All 1.8 billion active Gmail users need to read this warning to prevent getting ripped off
No matter where you use Gmail, if you use Google's email app or website, a tweet from cybersecurity engineer Chris Plummer (via Forbes) should serve as an alert and wake-up call. It all starts with a checkmark system that Google introduced last month. Designed to verify emails supposedly sent by legitimate corporations and organizations, an email in your Gmail inbox with a blue checkmark was supposed to indicate that you can safely open the missive without worrying about getting scammed, spammed, or hacked.
Thanks to a bug, scammers can get Gmail to verify their fake email by having a blue checkmark appear
The aforementioned Plummer discovered a way for bad actors to have a blue checkmark "verify" their phished gmail. Plummer submitted a bug report with Google after spotting a scammer sending a verified email impersonating UPS. The email even included the iconic UPS shield icon. Google at first rejected Plummer's submission saying that it won't fix the bug since 'this is intended behavior. As Plummer asks in his tweet, "How is a scammer impersonating @UPS in such a convincing way 'intended?'
Despite the blue checkmark and the UPS shield icon, this Gmail is a scam and did not come from UPS
But Google quickly did an about-face and sent Plummer the following, "After taking a closer look we realized that this indeed doesn't seem like a generic SPF vulnerability. Thus we are reopening this and the appropriate team is taking a closer look at what is going on. We apologize again for the confusion and we understand our initial response might have been frustrating, thank you so much for pressing on for us to take a closer look at this! We'll keep you posted with our assessment and the direction that this issue takes. Regards, Google Security Team."
Google has now made this flaw a P1 which means it is a top-priority fix. But until it is fixed, Gmail users need to be on the lookout for verified Gmail that is not from the company that it claims to be from. As always, do not click on any links and certainly do not give away any information such as social security numbers, credit card numbers, expiration dates, and security codes.
Fixing this Gmail bug is now a P1 highest priority task for Google
If you receive what seems like an important email in your Gmail inbox and it is verified with a blue checkmark, call the company using a phone number you've obtained from Google. Do not call a phone number that is written in the letter. Since this is a high-priority fix for Google now, let's hope the bug is exterminated before anyone gets ripped off. And the odds are good that at least some users will lose some money with this scam since there are over 1.8 billion active Gmail users this year.
This is how a bad actor can use this bug to clean out your bank account
Let's look at how this could rip you off. Say you receive an email from UPS that has a blue checkmark and it says that you are about to receive a package. The letter might say that UPS needs some information to verify your identity. With the verifying checkmark on your mind, you agree to respond with some personal information that "UPS" says it needs to deliver your package. So you send them your birthdate, social security number, and your bank account and/or credit card information. You can imagine what someone with malicious intent can do with all of that information.
Most companies these days will not send you texts or emails with links. Most will not ask for any of the information we mentioned above. And even when Google does exterminate this bug, a blue checkmark does not give you card blanche for spewing out personal information that can cost you your hard-earned money. And the speed at which a scammer can take your personal information and run up your credit cards, clean out your bank account, hijack your wireless account, and lock you out is incredible.
The best thing to do is to maintain a very cautious attitude and be alert blue checkmark or no blue checkmark!
Things that are NOT allowed: