How Dotted Gmail Addresses Are Wreaking Online Fraud Havoc

Fraudsters are exploiting a Gmail feature to file for fraudulent unemployment benefits, file fake tax returns, bypass trial periods for online services and commit online fraud, according to a new article filed by ZDNet.

The scam used by fraudsters exploits the fact that Gmail addresses ignore dots inside the email address itself.

For example, if someone adds dots to your address, the email will still be delivered to your undotted address. If your email is [email protected], all these dotted versions will resolve to that same email:

Fraudsters and Scammers Create Online Accounts Using Dotted Email Addresses

Online users and friendly fraudsters have been exploiting this feature for years to register new accounts with the same Gmail address over and over again by placing dots in different parts of the address. Because each dotted spelling looks like a different address to the service, they can sign up for free trials repeatedly without detection.

More recently, James Fisher, a Netflix customer, shared how he was scammed by a fraudster who exploited this feature to steal his personal information.

The scammer set up a phony Netflix account with a dotted Gmail address as its email. His real email is [email protected], but the scammer used [email protected].

And here is the rub: when the card got declined, Netflix sent an email asking for new card details to [email protected], which was routed to the real James Fisher because of the dotted Gmail feature.

James Fisher went to Netflix and almost inadvertently gave the fraudsters access to his real card details by typing them in.

Not an Isolated Event — Fraudsters Are Targeting Card Issuers and Others

This is not an isolated event. Security firm Agari noticed that dotted Gmail addresses were being used by BEC (Business E-mail Compromise) actors to commit a variety of crimes. In a recent report, the team there says it saw criminal groups use dotted Gmail addresses regularly.

In an example included in the report, Agari saw one group in particular use 56 “dotted” variations of a Gmail address to, among other things, submit 48 credit card applications at four US-based financial institutions, resulting in the approval of at least $65,000 in fraudulent credit.

And that was not all they found. They also found the following scams and fraud events in their analysis.

  • Registering for 14 trial accounts with a commercial sales leads service to collect targeting data for BEC attacks
  • Filing 13 fraudulent tax returns with an online tax filing service
  • Submitting 12 change of address requests with the US Postal Service
  • Submitting 11 fraudulent Social Security benefit applications
  • Applying for unemployment benefits under nine identities in a large US state
  • Submitting applications for FEMA disaster assistance under three identities
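A service that accepts applications or sign-ups can catch this pattern by comparing addresses in a canonical form instead of as typed. The sketch below is an added example, not code from Agari or ZDNet: it strips dots from the local part of Gmail addresses only and reports every mailbox that appears under more than one spelling. The function names, the account IDs and the sample addresses are constructed for illustration, and treating googlemail.com as an alias of gmail.com goes beyond what the article covers.

```python
from collections import defaultdict

# Domains where the mailbox provider ignores dots in the local part.
# googlemail.com is treated as an alias of gmail.com (not covered by the article).
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> str:
    """Return a comparison key; dots are stripped for Gmail addresses only."""
    local, sep, domain = address.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def dotted_variant_clusters(signups, min_variants=2):
    """Group (account_id, email) pairs by canonical mailbox.

    Returns {canonical: {spelling: [account_ids]}} for each mailbox that was
    registered under at least `min_variants` distinct spellings.
    """
    by_mailbox = defaultdict(lambda: defaultdict(list))
    for account_id, email in signups:
        try:
            key = canonical_email(email)
        except ValueError:
            continue  # malformed addresses are left to ordinary input validation
        by_mailbox[key][email.strip().lower()].append(account_id)
    return {key: dict(spellings) for key, spellings in by_mailbox.items()
            if len(spellings) >= min_variants}


# Constructed sample data (not taken from the article or the Agari report).
SAMPLE_SIGNUPS = [
    ("app-1001", "jane.doe.example@gmail.com"),
    ("app-1002", "janedoe.example@gmail.com"),
    ("app-1003", "j.a.n.e.doeexample@GMAIL.com"),
    ("app-1004", "jane.doe@example.org"),  # dots are significant on other domains
    ("app-1005", "janedoe@example.org"),
]

if __name__ == "__main__":
    for mailbox, spellings in dotted_variant_clusters(SAMPLE_SIGNUPS).items():
        print(mailbox, "->", len(spellings), "spellings:", sorted(spellings))
```

Store the canonical key alongside the address the user typed, and use the key for uniqueness checks and velocity rules while still sending mail to the original spelling.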

Here are examples from Agari that show how scammers use the same variant of the email with randomly placed dots to avoid detection.

This is a scam to keep your eyes on! Thanks for reading.

Frank McKenna is the Chief Fraud Strategist for PointPredictive and a Fraud Consultant based in San Diego, California.