Understanding who you can trust online is just a wildly complicated conversation, and for all the good advice we can offer, scammers are always coming up with new tools and techniques to trick people into putting their faith in them. That’s why companies have long endeavored to develop easily understood, at-a-glance tests you can use to verify online identity — like the little blue checkmarks you’ll see next to verified senders in your Gmail inbox. Unfortunately, it seems that at least some bad actors have found a way to abuse Google’s system.


Gmail offers companies and organizations the ability to verify their identity with systems like BIMI (Brand Indicators for Message Identification), VMC (Verified Mark Certificate), and DMARC (Domain-based Message Authentication, Reporting, and Conformance). When a company jumps through the needed hoops to prove it is who it says it is, Gmail will start displaying its company logo, as well as that blue checkmark next to its name.

But as cybersecurity engineer Chris Plummer noticed, some scammers appear to have recently found a way to maneuver around Google’s protections and make their messages look like they’re originating from an official-enough source to pass the integrity checks.

Distressed by what he discovered, Plummer reached out to Google to inform the company of this obviously problematic situation — only to see his bug report closed with the note that this was somehow “intended behavior.” With that response not passing the smell test, Plummer took to Twitter to air his frustrations. Social media did not like what he had to tell them, and the response has been big enough to apparently prompt Google to rethink its initial dismissal.

The ball’s now in Google’s court, and we’re cautiously optimistic that the problem behind this exploit is one that will quickly be identified and resolved. It’s not a great look that Plummer had to practically drag Google kicking and screaming into treating this seriously, but we’re just happy that the company seems to have eventually come around.

Thanks: Armando
