Using Gmail "Dot Addresses" to Commit Fraud

In Gmail addresses, the dots don’t matter. The account “” maps to the exact same address as “” and “” — and so on. (Note: I own none of those addresses, if they are actually valid.)

This fact can be used to commit fraud:

Recently, we observed a group of BEC actors make extensive use of Gmail dot accounts to commit a large and diverse amount of fraud. Since early 2018, this group has used this fairly simple tactic to facilitate the following fraudulent activities:

  • Submit 48 credit card applications at four US-based financial institutions, resulting in the approval of at least $65,000 in fraudulent credit
  • Register for 14 trial accounts with a commercial sales leads service to collect targeting data for BEC attacks
  • File 13 fraudulent tax returns with an online tax filing service
  • Submit 12 change of address requests with the US Postal Service
  • Submit 11 fraudulent Social Security benefit applications
  • Apply for unemployment benefits under nine identities in a large US state
  • Submit applications for FEMA disaster assistance under three identities

In each case, the scammers created multiple accounts on each website within a short period of time, modifying the placement of periods in the email address for each account. Each of these accounts is associated with a different stolen identity, but all email from these services are received by the same Gmail account. Thus, the group is able to centralize and organize their fraudulent activity around a small set of email accounts, thereby increasing productivity and making it easier to continue their fraudulent behavior.

This isn’t a new trick. It has been previously documented as a way to trick Netflix users.

News article.

Slashdot thread.
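The pattern quoted above (several accounts opened within a short window whose addresses differ only in dot placement) suggests a simple defender-side check; the code below is an added example, not part of the original post or the report it quotes. It normalizes only consumer Gmail addresses (other hosts assign their own local-part semantics, so their local parts are kept verbatim), then groups signups by the mailbox that actually receives the mail; the signup records are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Consumer Google accounts: dots in the local part are ignored and "+tag" is a
# subaddress. This is NOT true for other providers (RFC 5321 leaves local-part
# semantics to the receiving host), nor for G Suite-hosted domains, so the
# aggressive normalization is applied to these two domains only.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_address(address: str) -> str:
    """Map an address to the mailbox that will actually receive its mail.

    Gmail: lowercase, drop "+tag", drop every dot, fold googlemail -> gmail.
    Everything else: lowercase the domain only; the local part is kept verbatim
    because we cannot assume two differing local parts are the same mailbox.
    """
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    domain = domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.lower().split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def find_shared_mailboxes(signups, window=timedelta(days=7), min_accounts=3):
    """Return {canonical mailbox: signup events} for every mailbox that was
    used to open `min_accounts` or more accounts within any `window`.

    `signups` is an iterable of (identity_name, email, timestamp)."""
    by_mailbox = defaultdict(list)
    for name, email, ts in signups:
        by_mailbox[canonical_address(email)].append((ts, name, email))

    flagged = {}
    for mailbox, events in by_mailbox.items():
        events.sort()  # by timestamp
        start = 0
        for end in range(len(events)):
            # shrink the window from the left until it spans <= `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= min_accounts:
                flagged[mailbox] = events
                break
    return flagged


# Constructed sample: three "different" applicants share one Gmail mailbox,
# while the two example.com addresses are genuinely distinct mailboxes.
SAMPLE_SIGNUPS = [
    ("Alice Adams", "alice.adams@example.com", datetime(2018, 3, 1, 9, 0)),
    ("Mary Smith", "ma.ry.smith@gmail.com", datetime(2018, 3, 1, 10, 0)),
    ("Bob Adams", "al.ice.adams@example.com", datetime(2018, 3, 2, 9, 0)),
    ("Jane Brown", "M.arysmith@googlemail.com", datetime(2018, 3, 2, 11, 30)),
    ("Carla White", "marysmith+cc@gmail.com", datetime(2018, 3, 3, 8, 15)),
]

if __name__ == "__main__":
    for mailbox, events in find_shared_mailboxes(SAMPLE_SIGNUPS).items():
        print(f"{mailbox}: {len(events)} accounts")
        for ts, name, email in events:
            print(f"  {ts:%Y-%m-%d %H:%M}  {name:<12} {email}")
```

A hit is a signal for human review rather than an automatic rejection, since one person may legitimately use several tagged variants of their own mailbox.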

Posted on February 6, 2019 at 10:24 AM • 40 Comments


Don February 6, 2019 10:56 AM

You can also use a plus sign in the address after the username, before the @ to add a customizable code. and and all go to the address and then filter into a folder based on what is after the plus sign. Infinite customizable email addresses, not even limited to how many dots you can put between letters (although you can count in binary with the dots and have hundreds of combinations, the plus code is a lot easier on the human mind).

Frank February 6, 2019 11:03 AM

If I use a gmail account like ‘’ and include a dot and use it to create an account for say Amazon and only use ‘’ for, does this not help avoid fraud when the Amazon gmail account password is different?

What’s the difference when email services also allow aliases, compared to gmail DOTs? (periods)

Add or remove an email alias in
“If you want to use a new email address with your existing account, follow the instructions in this article to create an email alias. This will give you an additional email address that uses the same inbox, contact list, and account settings as your primary email address. You can choose which email address to send mail from, and you can sign in to your account with any of your aliases—they all use the same password.”

Fake Bruce February 6, 2019 11:26 AM

(Note: I own none of those addresses, if they are actually valid.)

But now we know to register that address so we can all pretend to be Bruce!

Nick Nolan February 6, 2019 12:07 PM

There is a difference between local-part normalization and subaddressing (using a plus sign).

Anything-goes local-part normalization is a mistake in email standards, at least in retrospect. The receiver can’t make any assumptions about two local parts being the same email address unless they match exactly. The host specified part can be case sensitive or not, ignore dots or not, ignore characters after some specified length, ignore numbers or some letters.

Subaddressing is defined well enough. Everything before the + sign identifies the address; after the + sign is the subaddress.

Andy Lee Robinson February 6, 2019 12:10 PM

There’s a special place in hell for whoever dreamed this up.
So now every mail client and web form on the planet should be modified to execute a s/.//g on the user part of the address to ensure uniqueness for any gmail address before any further validation is performed.
Simply rejecting emails with more than 2 dots would help, but there’s still a lot of combinations available using 2 dots.
Still, this attack method can be mitigated and probably eradicated by flagging for human oversight.

Jordan February 6, 2019 12:47 PM

If they couldn’t do this, they would have to… create 48 distinct accounts.

Oh, wow. That would stop them.

Being able to funnel the mail into one mailbox is a convenience for the villains, sure, but it’s actually a security risk for them. It makes it easier for the businesses to find all of the affected accounts, once one is discovered.

David Ramos February 6, 2019 12:48 PM

Maybe the real problem here is using email addresses as identifiers. The ‘spec’ clearly allows Google to use dots as they do. It seems to me that assumptions were made (by everyone) about email addresses that are not true. As has been pointed out, other email services allow aliases. This particular exploit is interesting because of its ease and number of possible combinations. Aliases require an extra step.
I would hesitate to place blame solely on Google. This is an example of an exploit stemming from the complex interactions of systems that were not necessarily designed for the purpose they are being used for. Is there a way to fix this? Could it have been prevented?

Daniel Joubert February 6, 2019 1:16 PM

I don’t think it is a security issue or exploit on Google’s side. As stated: “…thereby increasing productivity.”
It just makes committing fraud easier.

dzek February 6, 2019 1:49 PM

Aaaand… where is the problem? Or Gmail’s fault?

Do you know that you could use free hosting with a custom (free) domain and the catch-all trick, making available in a single inbox.

You’re using free stuff so you’re not leaving any real data to get access to such mail (Gmail sometimes requires a valid phone number for example)

even more “shady” (if you like to be suspicious about anything)

yet it’s available for everyone for free

Peter February 6, 2019 2:34 PM

Item 1 in “fraudulent activity” list is

Submit 48 credit card applications at four US-based financial institutions, resulting in the approval of at least $65,000 in fraudulent credit

I find that hard to believe until verified.
It takes more than an email address to have a credit card application approved.

A February 6, 2019 5:51 PM

Or, you know, they could just create a new gmail account for each crime, and use gmail’s email forwarding feature to forward all the email to a single central email address…. They could even flag it with in the forwarding address.

What am I missing here?

(required) February 6, 2019 8:16 PM

(Note: I own none of those addresses, if they are actually valid.)

Shouldn’t you? Just to lock them off as possible annoyances? It would take an hour.

Finder February 6, 2019 9:37 PM

How is it possible that such a contrarian “convention” could be made default on a major email solution like Gmail? IGNORE the DOTS? Seriously. Who put their John Hancock on that decision? I want a name, that’s ridiculous.

RealFakeNews February 6, 2019 9:44 PM

The first time I read this I couldn’t see the problem.

I still can’t see the problem.

The e-mail address can be, in effect, malformed so the target system where it is used (e.g. for log-in), can be fooled into thinking they are distinct addresses, while GMail treats them all as the same.

Big deal.

The real issue is how scammers managed to gain $65000 of credit using this method.

I agree that if GMail treats my.address@gmail the same as m.y.address@gmail that all systems should be configured to strip periods and everything after the + from GMail addresses to prevent duplication.

Beyond that…it’s not really a problem.

Weather February 6, 2019 11:17 PM

Ha I get it, it adds one to a buffer and counter, but another counter nothing,
Maybe with a debugger there could be a Google. Com hack

Jane February 7, 2019 7:41 AM

How is this a problem with the email spec or any email provider??

As others have mentioned — it is no different from using throw-away addresses and forwarding them to a single address.

I am surprised that this feature appears to be “news” to so many posters here. This used to be the recommended practice to find out which retailers are spamming you the most! I still use a throw-away address and put the dots in different positions to create forward and spam rules.

Jordan February 7, 2019 11:03 AM

After a while in a company where mailing list names had words separated by dashes, underscores, or periods – sometimes mixed in one name – I’ve started to be fond of the idea of ignoring all punctuation.

From a human perspective, it seems very likely that fred.flintstone, fred_flintstone, and fredflintstone are all intended to refer to the same person… and that if you let them refer to different people, you’re probably not doing any of them a favor.

Cindy February 7, 2019 11:46 AM

While not fraud, this explains why I repeatedly get emails, sometimes important ones involving employment applications and bank accounts, for others with similar names. They must be creating gmail addresses with periods that then resolve to an address without them, mine. Am I understanding this correctly?

I always liked the fact that I had an easy email address, but I’m thinking I should change it to something a bit more complicated. Gmail really should do something about this.

Mrs. Hygeia, Grade 1 teacher February 7, 2019 12:39 PM

Report Card

General comments

Little Google needs to work harder on playing nicely with others. Failure to abide by friendly rules such as “accept widely, emit narrowly” needlessly disturbs the class.

Jeremy February 7, 2019 2:48 PM

Like several other commenters, I don’t see how this is a security story. If I’m understanding correctly, no part of the fraud would have become impossible if Gmail worked differently.

This seems like writing about how bank robbers wear comfortable shoes or burglars use contact lenses. They are using the tech in the way it was designed to be used; they just happen to ALSO be committing crimes at the same time.

If you are running a web site where a single person signing up for multiple accounts would pose a problem, then you shouldn’t be relying on email addresses to check whether two accounts belong to the same person.

John Doe February 7, 2019 3:46 PM

Sounds like edge case problems to me. I use symbols extensively to make unique addresses for the same mailbox and I consider it a feature. Banning dots on the Gmail service would just force the scammers to switch services or buy a domain and use catch-all emails. By the way, email addresses with a custom domain have a lower fraud rating so this would benefit attackers. In the case of an attacker signing up multiple Netflix accounts on the same mailbox, that’s on Netflix for failing to use email confirmations.

Isterband February 7, 2019 3:58 PM

I don’t get it. How does this work?

Here from the blog post:
“In each case, the scammers created multiple accounts on each website within a short period of time, modifying the placement of periods in the email address for each account.”

What are those “on each website”? and and

“Each of these accounts is associated with a different stolen identity, but all email from these services are received by the same Gmail account.”
What does that mean? What is it to be “received” by the same Gmail account?

“Thus, the group is able to centralize and organize their fraudulent activity around a small set of email accounts, thereby increasing productivity and making it easier to continue their fraudulent behavior.”
How does a small set of email (gmail?) accounts increase productivity? How does a gigantic set of email accounts decrease productivity?

I don’t understand this at all. Who does what with which accounts and why? And what does the different way of typing a gmail account have to do with it? And the short period of time? I think the explanation severely lacks clarity. Who is the target and where lies the fraud? Can a gmail user become a victim or are those “each websites” the victims?

Rombobjörn February 7, 2019 4:43 PM

Everyone who believed that two different email addresses can never belong to the same person, please raise a hand.

Adi February 7, 2019 6:16 PM

With a dedicated domain hosted with Google you don’t even need dots or plus-aliased addresses. Gmail has an improved version of this for GSuite domain users: wildcard mailboxes.

You can designate one of the domain accounts to act as a catch-all and you can then have single-purpose-use-only addresses, just like the plus-aliased ones but without giving any clue that the address is a dynamic alias.

This is all pretty much according to the SMTP standard, RFC 5321, section 2.3.11 which says:

As used in this specification, an “address” is a character string that identifies a user to whom mail will be sent or a location into which mail will be deposited. The term “mailbox” refers to that depository. The two terms are typically used interchangeably unless the distinction between the location in which mail is placed (the mailbox) and a reference to it (the address) is important. An address normally consists of user and domain specifications. The standard mailbox naming convention is defined to be “local-part@domain”; contemporary usage permits a much broader set of applications than simple “user names”. Consequently, and due to a long history of problems when intermediate hosts have attempted to optimize transport by modifying them, the local-part MUST be interpreted and assigned semantics only by the host specified in the domain part of the address.

Marc T February 7, 2019 7:03 PM

@Cindy: No, those people (whose misdirected email you’re receiving) made some other mistake, or – more likely – they dictated their email address to somebody over the phone, and they screwed up. This happens to me frequently – there appear to be about 20 people in the US with my first and last names, and at least two of them keep signing up for stuff with my address instead of their own.

Assuming that your name is Cindy Jones, and that your address is
– If I send mail to, or, or any other variation of your address that just adds or subtracts dots, it will be delivered to your address.
– If you, or I, or anybody else, tries to sign up for a new GMail account as “cindyjones”, “c.i.n.d.y.jones”, etc. – they will be told that that account is already taken.

However, if some other Cindy Jones (let’s call her Cindy Lou Jones) has the address BUT she forgets to type the “l” when she’s filling out the leasing form, her mail will be delivered to you. Machines can’t read minds, after all (yet.)

WaitAMinute February 7, 2019 8:39 PM

In most of the cases mentioned, the gmail “quirk” just makes fraud easier for the perps. The REAL problem – and responsibility – lies with those getting defrauded (e.g. the bank issuing fraudulent credit, USPS address changes, SSA benefits, etc.): these organizations clearly don’t have appropriate identity vetting policies and procedures in place.

Regarding the Netflix fraud in the linked article, the REAL problem there is that in order for it to work, someone has to click on a link in an email message sent to them. DON’T EVER CLICK ON LINKS IN EMAIL MESSAGES! Esp. for email messages beckoning impending doom.

Remember, there is no such thing as “Identity Theft” – it’s just fraud.

Jonah February 8, 2019 9:28 AM

Bruce, just wanted to leave a general comment. I’ve watched numerous interviews and talks you’ve given. I love your philosophies on trust and security. I don’t know if you’ll read this or see this. But I really believe you could try to reach out to Joe Rogan and do a podcast with him. Seriously, it would be dynamite. He just had Jack Dorsey on recently talking about twitter, bitcoin, game theory etc. and perhaps you could add some counterpoint to that discussion. I’m taking it on as a personal campaign to try to make this happen. Maybe you don’t want to and if that’s the case then please let me know. I just think your thoughts are extremely valuable and Joe’s podcast is the perfect platform for more people to hear a free discussion about these things.

Jonah (just a random guy who had an idea that Bruce Schneier could do a podcast with Joe Rogan, I’m not affiliated with Joe, or anybody or any company related to his podcast.)

vas pup February 8, 2019 11:39 AM

Do you think that the Google/gmail phone service which lets you spoof caller ID also facilitates fraud and other actions of bad actors?
Looks like with all its billions of capitalization the Company has a huge gap in efforts to get close to its declared motto ‘Don’t be evil’ regarding privacy. The FTC is in a state of hibernation on that issue – just an observation.

Not a problem February 8, 2019 1:21 PM

To be clear: yes, the dots (or plusses, as some have pointed out) do make it easier to commit fraud…. however, they are not the cause of fraud, and removing that ability would not stem the tide of fraud in the slightest…

Has anyone heard of regular good old fashioned email aliases? Or even multiple accounts, where one is forwarded to another, or they are somehow linked in some way? Or even, the ability to change your email address? Or Just having multiple plain old regular email accounts? This is common! Always has been, since email was first invented!

The issue is when programmers and institutions create systems that use an email address as a unique identifier for a person, when it’s really important that the individuals be unique! Don’t trust such easily changeable things to be truly guaranteed unique per person! Just don’t do it. I mean, it’s so obvious and plain as the nose on your face!

biff February 14, 2019 9:14 AM

I’m old enough to remember when this feature was first implemented, and security experts lauded it as a tool for fighting spammers and other unsavory characters, e.g. sign up for services using one variant of the address and then apply filters to redirect incoming mail to junk or other folders based on the variant.

As an aside, the “gmail dot trick” does not work with G Suite email addresses. It only works with plain, consumer addresses.

Maki February 18, 2019 2:28 AM

I think this behaviour is the right choice by google.
The risk of fraud in the alternative scenario is far greater. Better to allow people to differentiate addresses for these shared email services using additional letters or numbers than the use of periods.
This is the behaviour I would prefer as the account holder, as I would receive all mail to these addresses that can easily be mistaken for mine, and I can act on the information if I choose to.

