There’s a new Gmail verification scam; here’s how to avoid getting caught up in it
Scammers found exploiting a Gmail bug to phish users
There’s a new Gmail scam making the rounds online as bad actors are taking advantage of the service’s recently launched verification system.
Back at the beginning of May, Google introduced blue checkmark verification in order to combat internet scams like phishing attacks. Companies and organizations can apply to the program to verify their identity, and upon approval, Gmail will display the aforementioned blue checkmark next to the brand logo. What was supposed to be a way to protect people is instead, in some instances, being used to go after them. Cybersecurity engineer Chris Plummer posted on Twitter an image of a spoofed email claiming to officially be from UPS. The scammer apparently somehow got past Google’s own safeguards.
Bug exploit
Identifying the fake email was easy enough to do. Plummer shows the header sporting an email address consisting of mostly random letters and numbers ending in a UPS URL. However, hovering over the checkmark displays a window stating the message is coming from a legitimate source.
It’s unknown how the bad actor got around the security checks. Plummer claims there’s a bug in Gmail that scammers are exploiting to trick the platform’s “authoritative stamp of approval”. From there, the bad actors hop through multiple domains before zeroing in on their target.
Initially, when he reported the problem to Google, the company reportedly hand-waved it away, saying the system was working as intended. But in the days since Plummer’s discovery, the tech giant made an about-face and announced it is currently working on a fix.
How to not get scammed
Since we don’t know when the patch will roll out, it makes sense to protect yourself until then. TechRadar has a couple of guides on how to avoid online phishing scams and how to protect your inbox. We strongly recommend reading both to get a full understanding, but here are some pieces of advice to get you started.
First, double-check the header. If you see a bunch of random letters, numbers, and symbols in the email address, that’s your first clue that something is fishy.
Secondly, double-check the spelling in the header. Some scammers will replace certain characters with a lookalike to trick people. For example, the letter “O” will be replaced with the number “0” or the capital “I” with a lowercase “l” (that’s an “L”). Gmail’s default font can make this tough to discern.
Be wary of any emails urging you to share your financial information, whether updating your account details or a refund offer you didn’t ask for.
Of course, don’t click on any links or attachments you don’t recognize.
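The first two header checks above can be automated when triaging reported messages. The following Python is an added example, not code from the article or from Gmail; the brand list, thresholds, function names and sample headers are constructed assumptions.

```python
import re
from email.utils import parseaddr
from typing import List, Optional

# Constructed brand list for this example; use the brands your users deal with.
BRANDS = {"ups", "google", "paypal"}

# The article's two lookalike swaps: "0" standing in for "O", and capital "I"
# standing in for lowercase "l". Map each lookalike to the letter it imitates.
LOOKALIKES = str.maketrans({"0": "o", "I": "l"})


def looks_random(local: str) -> bool:
    """Flag local parts that keep switching between letters and digits."""
    s = re.sub(r"[^a-z0-9]", "", local.lower())
    switches = sum(a.isdigit() != b.isdigit() for a, b in zip(s, s[1:]))
    return len(s) >= 8 and switches >= 3  # thresholds are assumptions


def lookalike_of(label: str) -> Optional[str]:
    """Return the brand a domain label imitates, or None if it is no lookalike."""
    skeleton = label.translate(LOOKALIKES).lower()
    if skeleton in BRANDS and label.lower() != skeleton:
        return skeleton
    return None


def check_sender(from_header: str) -> List[str]:
    """Apply both header checks to a raw From: value; return the findings."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["no parsable address"]
    local, _, domain = addr.rpartition("@")
    findings = []
    if looks_random(local):
        findings.append("random-looking local part")
    for label in domain.split("."):
        brand = lookalike_of(label)
        if brand:
            findings.append(f"domain label '{label}' imitates '{brand}'")
    return findings


if __name__ == "__main__":
    # Constructed sample headers; the .example domains are placeholders.
    for header in ("UPS <kx7q2vz9p4mt8w@ups.example>",
                   "Google <security@g00gle.example>",
                   "PayPal <billing@paypaI.example>",
                   "UPS <pkginfo@ups.example>"):
        print(header, "->", check_sender(header) or "no findings")
```

The first sample mirrors the pattern described above: a random-looking local part on a domain that reads as the brand, so only the local-part check fires.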
Also, be sure to check out TechRadar’s list of the best identity theft protection apps for June 2023 to better safeguard your personal details.
Cesar Cadenas has been writing about the tech industry for several years now, specializing in consumer electronics, entertainment devices, Windows, and the gaming industry. But he’s also passionate about smartphones, GPUs, and cybersecurity.