Scammer Groups Are Exploiting Gmail 'Dot Accounts' For Online Fraud (zdnet.com)
Cyber-criminal groups are exploiting a Gmail feature to file for fraudulent unemployment benefits, file fake tax returns, and bypass trial periods for online services. From a report: The trick is an old one and has been used in the past. It refers to Gmail's "dot accounts," a feature of Gmail addresses that ignores dot characters inside Gmail usernames, regardless of their placement. For example, Google considers john.doe@gmail.com, jo.hn.doe@gmail.com, and johndoe@gmail.com as the same Gmail address. Regular users have been using this feature for years to register free trial accounts at online services using the same email address, but spelled out in different ways.
In a report published today, the team at email security firm Agari says it saw criminal groups use dotted Gmail addresses in many more places all last year. In an example included in their report, Agari said it saw one group in particular use 56 "dotted" variations of a Gmail address to, among other things, submit 48 credit card applications at four US-based financial institutions, resulting in the approval of at least $65,000 in fraudulent credit.
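As an added example (not from the ZDNet or Agari reports), here is one way a service could collapse the dotted Gmail spellings described above into a single key and flag sign-ups that share it. It goes beyond the text by also folding `+tag` suffixes and `googlemail.com`, which Gmail likewise delivers to the same mailbox; the function names and sample records are constructed for illustration.

```python
from collections import defaultdict

# Domains whose local part ignores dots (googlemail.com is Google's alias for gmail.com).
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> str:
    """Return a comparison key; every Gmail spelling of one mailbox maps to the same key."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    # Lower-casing the local part is an assumption that holds for Gmail and most providers.
    local, domain = local.lower(), domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")  # drop +tag, then dots
        domain = "gmail.com"
    return f"{local}@{domain}"


def find_dot_variant_clusters(signups, threshold=2):
    """Group (account_id, email) pairs by canonical address.

    Returns {canonical: [(account_id, email), ...]} only for keys that were
    reached through at least `threshold` distinct spellings.
    """
    clusters = defaultdict(list)
    for account_id, email in signups:
        clusters[canonical_email(email)].append((account_id, email))
    return {
        key: rows
        for key, rows in clusters.items()
        if len({email.lower() for _, email in rows}) >= threshold
    }


# Constructed sample records; account ids are hypothetical.
SAMPLE_SIGNUPS = [
    ("app-1001", "john.doe@gmail.com"),
    ("app-1002", "jo.hn.doe@gmail.com"),
    ("app-1003", "johndoe@gmail.com"),
    ("app-1004", "John.Doe@gmail.com"),
    ("app-1005", "john.doe@example.com"),  # dots are significant outside Gmail
    ("app-1006", "johndoe@example.com"),
    ("app-1007", "alice@gmail.com"),
]

if __name__ == "__main__":
    for key, rows in find_dot_variant_clusters(SAMPLE_SIGNUPS).items():
        print(key, "<-", [email for _, email in rows])
```

A shared key is a signal to review, not proof of fraud, and it does nothing against aliases on a domain the applicant controls.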
Why the heck are these companies assuming that just because the email is different it is a different person?
Anyone could just own a domain and set up an unlimited number of aliases to a single address without exploiting any stupid weirdness Google created.
Yeah, I use about a dozen different e-mail addresses. I'm clearly not 12 people. I'm not even 12 personalities in one person.
Oh yes we are. No we're not... yes we are.
"That's the way to do it" - Punch
They know they may not be able to complete a thorough verification before the impulse to borrow passes. So they rush to lend. They know they make mistakes and lend to fraudsters. But to them it is a cost of doing business; net profit from impulse lending is so great they do this knowingly.
Then, the fraudulently lent loans get written off, sold for pennies on the dollar to the debt collectors. These people come after you, get default judgements, demanding that you prove you did not borrow the money. Even if you do to one debt collector, he sells the loan to the next debt collector and it goes on.
Small things might help here:
Make a law: "Lenders cannot sell defaulted loans without fully proving the identity of the borrower."
Get a couple of precedent judgements: "If the bank sold a loan based on stolen identity, they are liable for slander and all damage caused to the person whose identity was compromised."
Once you make the banks eat all the losses, and prevent damage to people whose identity is compromised, they will do the basic necessary things to verify identity.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact