Scams exploiting “dots don’t matter” in Gmail continue
Cybercriminals continue to run phishing and BEC (Business Email Compromise) scams that exploit the fact that, in Google's own words, “dots don’t matter in Gmail addresses”. Crooks have taken advantage of what is meant to be a security measure, one that prevents others from registering an email address that looks like yours.
What is “dots don't matter” in Gmail?
The feature (or vulnerability?) exists because Gmail ignores dots in the part of the address before the “@”: every dotted variation of a username routes to the same mailbox, so none of those variations can be registered as a separate account.
“If anyone tries to create a Gmail account with a dotted version of your username, they’ll get an error saying the username is already taken. For example, if your address is johnsmith@gmail.com, no one can sign up for john.smith@gmail.com”, says a Google Help page.
How the “dots don't matter” scam works
The scam is used for different purposes, from creating new credit card applications to signing up for online services.
In general, frauds involving dots in Gmail are built to make the scam easy to manage, concentrating many different attacks and actions in a single mailbox. It’s the rule of the least effort for the greatest gain.
In addition, criminals can take advantage of “dots don’t matter” in another way, by inducing legitimate Gmail users to provide confidential information, such as credit card data.
How? Example: fraudsters create a new account on a website using a dotted variation of the victim’s Gmail address and an invalid credit card. When the payment fails, the website sends an email to the legitimate user asking them to update the payment information. Once the victim does so, the crook can access the victim’s payment details or use the service at their expense.
Cases like this have already been published on the internet. In the post “The dots do matter: how to scam a Gmail user”, the developer Jim Fisher addressed the issue using Netflix as an example.
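The mechanics above boil down to one fact: many spellings, one mailbox. The Python below is an added example (not code from the article, Google, or Jim Fisher) showing the two checks a defender can build on that fact: a website deduplicating registrations by the mailbox they actually deliver to, and a recipient noticing that a message was addressed to a dotted variant of their own address. Beyond the article, it also folds in Gmail’s documented “+tag” plus-addressing and the googlemail.com alias, which route to the same mailbox in the same way. All sample addresses are constructed.

```python
from collections import defaultdict

# Google delivers both of these domains to the same mailbox.
GOOGLE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_gmail(address: str) -> str:
    """Return the mailbox an address really routes to.

    For Google addresses, dots in the local part are ignored and a "+tag"
    suffix is dropped (plus-addressing is Gmail behaviour not covered by the
    article, included here for completeness). Other domains are only
    lowercased, because dots are significant there.
    """
    addr = address.strip().lower()
    if addr.count("@") != 1:
        raise ValueError(f"not a single-mailbox address: {address!r}")
    local, domain = addr.split("@")
    if domain in GOOGLE_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def find_shared_mailboxes(signups):
    """Group registered accounts by the mailbox they deliver to.

    Returns {canonical_address: [original spellings]} for every mailbox that
    owns more than one account; this is the pattern the article describes,
    many scam accounts managed from one inbox.
    """
    groups = defaultdict(list)
    for addr in signups:
        groups[canonical_gmail(addr)].append(addr)
    return {k: v for k, v in groups.items() if len(v) > 1}


def is_dotted_variant(header_to: str, my_address: str) -> bool:
    """True when a message was sent to my mailbox but under a spelling I do
    not use, the warning sign the article tells recipients to look for."""
    same_mailbox = canonical_gmail(header_to) == canonical_gmail(my_address)
    same_spelling = header_to.strip().lower() == my_address.strip().lower()
    return same_mailbox and not same_spelling


# Constructed sample data: registrations seen by a hypothetical streaming site.
SIGNUPS = [
    "john.smith@gmail.com",
    "jo.hn.smith@gmail.com",
    "johnsmith+promo@gmail.com",
    "alice@example.org",
    "a.lice@example.org",  # not Gmail: a genuinely different address
]

if __name__ == "__main__":
    for mailbox, accounts in find_shared_mailboxes(SIGNUPS).items():
        print(f"{mailbox}: {len(accounts)} accounts -> {accounts}")
    # A payment-failure email addressed to a spelling the user never registered.
    print(is_dotted_variant("j.ohn.smith@gmail.com", "john.smith@gmail.com"))
```

Running it reports that `johnsmith@gmail.com` owns three registrations while the two example.org addresses stay separate, and flags the oddly dotted recipient. The same canonicalisation is what a site needs before enforcing a one-account-per-mailbox rule or before deciding whether a “please update your payment details” email is really going to the person who signed up.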
How to avoid the scam
Our recommendation in this case is to stay alert and carefully analyze the content of the emails you receive. Pay attention both to the address that sent the message and to the address it was sent to, keeping in mind that there are many techniques for falsifying headers and content.