Google restores the reliability of Gmail’s blue check

About a month ago, Google began to show a blue check on certain Gmail messages. The idea is that this symbol, which indicates that the sender's identity has been verified, helps users tell more quickly whether a message is legitimate or whether they are facing an impersonation-based attack attempt (phishing), a technique that, according to several studies, is at the origin of most social-engineering attacks. Surprising as it may seem to some, phishing is still quite effective in certain contexts.

Gmail's blue check is part of the implementation plan for Brand Indicators for Message Identification (BIMI), a security standard that requires strong authentication as well as verification of the brand's logo (because, as its name indicates, it is aimed exclusively at brands and companies as email senders), so that when a user receives an email from them, both the logo and, most importantly, the symbol confirming that the sender has been verified are displayed.

However, only a few days ago we learned of at least one case of an email that Gmail identified as legitimate, and therefore displayed with the blue check, yet which was evidently fake. The problem was detected by cybersecurity engineer Chris Plummer, who received the email in his Gmail account and contacted Google to report it. As we reported then, the company's first response was to close the incident, stating that the behavior was expected for this feature, but after pressure from Plummer the case was reviewed again, this time receiving the highest priority for its resolution.


When we read terms like "highest priority", we expect the response to be quite fast, and in this case we can confirm that it has been: as Cyberscoop reports, Google will improve the reliability of Gmail's blue check this week. In addition, according to the company's statements to that outlet, an important part of the responsibility lies with third parties, specifically the services where said messages originate.

In the initial implementation of BIMI in Gmail, Google accepted the email authentication standard DMARC backed by either SPF or DKIM, trusting that both would provide the necessary reliability. However, that list will now be reduced to DKIM alone, as the only option for brands and companies that want to verify their identity in Gmail. This is what Google told Cyberscoop:

“This issue stems from a third-party security vulnerability that allows bad actors to appear more trustworthy than they are. […] To keep users safe, we require senders to use the stronger DomainKeys Identified Mail (DKIM) authentication standard to qualify for flags for message identification status”. As for the deadline for this change, Google stated that it will be completed by the end of this week.
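As an added example (not code from the article, Google or Cyberscoop), here is the kind of check a mail administrator could run over their own Authentication-Results headers to see the difference the policy change makes: the older criterion accepted any DMARC pass, which SPF alignment alone can produce, while the stricter one requires a passing DKIM signature whose d= domain aligns with the From domain. The two header sets are constructed, and org_domain is a simplified stand-in for public-suffix-based relaxed alignment.

```python
import re
from email.utils import parseaddr

# Constructed sample headers (not taken from the article). In the first message
# DMARC passes only through SPF (no DKIM signature at all); in the second, SPF
# fails for a relay but an aligned DKIM signature from the brand's domain passes.
SPF_ONLY_MSG = {
    "From": "Security Team <alerts@brand.example>",
    "Authentication-Results": (
        "mx.example.net; dmarc=pass header.from=brand.example; "
        "spf=pass smtp.mailfrom=brand.example; dkim=none"
    ),
}
DKIM_ALIGNED_MSG = {
    "From": "Security Team <alerts@brand.example>",
    "Authentication-Results": (
        "mx.example.net; dmarc=pass header.from=brand.example; "
        "spf=fail smtp.mailfrom=bulk.relay.example; "
        "dkim=pass header.d=brand.example header.s=s1"
    ),
}

def org_domain(domain: str) -> str:
    """Simplified relaxed alignment: compare the last two labels (no public-suffix list)."""
    return ".".join(domain.lower().strip().split(".")[-2:])

def parse_auth_results(value: str) -> list:
    """Split an Authentication-Results header into {method, result, props} entries."""
    entries = []
    for clause in value.split(";")[1:]:  # the first clause is the authserv-id
        m = re.match(r"(\w+)=(\w+)(.*)", clause.strip())
        if m:
            method, result, rest = m.groups()
            props = dict(re.findall(r"(\S+?)=(\S+)", rest))
            entries.append({"method": method, "result": result, "props": props})
    return entries

def dmarc_pass(msg: dict) -> bool:
    """Older criterion: a DMARC pass, which SPF alignment alone can satisfy."""
    return any(e["method"] == "dmarc" and e["result"] == "pass"
               for e in parse_auth_results(msg["Authentication-Results"]))

def dkim_aligned_pass(msg: dict) -> bool:
    """Stricter criterion: a DKIM pass whose d= domain aligns with the From domain."""
    from_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1]
    return any(e["method"] == "dkim" and e["result"] == "pass"
               and org_domain(e["props"].get("header.d", "")) == org_domain(from_domain)
               for e in parse_auth_results(msg["Authentication-Results"]))
```

Both constructed messages satisfy dmarc_pass, but only the second satisfies dkim_aligned_pass, which is the distinction Gmail's stricter requirement draws.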

This does not mean, of course, that we should blindly trust messages with a blue check that arrive in our Gmail account. As always, we must apply caution and common sense. No matter how much an email carries a blue check and therefore seems to come from a trustworthy sender, if there is any reason, however small, why its contents do not add up (for example, a problem with a package we were not expecting), be suspicious and use the supposed sender's official contact channels to confirm the authenticity of the message.
