Exclusive: Email scammers take advantage of Gmail dot feature

An email scam outfit is taking advantage of Gmail's "dot" feature to streamline operations, according to email security firm Agari.

Gmail dots? Gmail allows users to add or subtract periods in their email addresses at will. If you own someusername@gmail.com, you will receive emails sent to some.user.name@gmail.com and s.o.m.e.u.s.e.r.n.a.m.e@gmail.com.

  • That may seem like a minor feature, but the vast majority of email providers treat each of those as different accounts. That allows you to sign up for multiple accounts on most websites, one under each of those email addresses.

Here's where the crime comes in. BEC (business email compromise) scams run many operations in parallel. If they target a government agency offering grants or tax refunds, usually that means they have to use a different address for each instance of the scam.

  • "Using the dots feature is the difference between creating 20 accounts on a website or monitoring one inbox," said Crane Hassold, senior director of threat intelligence at Agari.

The criminal group discovered by Agari, according to the official writeup, used the Google dots approach to:

  • Apply for 48 credit cards at 4 "U.S.-based financial institutions," netting at least $65,000 in fraudulent credit.
  • Register for 14 trial accounts with sales leads sites, to use those leads in other scams.
  • Fake 13 tax returns with a tax filing service.
  • Submit 12 postal change of address requests.
  • Apply 11 times for fraudulent Social Security benefits.
  • Fake 9 identities for unemployment benefits in a "large US state."
  • Submit 3 applications for FEMA disaster assistance.

All of these attacks took place in 2018 or 2019.

"We're not calling Google out with this report," said Hassold.

  • Rather, he said, he thinks searching for multiple accounts under differently dotted Gmail accounts can be a useful security tool.
  • Agari has recommended the technique to several of its clients, who, it says, report that it has been useful in finding fraudulent accounts.
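
The search Hassold describes, as an added example (not Agari's code and not from the article): normalize each signup address to the Gmail mailbox that receives it, then flag mailboxes that back several differently written addresses. The account data is constructed, the function names are hypothetical, and the handling of googlemail.com and "+" suffixes goes beyond the dots the article covers.

```python
from collections import defaultdict

# googlemail.com is an alias of gmail.com (not mentioned in the article).
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_address(address):
    """Return the mailbox an address is actually delivered to."""
    local, sep, domain = address.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    if domain in GMAIL_DOMAINS:
        # Gmail ignores dots in the local part; it also ignores a "+suffix"
        # (the "+" handling goes beyond what the article covers).
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def find_dot_variant_clusters(accounts, min_variants=2):
    """Map canonical mailbox -> [(account_id, email)] where one mailbox
    backs at least min_variants differently written addresses."""
    clusters = defaultdict(list)
    for account_id, email in accounts:
        try:
            clusters[canonical_address(email)].append((account_id, email))
        except ValueError:
            continue  # malformed addresses are skipped, not grouped
    return {
        mailbox: members
        for mailbox, members in clusters.items()
        if len({email.strip().lower() for _, email in members}) >= min_variants
    }


# Constructed sample data: (account_id, signup email).
SAMPLE_ACCOUNTS = [
    (101, "someusername@gmail.com"),
    (102, "some.user.name@gmail.com"),
    (103, "s.o.m.e.u.s.e.r.n.a.m.e@gmail.com"),
    (104, "Some.Username@googlemail.com"),
    (105, "jane.doe@example.org"),   # non-Gmail: dots are significant
    (106, "janedoe@example.org"),
    (107, "other.person@gmail.com"),  # single account, not flagged
]

if __name__ == "__main__":
    for mailbox, members in find_dot_variant_clusters(SAMPLE_ACCOUNTS).items():
        print(mailbox, [account_id for account_id, _ in members])
```

A flagged cluster is a lead for review rather than proof of fraud, since legitimate users also register with dotted variants of their own address.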