Using Gmail "Dot Addresses" to Commit Fraud


In Gmail addresses, the dots don't matter. The account "[email protected]" maps to the exact same address as "[email protected]" and "[email protected]" -- and so on. (Note: I own none of those addresses, if they are actually valid.)

This fact can be used to commit fraud:

Recently, we observed a group of BEC actors make extensive use of Gmail dot accounts to commit a large and diverse amount of fraud. Since early 2018, this group has used this fairly simple tactic to facilitate the following fraudulent activities:

  • Submit 48 credit card applications at four US-based financial institutions, resulting in the approval of at least $65,000 in fraudulent credit
  • Register for 14 trial accounts with a commercial sales leads service to collect targeting data for BEC attacks
  • File 13 fraudulent tax returns with an online tax filing service
  • Submit 12 change of address requests with the US Postal Service
  • Submit 11 fraudulent Social Security benefit applications
  • Apply for unemployment benefits under nine identities in a large US state
  • Submit applications for FEMA disaster assistance under three identities

In each case, the scammers created multiple accounts on each website within a short period of time, modifying the placement of periods in the email address for each account. Each of these accounts is associated with a different stolen identity, but all email from these services are received by the same Gmail account. Thus, the group is able to centralize and organize their fraudulent activity around a small set of email accounts, thereby increasing productivity and making it easier to continue their fraudulent behavior.

This isn't a new trick. It has been previously documented as a way to trick Netflix users.

News article.

Slashdot thread.
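
A defender-side check for the pattern described above, as an added example that is not part of the original post or the quoted report: fold Gmail dot variants to one canonical mailbox and flag mailboxes registered under several identities within a short window. The function names, the constructed sample signups, the seven-day window, and the `+tag` and `googlemail.com` folding are assumptions that go beyond what the post states.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# googlemail.com delivers to the same mailboxes as gmail.com
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

def canonical_email(addr):
    """Return the mailbox an address delivers to, folding Gmail dot variants."""
    local, sep, domain = addr.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {addr!r}")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0]  # beyond the post: Gmail also ignores "+tag"
        local = local.replace(".", "")  # dots in the local part do not matter
        domain = "gmail.com"
    return f"{local}@{domain}"          # other domains are left untouched

def flag_dot_clusters(signups, window=timedelta(days=7), min_identities=2):
    """Flag mailboxes used by several distinct identities within `window`.

    signups: iterable of (timestamp, email, identity_id) tuples.
    Returns {canonical mailbox: sorted list of address variants seen}.
    """
    by_mailbox = defaultdict(list)
    for ts, email, identity in signups:
        by_mailbox[canonical_email(email)].append((ts, email, identity))
    flagged = {}
    for mailbox, rows in by_mailbox.items():
        rows.sort()
        for i, (start, _, _) in enumerate(rows):  # sliding window over signups
            burst = [r for r in rows[i:] if r[0] - start <= window]
            if len({r[2] for r in burst}) >= min_identities:
                flagged[mailbox] = sorted({r[1] for r in burst})
                break
    return flagged

# Constructed sample data: the local part is longer than Gmail allows,
# so these addresses cannot belong to a real account.
SAMPLE_SIGNUPS = [
    (datetime(2018, 3, 1, 9, 0), "notarealmailboxconstructedsample@gmail.com", "identity-A"),
    (datetime(2018, 3, 1, 9, 20), "notarealmailbox.constructedsample@gmail.com", "identity-B"),
    (datetime(2018, 3, 2, 14, 5), "Not.A.Real.Mailbox.ConstructedSample@googlemail.com", "identity-C"),
    (datetime(2018, 3, 2, 15, 0), "first.last@example.org", "identity-D"),
    (datetime(2018, 3, 2, 15, 1), "firstlast@example.org", "identity-E"),
]

if __name__ == "__main__":
    for mailbox, variants in flag_dot_clusters(SAMPLE_SIGNUPS).items():
        print(mailbox, "<-", variants)
```

Store the canonical form alongside the address the user typed, and apply uniqueness and rate checks to the canonical form while still sending mail to the original.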

Tags: credit cards, e-mail, fraud, Gmail, scams
