
Millions of Gmail users warned over scam exploiting potential bug in Google feature


The little blue tick isn't just for Twitter. Gmail began showing verified brand logos next to senders in 2021 and added a blue verification checkmark to them in May 2023, and it hasn't taken scammers long to exploit the process.

Cyber threat actors have managed to get that verified checkmark displayed on emails impersonating real businesses, making scams sent directly to Gmail inboxes even harder to detect.

When you hover over a sender’s business logo and blue checkmark in your inbox, a small box will pop up reading: “The sender of this email has verified that they own (business domain URL) and the logo in the profile image.”

But look closely at that URL: a domain name that does not belong to the brand is a sign that the message is not from the trusted sender it claims to be.

Cybersecurity engineer Chris Plummer spotted an example of this in an email from a scammer impersonating the American parcel carrier UPS last Thursday and flagged the flaw with Google.

“There is most certainly a bug in Gmail being exploited by scammers to pull this off,” he tweeted.

After reporting the bug, Plummer said it was initially dismissed as “intended behaviour” by Google.

“How is a scammer impersonating UPS in such a convincing way ‘intended’?” Plummer tweeted.

“The sender found a way to dupe Gmail’s authoritative stamp of approval, which end users are going to trust.

“This message went from a Facebook account, to a UK netblock, to O365, to me. Nothing about this is legit.

“Most users will implicitly trust a little blue seal. It shouldn’t be a thing.”

An example of an email from a scammer carrying the verified checkmark (top) was compared with a legitimate email from the actual business (bottom). Credit: Chris Plummer/Twitter

His social media post went viral, and Plummer pressed Google’s security team to take further action.

Google then responded with an acknowledgement of the Gmail vulnerability, reportedly reopening the matter to a high-priority investigation.

Two days after the UPS scam was spotted and the bug was flagged with Google, cybersecurity consultant Christoph Dary also reported that UPS had withdrawn the authorisation of Microsoft IP addresses from its Sender Policy Framework (SPF) record.

An SPF record is a DNS TXT record that tells receiving mail servers which IP addresses and domains are authorised to send email on behalf of a domain. When a brand's record includes a shared provider's address ranges, every customer of that provider sending from those ranges passes SPF for the brand's domain, not only the brand itself.

“This is probably no coincidence,” Dary tweeted.

Another tech consultant specialising in email tweeted on Wednesday that the verified checkmark had been disabled for a number of accounts.

The flaw comes at a time when scammers are increasingly impersonating government agencies, banks, postal services and trusted brands, draining the bank accounts of their victims as a result, according to the ACCC.

Dary wrote: “This type of flaw is doubly devastating: it makes it possible to distribute perfect phishing, with all the appearances and certifications of real emails from the real domain.

“It (also) casts doubt on the effectiveness of the protocols.”

Google told 7NEWS.com.au in a statement how the authentication process is changing as a result: “This issue stems from a third-party security vulnerability allowing bad actors to appear more trustworthy than they are.

“To keep users safe, we are requiring senders to use the more robust DomainKeys Identified Mail (DKIM) authentication standard to qualify for Brand Indicators for Message Identification (blue checkmark) status.”
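The mechanism behind the SPF discussion above and Google's stated move to require DKIM can be shown in a small model. This is an added illustration, not code from Google, UPS or any of the people quoted: the domains, IP addresses and DNS records are constructed for the example, the SPF and DMARC logic is deliberately simplified (only `ip4`, `include` and `all` mechanisms, strict alignment only), and the DKIM signature is represented by the `d=` domain of a signature assumed to have verified, since the attacker cannot produce a valid signature for a domain whose private key they do not hold.

```python
import ipaddress

# Constructed DNS zone for illustration only; not any real brand's or
# provider's records. brand.example's SPF includes a shared mail provider's
# whole outbound range, so every tenant of that provider is SPF-authorised
# to send "from" brand.example.
DNS_TXT = {
    "brand.example": "v=spf1 ip4:198.51.100.10 include:_spf.sharedmail.example -all",
    "_spf.sharedmail.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "_dmarc.brand.example": "v=DMARC1; p=reject; adkim=s; aspf=s",
}

# The same zone after the brand removes the shared provider's include,
# which is the kind of change Dary reported seeing in UPS's SPF record.
DNS_TXT_AFTER_FIX = dict(DNS_TXT, **{
    "brand.example": "v=spf1 ip4:198.51.100.10 -all",
})

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, ip, zone=DNS_TXT, depth=0):
    """Simplified SPF evaluation: ip4, include and all only."""
    record = zone.get(domain)
    if record is None or not record.startswith("v=spf1 ") or depth > 10:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            # include: matches only when the included record yields "pass"
            matched = spf_check(term[8:], ip, zone, depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            continue  # a, mx, exists etc. not modelled
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def dmarc_evaluate(from_domain, mail_from_domain, source_ip, dkim_d, zone=DNS_TXT):
    """Simplified DMARC with strict alignment (matches the constructed _dmarc
    record). dkim_d is the d= of a signature that VERIFIED, or None."""
    spf_aligned = (spf_check(mail_from_domain, source_ip, zone) == "pass"
                   and mail_from_domain == from_domain)
    dkim_aligned = dkim_d is not None and dkim_d == from_domain
    return {"spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc_pass": spf_aligned or dkim_aligned}


def bimi_checkmark(dmarc, require_dkim):
    """Whether the receiver shows the brand logo and checkmark.
    require_dkim=False: any DMARC pass qualifies (the behaviour exploited).
    require_dkim=True: the pass must come from an aligned DKIM signature."""
    if not dmarc["dmarc_pass"]:
        return False
    return dmarc["dkim_aligned"] if require_dkim else True


# Constructed scenarios. The attacker's tenant IP sits inside the provider
# range that brand.example includes; they sign DKIM only with their own domain.
SCENARIOS = {
    "spoof_via_shared_tenant": dict(from_domain="brand.example", mail_from_domain="brand.example",
                                    source_ip="203.0.113.77", dkim_d="attacker.example"),
    "genuine_brand_mail": dict(from_domain="brand.example", mail_from_domain="brand.example",
                               source_ip="198.51.100.10", dkim_d="brand.example"),
    "random_host": dict(from_domain="brand.example", mail_from_domain="brand.example",
                        source_ip="192.0.2.5", dkim_d=None),
}


def evaluate(name, require_dkim, zone=DNS_TXT):
    dmarc = dmarc_evaluate(zone=zone, **SCENARIOS[name])
    return {**dmarc, "checkmark": bimi_checkmark(dmarc, require_dkim)}


if __name__ == "__main__":
    for name in SCENARIOS:
        for policy in (False, True):
            r = evaluate(name, policy)
            print(f"{name:24} require_dkim={policy!s:5} spf={r['spf_aligned']!s:5} "
                  f"dkim={r['dkim_aligned']!s:5} checkmark={r['checkmark']}")
```

Under the permissive policy the spoofed message from the shared tenant passes DMARC on SPF alignment alone and gets the checkmark; requiring a DKIM-aligned pass removes it, because the attacker holds no key for the brand's domain, while the brand's own signed mail keeps the checkmark under both policies. Evaluating the spoof against `DNS_TXT_AFTER_FIX` shows the other remedy: once the provider's include is gone, SPF fails for the tenant's IP and the checkmark disappears even under the old rule.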
