Alert for a new scam campaign carried out from Gmail due to an error in Google’s new email verification system, where cybercriminals are using the blue tick to impersonate real companies and steal money and personal information.
About a month ago, Google announced the introduction of blue verification ticks which, as on Twitter and other social networks, serve to identify (in this case) real and legitimate companies, with the main objective of preventing impersonation, spam and deception.
Unfortunately, it only took a month for this plan to go awry: according to what one user discovered and reported on Twitter, there is an error that allows cybercriminals to bypass Gmail’s controls and receive verification despite not being the organization they claim to be.
There is most certainly a bug in Gmail being exploited by scammers to pull this off, so I submitted a bug which @Google lazily closed as “won’t fix – intended behavior”. How is a scammer impersonating @UPS in such a convincing way “intended”. pic.twitter.com/soMq7KraHm
— plum (@chrisplummer) June 1, 2023
The example given is a fake email impersonating the parcel company UPS; although it carries the logo and the blue tick, it can be recognized as false because the sender’s email address is suspicious and apparently has nothing to do with the company.
After identifying this error, the user notified the company, which at first did not pay much attention and described it as “intended behavior”, although after analyzing it carefully Google concluded that it was not a generic vulnerability and that it would investigate this case further.
Normally, when a user discovers an error, failure or vulnerability in the Google ecosystem, the company rewards them in some way; in this case, however, the user had to settle for a “thank you”.
How to avoid email scams
The first thing is always to check the legitimacy of the sender: make sure the name is not suspicious and that the address has something to do with the company it claims to represent. In turn, if the email contains files, links or documents, it is better to verify their authenticity before doing anything with them.
Other aspects to pay attention to, although on their own they are not always conclusive about whether an email is legitimate, are spelling mistakes in the message, and whether the link uses HTTPS.
Finally, it is highly recommended to activate two-factor authentication for logins; this adds another layer of security to prevent someone from getting into your Gmail account.
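The manual checks above (does the sender address belong to the company named in the display name, do the links use HTTPS and point at that company, are there spelling mistakes) can be turned into a small heuristic that runs over a raw email. The following Python is an added example written for this article, not code from Google or from the Twitter user; the two messages, the brand-to-domain table and the misspelling list are all constructed here, and the brand table is a deliberately tiny stand-in for whatever list a real mail filter would maintain.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real capture): the display name claims to be UPS,
# but the actual sender address and the first link belong to an unrelated domain.
SCAM_EMAIL = b"""From: "UPS" <notice@parcel-update-example.net>
To: victim@example.org
Subject: Your package is waiting
Content-Type: text/plain; charset=utf-8

Your parcel could not be deliverd. Confirm your adress here:
http://parcel-update-example.net/track?id=123
https://www.ups.com/track
"""

# Constructed legitimate-looking counterpart for comparison.
LEGIT_EMAIL = b"""From: "UPS" <noreply@ups.com>
To: victim@example.org
Subject: Your package is on its way
Content-Type: text/plain; charset=utf-8

Track your parcel here:
https://www.ups.com/track?id=123
"""

# Hypothetical mapping of brand display names to the domains they send from.
KNOWN_BRANDS = {
    "ups": {"ups.com"},
}

# Constructed list of common misspellings seen in lures; not exhaustive.
SUSPICIOUS_SPELLINGS = {"deliverd", "adress", "recieve", "verfy"}


def registered_domain(host: str) -> str:
    """Return the last two labels of a host ('www.ups.com' -> 'ups.com').
    Simplification: ignores multi-label public suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_email(raw: bytes) -> dict:
    """Apply the article's manual checks as heuristics to a raw RFC 5322 message.
    An empty 'warnings' list means nothing suspicious was found."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = registered_domain(address.split("@")[-1]) if "@" in address else ""
    brand = display_name.strip().strip('"').lower()
    warnings = []

    # 1. Does the sender address have anything to do with the company it claims to be?
    if brand in KNOWN_BRANDS and sender_domain not in KNOWN_BRANDS[brand]:
        warnings.append(f"display name '{display_name}' but sender domain '{sender_domain}'")

    # 2. For every link: is it HTTPS, and does it point at the claimed company's domain?
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    links = re.findall(r"""https?://[^\s<>"']+""", text)
    for link in links:
        parsed = urlparse(link)
        if parsed.scheme != "https":
            warnings.append(f"non-HTTPS link: {link}")
        link_domain = registered_domain(parsed.hostname or "")
        if brand in KNOWN_BRANDS and link_domain not in KNOWN_BRANDS[brand]:
            warnings.append(f"link to '{link_domain}' does not belong to '{display_name}'")

    # 3. Spelling mistakes are a weak signal on their own, so they are reported but not weighted.
    words = set(re.findall(r"[a-z]+", text.lower()))
    misspelled = sorted(words & SUSPICIOUS_SPELLINGS)
    if misspelled:
        warnings.append(f"misspellings: {', '.join(misspelled)}")

    return {
        "display_name": display_name,
        "sender_domain": sender_domain,
        "links": links,
        "warnings": warnings,
    }


if __name__ == "__main__":
    for label, sample in (("scam", SCAM_EMAIL), ("legit", LEGIT_EMAIL)):
        result = check_email(sample)
        print(f"{label}: {len(result['warnings'])} warning(s)")
        for w in result["warnings"]:
            print("  -", w)
```

Run as a script it reports four warnings for the constructed scam message (sender domain mismatch, a non-HTTPS link, a link to a domain that is not UPS, and two misspellings) and none for the legitimate one. Note that the second link in the scam sample points at the real ups.com and passes on its own, which is exactly why the sender-domain check matters more than any single link.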