Earlier this year, Gmail started rolling out blue checkmarks to identify trusted senders. Scammers quickly found a way to disguise spam emails as verified, which Google said it fixed, but the issue still seems to be present.
Update, 6/28/23: Google responded to our inquiry and indicated, after looking into the matter, the email was authentic and sent by a bad actor with access to the Stripe system. We will update this note if we hear from Stripe, and we maintain that the best approach to security is to trust but verify all communications you receive.
Back in May, Gmail started showing blue checkmarks next to verified senders so that it would be easier to tell if a message was legitimate or not. For example, if you received a shipping confirmation from UPS and you saw the blue checkmark, you’d know it was from the real UPS and not a scammer. Unfortunately, scammers quickly found a way around the system, and Gmail was showing the verified symbol on phishing emails.
Google told 9to5Google that the issue relied on a third-party security vulnerability, and by the end of the first week of June, the company would require DomainKeys Identified Mail (DKIM) authentication from senders to show the checkmark. That should have prevented fake emails from showing verified symbols, but it might still be a problem.
One person working at How-To Geek received an email that appeared to be from Stripe, with the Stripe logo, Stripe web domain, and checkmark from Gmail visible in the sender information.
However, the message for a purchase of Ethereum that did not happen, and it also contains references to PayPal. Stripe and PayPal are not connected in any way, except that they are both payment processors. The support number for PayPal in the message (which we’ve blurred out) is also not the official number listed on PayPal’s support site. It’s a pretty convincing email on its own, and Gmail’s verified symbol adds more credibility.
It’s not clear if this is a vulnerability of Stripe’s messaging system (like the invoice scams that were common with PayPal last year), or if the message was sent by a scammer and went unnoticed by Gmail’s verification filter. We’ve reached out to Google and Stripe for comment, and we will update this article when or if we receive a response. In the meantime, be sure to double check possible scam emails, even if Gmail has marked them as trustworthy.
