter "O", along with other clever substitutions. Also, if the email asks you to give up personal information such as bank details or your Social Security number, treat that as another red flag. Finally, do not click on links or attachments you don't recognize.
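The header checks above can be automated for triage. The following is an added example, not code from Google, Gmail or the TechRadar story: it parses a From: header, folds common look-alike characters (digits and Cyrillic letters) onto the Latin letters they imitate, and raises flags when the domain is a look-alike of a trusted brand domain, when the display name claims a brand the address does not belong to, or when the local part is a long string of mixed letters and digits. The trusted-domain list, the confusable table, the two-label "registrable domain" shortcut and the digit-ratio threshold are all assumptions chosen for the demonstration, and the sample headers are constructed.

```python
"""Heuristic triage of a suspicious From: header.

Added example, not Google's or Gmail's own logic. The trusted-domain
list, confusable table and thresholds are assumptions chosen for the demo.
"""
import re
import unicodedata
from email.utils import parseaddr

# Assumed: the registrable domains these brands genuinely send mail from.
TRUSTED_DOMAINS = {"ups.com", "google.com"}

# Characters scammers substitute for look-alike letters
# ("0" for "o", "rn" for "m", Cyrillic "\u0455" for "s", ...).
_MULTI_CHAR = [("rn", "m"), ("vv", "w")]
_SINGLE_CHAR = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0455": "s", "\u0456": "i", "\u0443": "y",
})


def normalize_confusables(text: str) -> str:
    """Fold digits and Cyrillic homoglyphs onto the Latin letters they imitate."""
    text = unicodedata.normalize("NFKC", text).lower()
    for seq, rep in _MULTI_CHAR:
        text = text.replace(seq, rep)
    return text.translate(_SINGLE_CHAR)


def registrable_domain(domain: str) -> str:
    """Last two labels of the domain (simplification: no public-suffix list)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def looks_random(local_part: str, min_len: int = 8, digit_ratio: float = 0.3) -> bool:
    """Flag long local parts made largely of digits, e.g. 'x7k2p9qm41'."""
    if len(local_part) < min_len:
        return False
    digits = sum(ch.isdigit() for ch in local_part)
    return digits / len(local_part) >= digit_ratio


def assess_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Return the parsed address plus a list of red flags found in the header."""
    display_name, address = parseaddr(from_header)
    if "@" not in address:
        return {"address": address, "flags": ["unparseable_address"]}
    local_part, domain = address.rsplit("@", 1)
    reg = registrable_domain(domain)
    flags = []
    if reg not in trusted:
        # Normalize both sides so a trusted domain that itself contains "rn"
        # or "vv" still compares equal to itself.
        trusted_norm = {normalize_confusables(t) for t in trusted}
        if normalize_confusables(reg) in trusted_norm:
            flags.append("lookalike_domain")
        # Display name claims a trusted brand, but the address is not that brand's domain.
        brands = {t.split(".")[0] for t in trusted}
        name_tokens = set(re.findall(r"[a-z0-9]+", normalize_confusables(display_name)))
        if brands & name_tokens:
            flags.append("brand_name_domain_mismatch")
    if looks_random(local_part):
        flags.append("random_local_part")
    return {"address": address, "domain": reg, "flags": flags}


if __name__ == "__main__":
    # Constructed sample headers, not real messages.
    for hdr in ("UPS <no-reply@ups.com>",
                "UPS Notifications <x7k2p9qm41@up5.com>",
                "UPS Delivery <tracking@u\u0440\u0455.com>"):
        print(hdr, "->", assess_sender(hdr)["flags"])
```

A legitimate address from a trusted domain produces no flags; the "up5.com" header trips all three checks, and the Cyrillic look-alike domain still resolves to "ups.com" after normalization even though every byte differs. A blue checkmark or a matching display name is not on this list on purpose: as the story shows, those are the very signals that were being spoofed.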
Story via TechRadar