Using Gmail 'Dot Addresses' to Commit Fraud

Recently, we observed a group of BEC actors make extensive use of Gmail dot accounts to commit a large and diverse amount of fraud. Since early 2018, this group has used this fairly simple tactic to facilitate the following fraudulent activities:

In Gmail addresses, the dots don’t matter. The account maps to the exact same address as and so on. (Note: I own none of those addresses, if they are actually valid.)
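Because dots in a Gmail address do not change which mailbox receives the mail, a service that treats each dotted spelling as a separate identity can be registered against many times by one mailbox. The following is an added example, not code from the original article: it collapses dot variants to one canonical mailbox and flags mailboxes behind several accounts. The function names, the account-record layout, the sample addresses and the treatment of googlemail.com as an alias of gmail.com are assumptions made for this example.

```python
from collections import defaultdict

# Domains where dots in the local part are ignored. googlemail.com is treated
# here as an alias of gmail.com (assumption added for this example).
DOT_INSENSITIVE = {"gmail.com": "gmail.com", "googlemail.com": "gmail.com"}


def canonical_mailbox(address: str) -> str:
    """Return the mailbox an address delivers to, collapsing Gmail dot variants."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    domain = domain.lower()
    if domain in DOT_INSENSITIVE:
        return local.replace(".", "").lower() + "@" + DOT_INSENSITIVE[domain]
    # Other providers may treat dots as significant, so leave the local part alone.
    return local + "@" + domain


def find_dot_variant_clusters(accounts, threshold=2):
    """Map canonical mailbox -> account ids, where >= threshold distinct spellings
    of the same mailbox were used to register separate accounts."""
    spellings = defaultdict(set)
    ids = defaultdict(list)
    for account_id, email in accounts:
        try:
            key = canonical_mailbox(email)
        except ValueError:
            continue  # malformed input is skipped, not clustered
        spellings[key].add(email.strip().lower())
        ids[key].append(account_id)
    return {k: ids[k] for k in ids if len(spellings[k]) >= threshold}


# Constructed sample sign-up records (account id, email as entered).
SAMPLE_ACCOUNTS = [
    ("A-1001", "placeholder.name.demo@gmail.com"),
    ("A-1002", "pla.ceholdername.demo@gmail.com"),
    ("A-1003", "p.l.a.c.e.holdernamedemo@GMAIL.com"),
    ("A-1004", "placeholder.name.demo@example.org"),
    ("A-1005", "placeholdernamedemo@example.org"),
    ("A-1006", "someone.else.demo@gmail.com"),
    ("A-1007", "not-an-address"),
]

if __name__ == "__main__":
    for mailbox, account_ids in find_dot_variant_clusters(SAMPLE_ACCOUNTS).items():
        print(mailbox, "->", ", ".join(account_ids))
```

Storing the canonical form alongside the address as entered lets uniqueness checks and fraud rules key on the mailbox while mail is still sent to the spelling the user typed.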