Most people have never heard of this. Some IT professionals haven't either. But it's a real vulnerability, it's being actively exploited, and if your business uses Gmail addresses, or deals with clients and suppliers who do, you need to know about it.
So What's the Trick?
Google treats full stops (dots) in Gmail addresses as completely invisible. johnsmith@gmail.com and j.o.h.n.s.m.i.t.h@gmail.com are the same address and land in the same inbox.
Google designed it this way to stop you missing emails because of typos. Fine in theory. The problem? While all dot variants of a Gmail account go to the same inbox, the vast majority of the internet treats each variant as a completely separate email address, linked to a unique account and identity.
That gap between how Gmail sees it and how everyone else sees it is exactly where fraudsters operate.
How Scammers Are Using It
Cybercriminals use dotted variations of a Gmail address to set up multiple accounts under different names with a company, despite all of those email addresses being linked to the same person.
In practice, this means a fraudster with one Gmail account can sign up for your services dozens of times, each time appearing to be a different person. All the confirmation emails, invoices and account details land in one inbox, making the whole operation easy to manage and scale.
The numbers are sobering. Security researchers documented one group that used this tactic to submit 48 fraudulent credit card applications at four financial institutions, resulting in at least £65,000 in approved fraudulent credit. The same group filed 13 fake tax returns, submitted 11 fraudulent benefit applications and registered 14 trial accounts with a sales leads provider to harvest targeting data for further attacks.
That last point is particularly relevant for businesses. The FBI's IC3 has flagged this as a known tactic in business email compromise schemes.
What Does This Mean for Your Business?
A few scenarios worth thinking about.
A supplier or client tells you they've changed their payment details. The email comes from what looks like their Gmail address, but with a dot moved. You don't notice. The money goes somewhere else.
A fraudster signs up for your free trial, your newsletter or your client portal using dotted variations of the same address, effectively getting multiple accounts and bypassing any one-per-customer limits you have in place.
Someone signs up for an account on a platform your business uses, using a dotted version of your email address. They set the password. But because Gmail routes it to your inbox, you receive the confirmation, and if you click anything or take action on it you've unknowingly validated their account.
A compromised or spoofed email account is rarely the end of the story. It's the beginning. Once inside your email, attackers can reset passwords to your banking, HR and cloud platforms, and send phishing emails to your contacts from a trusted address.
What Should You Do?
A few sensible steps.
If you receive emails for accounts you didn't create, even if they're addressed to a variation of your Gmail address, don't click anything. Report it as phishing.
Review your connected apps and recent sign-in activity at myaccount.google.com/security regularly. Revoke anything you don't recognise.
Enable two-factor authentication on your Gmail and every platform it's connected to. This won't stop someone using a dotted variation of your address elsewhere, but it locks down your own account.
If you run a business that uses email addresses as unique identifiers for customer accounts, trial signups or billing, speak to your web developer about normalising Gmail addresses by stripping the dots before storing them. It's a straightforward fix that most platforms have simply never bothered with.
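Here is what that normalisation looks like in practice, as an added example rather than code from the original post or from Rushax. It does two jobs from this article: it collapses dotted Gmail variants to one identity so a one-per-customer check actually works (the signup scenario), and it classifies an inbound sender against the contact address you hold on file (the changed-payment-details scenario). The dot rule is the one the post describes; the handling of "+tag" suffixes and the googlemail.com alias goes beyond the post and relies on Google's documented behaviour for consumer Gmail. The function and variable names, and the sample addresses, are constructed for this illustration.

```python
"""Canonicalise Gmail addresses so dotted variants map to one identity.

Added illustration, not code from the original post. Dots are ignored only
on consumer Google mail domains; Google Workspace accounts on a company's
own domain do NOT get this treatment, so the domain check matters. Without
it you could wrongly merge two genuinely different mailboxes.
"""
from collections import defaultdict

# Consumer Google mail domains where dots in the local part are ignored.
GOOGLE_CONSUMER_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> str:
    """Return the identity-comparison form of an email address.

    For consumer Gmail: lower-case, drop dots, drop any '+tag' suffix and
    map googlemail.com to gmail.com, so every variant of one inbox becomes
    one string. Other domains are only lower-cased. Raises ValueError on
    input that is not shaped like a single address.
    """
    address = address.strip()
    if address.count("@") != 1:
        raise ValueError(f"not a single-mailbox address: {address!r}")
    local, domain = address.split("@")
    local, domain = local.lower(), domain.lower()
    if not local or not domain:
        raise ValueError(f"empty local part or domain: {address!r}")
    if domain in GOOGLE_CONSUMER_DOMAINS:
        # Gmail ignores dots and everything from '+' onwards in the local part.
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
        if not local:
            raise ValueError(f"Gmail local part reduces to nothing: {address!r}")
    return f"{local}@{domain}"


def find_duplicate_signups(signups):
    """Group raw signup addresses by canonical form.

    Returns {canonical: [raw addresses]} for every canonical address that
    appears more than once, i.e. several 'different' accounts that all
    deliver to a single inbox. Run this before any one-per-customer check.
    """
    groups = defaultdict(list)
    for raw in signups:
        groups[canonical_email(raw)].append(raw)
    return {canon: raws for canon, raws in groups.items() if len(raws) > 1}


def classify_sender(sender: str, known_contact: str) -> str:
    """Classify an inbound sender against the contact address on file.

    'exact'   - the same address the supplier always uses (case aside)
    'variant' - same inbox under Gmail's rules but spelled differently
                (a dot moved or a +tag added); unusual for a regular contact
    'other'   - a different mailbox entirely
    Anything but 'exact' on a payment-detail change is a cue to confirm by
    phone on a number you already hold, not by replying to the email.
    """
    if sender.strip().lower() == known_contact.strip().lower():
        return "exact"
    if canonical_email(sender) == canonical_email(known_contact):
        return "variant"
    return "other"


if __name__ == "__main__":
    # Constructed sample data for the demo; not real signups.
    trial_signups = [
        "johnsmith@gmail.com",
        "john.smith@gmail.com",
        "j.o.h.n.smith@googlemail.com",
        "johnsmith+trial2@gmail.com",
        "jane.doe@example.co.uk",
    ]
    for canon, raws in find_duplicate_signups(trial_signups).items():
        print(f"{canon}: {len(raws)} signups -> {raws}")
    print(classify_sender("accounts.team@gmail.com", "accountsteam@gmail.com"))
```

Store the canonical form alongside the address the customer typed, and enforce uniqueness on the canonical column; keep the raw address for sending mail, since the user may expect to see their own spelling.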
The Bigger Picture
This is one example of a much wider problem: cyber threats that sit in plain sight, hiding in features most people assume are harmless. The dot trick isn't a hack or a zero-day exploit. It's just a quirk in how Gmail works, and criminals have been quietly exploiting it for years.
At Rushax, cyber security awareness is something we build into the advice we give clients across IT support, web builds and digital setup. Whether it's hardening your email configuration, locking down your business accounts or training your team to spot the warning signs, it's all part of keeping your business safe online.
If you want a straightforward review of your current setup, get in touch with the Rushax team. No jargon, no hard sell, just honest advice.
James Dearmer, Rushax
Managing Director, Rushax