Gmail Dot Address Vulnerability Still Exploited by Hackers

Hackers Continue to Exploit Gmail Dot Address Issue

Security experts at Agari warn that scammers are still abusing a legitimate Gmail feature that treats email addresses with dots as identical. Using this loophole, criminals are able to claim unemployment benefits, commit tax fraud, and bypass free trial periods on online services.

How the Gmail Dot Address Issue Works

The problem lies in the fact that Gmail ignores dots in the part of an address before the @ sign. For example, Gmail treats [email protected], [email protected], and [email protected] as the same mailbox. Scammers have long realized that this feature can be misused in ways Google never intended.

One recent example involved a malicious campaign targeting Netflix users. Scammers tricked victims into linking their bank cards to accounts registered with their own email addresses, but with dots inserted in various places.

Why This Is a Problem

Most websites—including government portals, Netflix, Amazon, eBay, and others—treat email addresses with dots as different accounts. In their systems, [email protected] and [email protected] are not the same. This discrepancy creates opportunities for fraud.

According to Agari, scammers exploited the dot address issue even more actively last year than before. Experts are tracking several hacker groups using this method. For example, just one group used 56 variations of the same Gmail address for the following activities:

  • Submitting 48 credit card applications at four U.S. banks (illegally obtaining about $65,000 in credit)
  • Registering 14 trial accounts on commercial sales platforms (to collect data for future BEC attacks)
  • Filing 13 fake tax returns through online services
  • Filing 12 change-of-address requests with the U.S. Postal Service
  • Submitting 11 fraudulent applications for social benefits
  • Applying for unemployment benefits in various states under nine different “identities”
  • Applying for disaster relief under three different “identities”

Why Hackers Use This Method

Researchers note that this approach allows criminals to link various illegal activities to a single Gmail address, “increasing the efficiency of their operations.”

Other Gmail Features That Can Be Abused

The dot issue isn’t the only Gmail feature that could pose risks for users. Gmail also ignores anything after a plus sign (“+”) in the address. For example, [email protected] is treated the same as [email protected]. Additionally, the legacy domain @googlemail.com still works, so emails sent to [email protected] will arrive at [email protected].
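The practical defence for a site operator is to canonicalise addresses before checking whether an account already exists, so that the dot, plus-tag and googlemail.com variants described above all collapse to one key. The following Python is an added example written for this page, not code from Agari or Google; the sign-up records it groups are constructed, and the reuse threshold of three spellings is an arbitrary assumption a real system would tune.

```python
"""Canonicalise Gmail addresses so that dot, plus-tag and googlemail.com
variants collapse to one key, then flag sign-ups that reuse one mailbox
under several spellings. Added example, not from the original article."""
from collections import defaultdict

# Domains Google delivers to the same mailbox (gmail.com and its legacy alias).
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_gmail(address: str) -> str:
    """Return a canonical key for an e-mail address.

    For Gmail-hosted addresses the local part has dots removed, anything from
    the first '+' onward dropped, and the legacy googlemail.com domain mapped
    to gmail.com. Other domains are only lower-cased and stripped, because
    those providers generally treat dotted variants as distinct mailboxes.
    """
    addr = address.strip().lower()
    if addr.count("@") != 1:
        raise ValueError(f"not a single-@ address: {address!r}")
    local, domain = addr.split("@")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def group_by_mailbox(signups):
    """Map canonical mailbox -> list of (address, service) sign-up records."""
    groups = defaultdict(list)
    for address, service in signups:
        groups[canonical_gmail(address)].append((address, service))
    return dict(groups)


def flag_reuse(signups, threshold=3):
    """Return mailboxes seen under at least `threshold` distinct spellings.

    A single mailbox registering many services under different spellings is
    the pattern described in the article (assumed threshold: 3 spellings).
    """
    flagged = {}
    for key, entries in group_by_mailbox(signups).items():
        spellings = {addr.strip().lower() for addr, _ in entries}
        if len(spellings) >= threshold:
            flagged[key] = sorted(spellings)
    return flagged


# Constructed sample records (address, service); not real data.
SAMPLE_SIGNUPS = [
    ("jane.doe@gmail.com", "bank-a"),
    ("j.ane.doe@gmail.com", "bank-b"),
    ("janedoe+trial1@gmail.com", "saas-trial"),
    ("Jane.Doe@googlemail.com", "tax-portal"),
    ("jane.doe@example.org", "bank-a"),
    ("j.doe@example.org", "bank-a"),
]

if __name__ == "__main__":
    for key, spellings in flag_reuse(SAMPLE_SIGNUPS).items():
        print(f"{key} registered under {len(spellings)} spellings: {spellings}")
```

Run the canonicaliser at account creation (and when a payment card or identity document is linked), store the canonical key alongside the raw address, and enforce uniqueness on the key rather than on the raw string; the grouping function is the same logic applied retrospectively to existing records.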

Fortunately, scammers haven’t widely exploited these other Gmail features yet. However, cybersecurity experts warn that these characteristics could further expand criminals’ toolkits and cause as many problems as the dot address issue.
