
Google restores the reliability of Gmail’s blue check

  • June 7, 2023

About a month ago, Google started showing blue checks on some Gmail messages. The idea is that this symbol, which indicates that the identity of the sender has been verified, helps users tell more quickly whether a message is legitimate or whether, on the contrary, we are facing an attempted attack based on identity impersonation (phishing), a technique that, according to several studies, is the origin of most social engineering attacks. And as surprising as it may seem to some, phishing is still quite effective in certain contexts.

Gmail's blue check is part of the Brand Indicators for Message Identification (BIMI) implementation plan, a security standard that requires strong authentication as well as brand logo verification (because, as its name suggests, it is only for brands and companies as email senders), so that when a user receives an email from them, the message shows both the logo and a symbol that confirms the verification of the sender.

However, we learned only a few days ago that there had already been at least one case of an email marked by Gmail as legitimate, and therefore carrying a blue check, that was apparently fake. The issue was discovered by cybersecurity engineer Chris Plummer, who received such an email in his Gmail account and contacted Google to report it. As we told you at the time, the company's initial response was to close the incident, saying it was within the expected behavior of the feature, but after pressure from Plummer, the case was re-examined and given top priority for resolution.

When we read terms like “top priority”, we understand that the response speed must be quite high, and in this case we can confirm that it was. As we can read in CyberScoop, Google will improve the reliability of Gmail's blue check this week. In addition, according to the company's statement to that outlet, a significant part of the responsibility lies with third parties, namely the services from which the messages in question originate.

In the initial implementation of BIMI in Gmail, Google relied on the email authentication standards DMARC and SPF or DKIM, believing that either would provide the necessary reliability. However, it appears that this list will now be limited to DKIM, as the only option for brands and companies that want to verify their identity in Gmail. This is what Google told CyberScoop:

“This issue stems from a third-party security vulnerability that allows bad actors to appear more trustworthy than they are. […] To keep users safe, we require senders to use the stronger DomainKeys Identified Mail (DKIM) authentication standard to qualify for message identification status flags.” As for the timing of this change, Google said it will be completed by the end of this week.
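To make the policy change concrete, the following added example (not code from the article or from Google) evaluates constructed `Authentication-Results` headers under the original rule (DMARC plus SPF or DKIM) and under the DKIM-only rule. The sample headers, the function names and the simplified suffix-match alignment check are assumptions of this example.

```python
import re

def parse_auth_results(header):
    """Parse an RFC 8601 Authentication-Results value into
    a list of (method, result, {property: value}) tuples."""
    header = re.sub(r"\([^)]*\)", "", header)        # drop (comments)
    entries = []
    for part in header.split(";")[1:]:               # part 0 is the authserv-id
        m = re.match(r"\s*([a-z0-9-]+)=([a-z]+)", part, re.I)
        if m:
            props = dict(re.findall(r"([a-z]+\.[a-z0-9-]+)=(\S+)", part, re.I))
            entries.append((m.group(1).lower(), m.group(2).lower(), props))
    return entries

def passed(entries, method):
    """Property dicts of every entry for `method` whose result is 'pass'."""
    return [p for m, r, p in entries if m == method and r == "pass"]

def aligned(signing_domain, from_domain):
    # Assumption: a suffix match stands in for relaxed DMARC alignment.
    d, f = signing_domain.lower(), from_domain.lower()
    return bool(d and f) and (d == f or d.endswith("." + f) or f.endswith("." + d))

def badge_eligible(header, dkim_only):
    """Hypothetical eligibility check for the verified-sender badge."""
    entries = parse_auth_results(header)
    dmarc = passed(entries, "dmarc")
    if not dmarc:
        return False
    if not dkim_only:                                # original rule: SPF or DKIM
        return bool(passed(entries, "spf") or passed(entries, "dkim"))
    from_domain = dmarc[0].get("header.from", "")    # DKIM-only rule
    return any(
        aligned(p.get("header.d") or p.get("header.i", "").split("@")[-1], from_domain)
        for p in passed(entries, "dkim"))

# Constructed sample headers (example domains, not taken from real mail)
SPF_ONLY = ("mx.receiver.example; dkim=none; spf=pass (sender IP authorized) "
            "smtp.mailfrom=bounce@brand.example; dmarc=pass (p=REJECT) header.from=brand.example")
DKIM_SIGNED = ("mx.receiver.example; dkim=pass header.i=@brand.example header.s=s1; "
               "spf=fail smtp.mailfrom=bounce@relay.example; dmarc=pass header.from=brand.example")
FOREIGN_DKIM = ("mx.receiver.example; dkim=pass header.d=relay.example; "
                "spf=pass smtp.mailfrom=bounce@brand.example; dmarc=pass header.from=brand.example")

if __name__ == "__main__":
    for name, hdr in [("SPF only", SPF_ONLY), ("DKIM signed", DKIM_SIGNED),
                      ("Unrelated DKIM", FOREIGN_DKIM)]:
        print(f"{name:15} old={badge_eligible(hdr, False)} dkim_only={badge_eligible(hdr, True)}")
```

Only the message signed with a DKIM key for the visible From domain keeps the badge under the DKIM-only rule; the SPF-only message and the one signed by an unrelated domain lose it.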

Of course, this does not mean that we should blindly trust the blue-check messages that we receive in our Gmail account. As always, we must use caution and common sense. Even if an email has a blue check and therefore appears to be from a trusted sender, if there is some reason, no matter how small, why what it says doesn't sit well with us (e.g. a problem with a package we didn't expect), we should be suspicious and use the supposed sender's official contact channels to confirm the authenticity of the message.

Source: Muy Computer
