Don’t trust Gmail’s blue checkmarks because some hackers might abuse them

Published Jun 5th, 2023 6:50AM EDT
Image: Fabian Sommer/picture alliance via Getty Images


Gmail is the most popular email service in the world, thanks to a variety of features and security improvements that Google delivered over the years. On the latter, Google does a tremendous job at trying to catch email spam automatically and reduce the risk of hackers taking advantage of users. To that end, Google recently introduced a new blue checkmark security feature that’s similar to Twitter Blue.

The blue indicator should appear next to email coming from genuine companies. It should bring peace of mind to Gmail users and increase their security further. But you shouldn’t trust the Gmail blue checkmarks yet. It turns out there’s a big security flaw that hackers are exploiting right now. They found a way to fool Gmail’s security system, and this will increase the risk of phishing attacks.

Google will fix the security flaw, but it might take time for the patch to roll out.

Google introduced the Gmail blue checkmark in early May, and you might have seen it in emails from the companies you’re dealing with online frequently. The checkmark is built on Google’s Brand Indicators for Message Identification (BIMI). This feature “requires senders to use strong authentication and verify their brand logo in order to display a brand logo as an avatar in emails.”

The blue logo should “help users identify messages from legitimate senders versus impersonators.”

But researcher Chris Plummer discovered that hackers can abuse the feature. As a result, fraudulent emails featuring a company’s official logo and the Gmail blue checkmark might hit your inbox. Like this one:

It looks like a genuine email from UPS. But it’s not. A look at the domain name following the “@” symbol should make you question it. Furthermore, if the suspicious UPS email asks you for personal information to deliver a package, you shouldn’t provide it.

Hackers might want to steal information like your address, birth date, and social security number. In turn, they might use this information for other nefarious activities resulting in additional harm.

Plummer contacted Google to detail the security issue, but the company initially dismissed his concerns.

Thankfully, Google changed its mind. The Gmail blue checkmark security issue is now a severe, high-priority bug that Google will patch.

Here’s Google’s updated answer to Plummer:

After taking a closer look we realized that this indeed doesn’t seem like a generic SPF vulnerability. Thus we are reopening this and the appropriate team is taking a closer look at what is going on.

We apologize again for the confusion and we understand our initial response might have been frustrating, thank you so much for pressing on for us to take a closer look at this!

It’s unclear how long it’ll take for Google to repair this particular bug. Until then, you shouldn’t trust those blue checkmarks that appear in Gmail. Maybe not even after that. Just keep checking that the sender’s address doesn’t look fishy. And continue to never offer personal information over email. Also, you should contact a company’s customer care and see if the email you’ve just received is genuine.
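As an added example (not code from the article or from Google), the Python snippet below applies the advice above to a message's headers: it separates the display name from the real domain after “@”, and reads the Authentication-Results header to show which domain actually passed SPF/DKIM/DMARC, which need not be the brand the display name claims. The sample headers and every domain name are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the display name claims a well-known brand while the
# address after "@" belongs to an unrelated domain. Placeholder names only.
SAMPLE_HEADERS = """\
From: "UPS" <tracking@example-lookalike.test>
Reply-To: tracking@example-lookalike.test
Authentication-Results: mx.google.com;
       dkim=pass header.i=@example-lookalike.test;
       spf=pass smtp.mailfrom=example-lookalike.test;
       dmarc=pass (p=NONE) header.from=example-lookalike.test
Subject: Your package is on hold

"""


def sender_domain(address: str) -> str:
    """Return the lowercased domain after '@', or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def inspect_sender(raw_headers: str, expected_domains: set) -> dict:
    """Compare what the From header displays with which domain authenticated.

    expected_domains: the domain(s) the named brand really sends from; the
    reader supplies these (the article names none), so a placeholder is used.
    """
    msg = message_from_string(raw_headers)
    display_name, address = parseaddr(msg.get("From", ""))
    from_domain = sender_domain(address)

    # Authentication-Results records which domain passed each check. A "pass"
    # only proves that *this* domain authenticated, not that it is the brand
    # shown in the display name or behind a verified-sender indicator.
    auth = msg.get("Authentication-Results", "")
    authed = set(re.findall(
        r"(?:header\.i=@|smtp\.mailfrom=|header\.from=)([\w.-]+)", auth))

    return {
        "display_name": display_name,
        "from_domain": from_domain,
        "authenticated_domains": authed,
        "suspicious": from_domain not in expected_domains,
    }


if __name__ == "__main__":
    print(inspect_sender(SAMPLE_HEADERS, {"brand.example"}))
```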

Finally, while you’re using Gmail, you should go through Google’s privacy and security checkups.

Chris Smith, Senior Writer

Chris Smith has been covering consumer electronics ever since the iPhone revolutionized the industry in 2008. When he’s not writing about the most recent tech news for BGR, he brings his entertainment expertise to Marvel’s Cinematic Universe and other blockbuster franchises.

Outside of work, you’ll catch him streaming almost every new movie and TV show release as soon as it's available.