BEC Actors Exploiting Gmail “Dot Accounts” for Fun and Profit

Taking Advantage of Dot Accounts

By utilizing this feature — which we will call Gmail “dot accounts” — these threat actors are able to scale their operations by opening multiple fraudulent credit card accounts, which they then use to file for fraudulent unemployment benefits, file fake tax returns, and bypass trial periods for online information providers. In one case, a scammer was able to submit twenty-two separate applications, each under a different identity, and successfully open over $65,000 in fraudulent credit cards at a single financial institution.

Scaling Scam

Warnings about the dangers associated with this feature have previously been published by other researchers. While all dot variants of a Gmail account direct all email to the same inbox, a vast majority of the rest of the Internet treats each variant as a distinctly separate email address, associated with a unique separate account and identity. For example, if I sign up for a Netflix account using the email address badguy007[at] and then again with b.adg.uy007[at], Netflix — like most other online services — would think that these are two different accounts linked to two different people. This is where, and how, cybercriminals are able to take advantage.

  • Submit 48 credit card applications at four US-based financial institutions, resulting in the approval of at least $65,000 in fraudulent credit
  • Register for 14 trial accounts with a commercial sales leads service to collect targeting data for BEC attacks
  • File 13 fraudulent tax returns with an online tax filing service
  • Submit 12 change of address requests with the US Postal Service
  • Submit 11 fraudulent Social Security benefit applications
  • Apply for unemployment benefits under nine identities in a large US state
  • Submit applications for FEMA disaster assistance under three identities
Google Dot Accounts Used to Create Trial Accounts on a Commercial Sales Leads Service
Google Dot Accounts Used to File Fraudulent Tax Returns



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


Agari is the Trusted Email Identity Company™, protecting companies and people from phishing and socially-engineered email attacks.