Marketing

BEC scammers use Gmail’s ‘Dots don’t matter’ policy to scale up fraud

Credit: ID 83163365 © Gstudioimagen | Dreamstime.com

Scammers are using the fact that Google’s Gmail ignores extra dots in an email address to pull off large scale email scams. 

Google’s so-called “Dots don’t matter” policy is designed to be helpful for consumers and even protect them from scammers creating a dotted version of their account. Google rejects any request to establish an existing email address with extra dots. For example, if a user already has the address [email protected] no one else can sign-up for [email protected] Likewise, Google ignores extra dots when someone else adds them in an email to the account.  

But researchers at security firm Agari report that a business email compromise (BEC) fraud group is using  Google’s policy to scale up fraudulent activities. Other places including banks, government agencies, and online services, like Netflix, do recognize dot-based variants of the same Gmail address as unique identities. The scammers frequently quickly create multiple accounts at a service using dots placed at various points in what Google considers the same Gmail address. 

Scammers have used this to open multiple fraudulent credit card accounts. In one instance, a scammer used dot Gmail accounts to open 22 separate credit applications that resulted in $65,000 in credit card fraud. 

The scaling up part of the dot scam is due to Gmail sending all responses regarding multiple credit card applications by supposed different identities to the same email address. This allows for more efficient monitoring by the scammer.