Google has introduced new blue verified check marks for Gmail addresses. According to Google, the new feature helps protect inboxes against malicious and unwanted emails and increases confidence that those emails are from legitimate sources. Gmail users who added Google’s Brand Indicators for Message Identification (BIMI) feature will now see a check mark icon instead of the verified brand logo.
Creating a verification process makes sense — until hackers and spammers decide to make it their mission to find flaws in the capability. Bypassing blue check marks will be another chapter in the long history of business email compromise schemes designed to propagate malicious code. By sending out emails with impersonated blue check marks, legacy security protection layers will likely pass the message to the suspecting victims.
Another Layer of Protection or Just Another Layer?
Hackers can create fake email accounts that look like they have been verified by Google. They can create a new account and then use a tool to generate a fake verification badge. Once the account has been created, the hacker can then send phishing emails or other malicious messages that appear to come from a legitimate source.
Hackers can use social engineering to trick users into revealing their passwords. They can send emails that appear to be from a legitimate source, such as a bank, government agency, or customer service representative. Or they may create a message that offers a free gift or discount. The email typically will contain a link that takes the user to a fake website that looks like the real thing. Once the user enters their login credentials, the hacker can then use them to access the user’s Gmail account.
Hackers can use malware to steal login credentials. This can be done by sending emails that contain attachments infected with malware. Once the user opens the attachment, the malware will be installed on their computer. The malware can then be used to steal the user’s login credentials for Gmail and other online accounts.
Also, don’t be surprised when hackers send phishing emails with an artificial Gmail verification process to potential victims, fooling them into thinking they’re helping them earn their blue check marks and stealing their credentials instead.
Creating accounts impersonating a domain and a user isn’t something new. Email impersonation, especially with recently established email-sending domains, continues to create havoc with organizations trying to avoid email phishing attacks. Hackers have made these accounts and placed a fake verified badge to fool the receiving email user.
Integrating Security Layers Continue to Be a Proven Strategy
To contend with this new attack vector, organizations must invest in security solutions, including DMARC, SPF, and DKIM for domain authentication, sandboxing all attachments, and leveraging threat intelligence to help stop malware.
Using passwords with multifactor authentication, leveraging one-time passwords, biometrics, and even challenge and reply tokens could help businesses protect its data while standardizing a universal authentication strategy across the company.
The continuous investment in security as a platform instead of bolting on a new control layer is a wise move. With every innovative way to stop hackers from impersonating, stealing data, and spreading malware, there will be an element of exploitation the hackers will soon discover.
Security platforms using agile and DevOps rapid deployment can quickly add additional protection layers without the everyday user experience. Through the rapid deployment of features, security providers can respond quickly to changing threat landscape without causing service outages or exposing organizations to other attack vectors.
Google’s new verified blue check mark feature is just one layer of security. It is important to use other security measures, such as strong passwords and multifactor authentication, to protect your Gmail account. And companies must continue to invest in end-user education and security awareness training to make sure those verified emails actually come from authentic people.