Loan Scammers Play With Email Dots

Did you know if you send an email to myname@gmail.com or my.name@gmail.com or myna.me@gmail.com, they would all go to the same place? Scammers do. In a recent bombshell report published by the SBA and OIG, $200 billion in PPP/EIDL fraud was accomplished through a number of common techniques, one of which appears to be through the manipulation of email addresses.

Some mail servers, including Gmail’s for example, ignore the dots, a feature likely built in because periods are commonly used as concatenation operators to join two strings in programming. Reader’s Digest recently called this “The Gmail Trick That’s Been Around for 15 Years—But Few People Know About It.”

“Any combination of your e-mail address and those little dots is sent to the exact same inbox. You own all dotted versions of your address,” RD wrote.

The implications of this, however, are that scammers can potentially bypass systems that rely on e-mail addresses as a primary form of verification or identity. Both scammer@gmail.com and scam.mer@gmail.com could have separate accounts in one system even though it’s the same email address. This method is useful to scammers because they do not have to register additional gmail accounts, which could potentially trigger additional unnecessary verifications or reviews from Google for suspicious activity. Instead, they can rely on the single account.

Furthermore, the SBA report said that aliases or email forwarding or disposable email addresses are also used in fraud and are a fraud indicator.

“Using an alias technique to add an extension to an existing email address through use of a dash (-) or plus (+) that resolve to the same email (e.g., username-123@gmail.com or username+bob@gmail.com both resolve to username@gmail.com)” was something that the SBA analyzed in its fraud investigation. “Using a disposable email service to remain anonymous by receiving emails at a temporary address that may self-destruct after a certain time elapses” is another technique that was examined.

Is your system checking for dots in gmail addresses? If they weren’t before, they should now!