Scammers are using the fact that Google’s Gmail ignores extra dots in an email address to pull off large scale email scams.
Google’s so-called “Dots don’t matter” policy is designed to be helpful for consumers and even protect them from scammers creating a dotted version of their account. Google rejects any request to establish an existing email address with extra dots. For example, if a user already has the address firstname.lastname@example.org no one else can sign-up for email@example.com. Likewise, Google ignores extra dots when someone else adds them in an email to the account.
But researchers at security firm Agari report that a business email compromise (BEC) fraud group is using Google's policy to scale up fraudulent activities. Other places including banks, government agencies, and online services, like Netflix, do recognize dot-based variants of the same Gmail address as unique identities. The scammers frequently quickly create multiple accounts at a service using dots placed at various points in what Google considers the same Gmail address.
Scammers have used this to open multiple fraudulent credit card accounts. In one instance, a scammer used dot Gmail accounts to open 22 separate credit applications that resulted in $65,000 in credit card fraud.
The scaling up part of the dot scam is due to Gmail sending all responses regarding multiple credit card applications by supposed different identities to the same email address. This allows for more efficient monitoring by the scammer.
A similar fraud problem with Google’s policy on ignoring dots in Gmail addresses was raised last year by developer Jim Fischer who received a legitimate Netflix email notification to his Gmail account advising him to update his payment details.
The scammer had used a dot variant of his real Gmail address and likely hoped he would click the link and update the Netflix account with his credit card details. Fischer recognized the number didn't align with any of his previous cards, however if the victim does do update payment details, the scammer then changes the email address tied to that Netflix account and blocks the payer’s access, while the scammer enjoy free access.
The BEC scammers have been using the technique in multiple scams since early 2018, according to Agari. These include using dot Gmail accounts to:
- Submit 48 credit card applications at four US-based financial institutions, resulting in the approval of at least $65,000 in fraudulent credit
- Register for 14 trial accounts with a commercial sales leads service to collect targeting data for BEC attacks
- File 13 fraudulent tax returns with an online tax filing service
- Submit 12 change of address requests with the US Postal Service
- Submit 11 fraudulent Social Security benefit applications
- Apply for unemployment benefits under nine identities in a large US state
- Submit applications for FEMA disaster assistance under three identities
“In each case, the scammers created multiple accounts on each website within a short period of time, modifying the placement of periods in the email address for each account. Each of these accounts is associated with a different stolen identity, but all email from these services are received by the same Gmail account," explained Ronnie Tokazowski from Agari.
"Thus, the group is able to centralize and organize their fraudulent activity around a small set of email accounts, thereby increasing productivity and making it easier to continue their fraudulent behavior.”