How Cybercriminals Are Abusing The Gmail's Secret Dot Feature

Gmail’s not-so-famous “dot” feature redirects emails to the same account where they are intended even if by mistake a dot (period) is inserted in a recipient’s email ID. This has given cybercriminals a chance to manipulate the feature for illegal gains. They have been using this to commit crimes like filing fake tax returns, using government agencies for financial gains or to extend the trial periods of online services. According to reports, these crimes have been taking place since early 2018.

The Gmail dot feature fraud was first reported by Axios and discovered by Agari, a security firm. The purpose of introducing this feature is that email is sent to the right recipient even if by mistake a dot or period is entered into an email address. For example, if an email is to be sent to xyz@gmail.com but ID is typed as x.yz@gmail.com, Gmail will still send to the right address where it is intended. The situation could be another way around as well, that there is a dot but it is not inserted somehow.

Gmail is some of those service provider that can make email addresses indistinguishable, by making email’s each dot variant as a separate one. Many people have used this feature to create different emails to create an account on the same platform again and again, like Netflix for a one-month free trial.
Related: Is Your Email Address Affected By A Massive Data Leak?
According to the reports of a security firm, around $65000 has been looted from four different banks of US by exploiting the dot feature. In addition to this, 14 trial accounts have been registered, 13 fraud tax file returns were submitted to online tax filing service and 12 times postal address change requests were made. This has been used in other ways as well to avail financial allowances, like unemployment or disaster assistance, using different identities.

56 variants of the same email address of an individual were found by cybersecurity experts. All the emails which were intended for someone else were sent to the same account, making it easier for cybercriminals to misuse the feature.

Crane Hassold, a senior Director of Threat research at Agari said dot feature is one of many other Gmail options that is exploited by scammers, including the plus sign which redirects username+randomword@gmail.com emails to username@gmail.com. But so far other features are not as much exploited as the dot feature is by the cybercriminals.

Bad Actors Exploiting Gmail “Dot Accounts” for Fun and Profit
Photo: stockcam via Getty Images

Also Read: How To Be A Gmail Power User [INFOGRAPHIC]
Previous Post Next Post