Uncovering Multi-Account Fraud with Splunk Banking Analytics

AqibKazi
Splunk Employee

Last month, I met with a Senior Fraud Analyst at a nationally recognized bank to discuss their recent success in detecting a sophisticated fraud scheme. By utilizing Splunk Enterprise Security along with the Splunk App for Fraud Analytics, their team uncovered 17 fraudulent accounts all controlled by a single actor through an ingenious Gmail manipulation technique. This case illustrates how seemingly minor technical details can lead to significant vulnerabilities when exploited on a large scale.

This article is the first in a three-part series exploring advanced fraud detection techniques using Splunk. In this first installment, we'll focus on new account fraud through email manipulation. The second and third parts will examine account takeover scenarios and cross-channel fraud detection.

New Account Fraud

The bank had been facing a concerning rise in new account fraud. Their fraud rates had surged by 23% compared to the previous year, significantly impacting their online banking division. Despite having standard verification procedures in place, fraudsters were continually evading their controls.

Six weeks before our meeting, the bank had implemented Splunk Enterprise Security along with the Splunk App for Fraud Analytics, specifically to address these emerging threats. The implementation focused on identifying subtle patterns across multiple data sources that traditional rule-based systems were missing. These legacy systems were failing because they operated in silos, examining each account in isolation rather than looking for connections across accounts. They relied on binary triggers (a rule either fired or it didn't), with no ability to assess cumulative risk across multiple small indicators. Additionally, traditional systems lacked the normalization capabilities needed to see through simple obfuscation techniques like email variations. When fraudsters deliberately stay below individual thresholds while spreading activity across multiple accounts, these conventional systems miss the forest for the trees. Perhaps most critically, rule-based approaches require analysts to anticipate every possible fraud technique in advance, making them perpetually reactive rather than adaptive to new patterns as they emerge.

Gmail Dots Exploit

The fraud technique at the center of this case exploits a little-known feature of Gmail: the service completely disregards dots in the username portion of an email address. For instance, john.smith@gmail.com and johnsmith@gmail.com both direct to the same inbox. While this feature was intended for user convenience, it creates a significant loophole for fraud.

By strategically placing dots throughout an email address, fraudsters can create what appear to be unique identifiers for multiple accounts while maintaining control through a single inbox. Most banking systems and fraud detection tools treat each email variation as a completely separate customer.

This technique allows fraudsters to create multiple accounts that seem entirely disconnected in conventional systems. Bank A has no way of knowing that johnsmith@gmail.com opening an account on Monday is the same person who opened an account at Bank B as john.smith@gmail.com on Tuesday. Even within the same institution, these would typically register as different customers.

Meanwhile, the fraudster enjoys the convenience of receiving all communications in one manageable inbox. Every verification email, security alert, and account notification arrives in the same place, making it simple to monitor and manage multiple fraudulent accounts simultaneously. This centralized communication hub streamlines their operation significantly.

The scalability of this technique makes it particularly dangerous. A single base email address can generate hundreds or even thousands of variations by placing dots in different positions. The name "john.smith" alone could become j.ohnsmith, jo.hnsmith, joh.nsmith and so on, with each variation creating a new "unique" identifier that appears legitimate to most systems.

Through this simple manipulation, fraudsters maintain complete centralized control of all accounts while presenting what looks like different customers to financial institutions. This allows them to establish distinct fraud identities without the hassle of managing multiple actual email accounts—a perfect balance of simplicity and effectiveness that makes this technique so popular among fraud rings.

This technique requires no sophisticated technical skills or specialized tools, making it accessible to a wide range of bad actors.

Dashboards Reveal a Fraud Pattern

The case began during a routine morning review of the “Business Risk and Remediation Summary” dashboard in Splunk. The system had identified 31 accounts with potential fraud indicators, with an immediate risk exposure of $65,750.


What stood out was a user with an unusually high risk score, primarily triggered by a rule labeled "NewAcct-dotted gmail - one or more dots." This rule specifically tracks the creation of new accounts using Gmail addresses with periods in patterns consistent with known fraud attempts. The risk score had reached 149, well above the typical threshold of 100 that would flag an account for review. While most alerts may trigger one or two low-scoring rules, this particular case accumulated points rapidly from a single strong indicator. The bank's fraud team implemented this specific rule after learning at industry conferences of an uptick in Gmail-based fraud patterns. Previous fraud cases had shown that legitimate customers rarely use heavily dotted Gmail addresses, and multiple account creations with similar but differently dotted emails were almost always fraudulent. The rule was designed to be sensitive to these patterns without generating excessive false positives, focusing on specific dot placements historically correlated with fraud rather than flagging all Gmail addresses containing dots.

Investigation Process

The fraud analyst's investigation followed a systematic approach that demonstrates the value of connected data. After identifying the high-risk account, they began with a thorough assessment of what had triggered the alert. The account had set off multiple fraud rules related to new account openings, with several specifically tied to email address patterns. With a risk score of 149—significantly above their standard review threshold—it clearly warranted immediate investigation.

Looking more closely at the primary email address, the analyst discovered something concerning. The address in question (jo.h.n.doe@gmail.com) was already associated with three separate accounts in their system. This immediate red flag suggested potential identity manipulation, as legitimate customers rarely need multiple accounts with nearly identical credentials.

The critical breakthrough came during the next step of the investigation. The analyst searched for the normalized version of the email address—johndoe@gmail.com—essentially removing all dots from the original. This simple normalization technique revealed something alarming: 17 different accounts had been created over a two-week period, all using variations of the same base email with dots strategically placed in different positions.

Digging deeper to confirm the pattern, the analyst examined the behavior across these accounts. The similarities were striking: most had small initial deposits to establish legitimacy, followed by address changes shortly after opening, and pending transfer requests that collectively totaled approximately $425,000. The coordinated nature of these activities across supposedly unrelated accounts presented a clear fraud pattern.

This case validated the effectiveness of their risk scoring approach. The system had accurately identified this as high-risk by combining multiple subtle indicators that individually might have remained below traditional fraud thresholds. No single action was egregious enough to trigger immediate blocks, but together they painted a compelling picture of coordinated fraudulent activity.

Splunk’s Fraud Detection Capabilities

The bank's implementation of Splunk included several key technical components that enabled this detection. At the foundation of their success was a sophisticated email normalization process. They created a custom field extraction that automatically strips dots from Gmail addresses and stores both the original and normalized versions for comparison. This seemingly simple transformation proved crucial, creating a consistent identifier that could link apparently disparate accounts.

Building on this foundation, they implemented a multi-factor risk scoring system that moves beyond binary yes/no decisions. Their system assigns weighted risk scores to various indicators based on historical correlation with fraud. The Gmail dot manipulation technique received a particularly significant multiplier after analysis of previous cases showed it rarely appeared in legitimate account activity. This nuanced scoring allowed subtle patterns to accumulate into actionable intelligence.

Perhaps most important was their approach to cross-channel data integration. Splunk connected data that had previously existed in separate silos—their account opening system, online banking platform, and transaction processing systems—to build comprehensive risk profiles. This integration allowed them to see the complete picture of customer activity rather than fragments divided across different departments.

The power of visual analytics proved transformative for their investigation process. Custom dashboards visualized the connections between accounts using normalized identifiers, making patterns visible that would have been nearly impossible to detect in traditional tabular data. Investigators could literally see clusters of related activity that would have remained hidden in spreadsheets or traditional reports.

Finally, automated alert correlation streamlined the entire workflow. The system automatically grouped related alerts based on normalized identifiers, bringing all 17 accounts into a single investigation rather than treating them as separate cases. This correlation drastically reduced the analyst's workload while ensuring they could see the complete scope of the fraudulent activity at once.
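The three building blocks above (the dot-stripping normalization, the additive risk score, and grouping alerts by normalized identifier) can be shown together in one small detection routine. This is an added illustration, not the bank's Splunk configuration or any Splunk product code; the indicator weights, the sample account records and the 7-day "early address change" window are constructed assumptions, and the normalizer also folds Gmail "+tags" and the googlemail.com alias, which the article does not discuss but which reach the same inbox.

```python
from collections import defaultdict
# Google treats these as one provider and ignores dots (and "+tags") in the local part.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}
REVIEW_THRESHOLD = 100  # score above which a case is opened (the article's typical threshold)
WEIGHTS = {"dotted_gmail": 60, "early_address_change": 30, "small_deposit_then_transfer": 40}  # assumed weights

def normalize_email(addr: str) -> str:
    """Canonical identifier: lowercase; for Gmail, drop dots and +tags and fold googlemail.com."""
    local, _, domain = addr.strip().lower().rpartition("@")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"

def is_dotted_gmail(addr: str) -> bool:
    # The "NewAcct-dotted gmail - one or more dots" condition, evaluated on the raw address.
    local, _, domain = addr.strip().lower().rpartition("@")
    return domain in GMAIL_DOMAINS and "." in local

def score_account(acct: dict) -> int:
    """Additive risk score: several weak signals can cross the threshold together."""
    score = 0
    if is_dotted_gmail(acct["email"]):
        score += WEIGHTS["dotted_gmail"]
    if acct.get("address_changed_days") is not None and acct["address_changed_days"] <= 7:
        score += WEIGHTS["early_address_change"]
    if acct["initial_deposit"] < 100 and acct["pending_transfer"] > 0:
        score += WEIGHTS["small_deposit_then_transfer"]
    return score

def correlate(accounts: list) -> dict:
    """Group accounts by normalized email so one actor's variants land in a single case."""
    groups = defaultdict(list)
    for a in accounts:
        groups[normalize_email(a["email"])].append(a)
    cases = {}
    for key, accts in groups.items():
        score = sum(score_account(a) for a in accts)
        cases[key] = {"ids": [a["id"] for a in accts], "score": score, "review": score > REVIEW_THRESHOLD,
                      "pending": sum(a["pending_transfer"] for a in accts)}
    return cases

# Constructed sample records for the demo (not real customer data).
SAMPLE = [
    {"id": "A1", "email": "jo.h.n.doe@gmail.com", "initial_deposit": 25, "address_changed_days": 2, "pending_transfer": 15000},
    {"id": "A2", "email": "john.d.oe@gmail.com", "initial_deposit": 40, "address_changed_days": 3, "pending_transfer": 20000},
    {"id": "A3", "email": "J.ohndoe+bank@googlemail.com", "initial_deposit": 30, "address_changed_days": None, "pending_transfer": 12000},
    {"id": "B1", "email": "jane.roe@example.com", "initial_deposit": 2500, "address_changed_days": None, "pending_transfer": 0},
]
```

Running `correlate(SAMPLE)` collapses the three differently dotted addresses into one johndoe@gmail.com case with a combined score of 360 and $47,000 in pending transfers, while the unrelated example.com account scores zero and is not flagged.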

Immediate Response and Outcome

Once the pattern was identified, the bank's fraud team took swift action to contain the threat. Their first priority was freezing all 17 accounts pending further investigation, immediately stopping any pending transactions and preventing further account activity. This decisive action was crucial in containing the financial damage.

Going beyond immediate containment, they implemented preventative measures to block any additional account creation attempts using variations of the base email address. The team added the normalized email (without dots) to their high-risk watchlist, ensuring that any future attempts using this base address would be flagged for additional scrutiny regardless of dot placement.

The response extended to policy changes as well. The bank implemented additional verification steps specifically for accounts using complex Gmail patterns, adding extra authentication requirements when these patterns were detected during account creation. This systemic change helped address the vulnerability across their entire customer base.

Recognizing that fraud rings rarely target just one institution, the team shared the pattern with their banking consortium to alert other institutions. This collaborative approach helped strengthen the entire financial ecosystem against similar attacks, demonstrating industry leadership in fraud prevention.

The financial impact of their intervention was significant. The team prevented $425,000 in pending fraudulent transfers that were already in process across the various accounts. Based on analysis of similar past cases and the trajectory of the fraud, they estimated potential losses could have grown to over $2,000,000 if the pattern had remained undetected. Beyond the immediate financial savings, the case provided valuable intelligence that would help prevent similar schemes in the future.

Broader Implications and Strategic Insights

This Gmail manipulation case completely changed how the bank thinks about fraud detection. They realized that traditional yes/no rules just weren't cutting it anymore. Instead, they've moved to a pattern recognition approach where small risk indicators add up to reveal suspicious activity that would have flown under the radar before.

The success they had with normalizing email addresses inspired them to apply similar techniques to other customer data. They're now normalizing phone numbers, addresses, and even usernames to spot connected accounts that fraudsters try to keep separate. Their fraud team has also become more proactive, regularly searching for patterns rather than just waiting for alerts to pop up.

What struck me during our conversation was how much this single case affected their entire security mindset. "We were looking at individual accounts when we should have been looking at connections between them," the fraud analyst explained. The bank now prioritizes data integration across systems, ensuring nothing falls through the cracks between different departments.

They've also started sharing what they've learned with other banks in their consortium. By distributing anonymized pattern information, they're helping strengthen the entire industry's defenses against these techniques. This collaborative approach makes sense: the fraudsters are certainly sharing their methods with each other.

The visualization capabilities proved to be game-changers for their investigation process. What might have taken days to identify in spreadsheets became immediately obvious in their visual dashboards. Connections between accounts jumped right out, saving hours of painstaking

Most importantly, this case showed them that fraud detection isn't always about catching sophisticated hackers. Sometimes, it's about understanding basic technical quirks that create loopholes. By normalizing data and focusing on patterns rather than individual triggers, they've built a much stronger defense against fraud tactics that exploit these system differences.

The Gmail dot manipulation case provides a compelling example of how modern fraud detection requires both sophisticated analytics and deep understanding of technical exploits. By implementing Splunk Enterprise Security along with the Splunk App for Fraud Analytics, this bank was able to connect data that would have remained invisible in their previous systems.

As fraudsters continue to exploit nuanced technical details, financial institutions must evolve their detection capabilities to match. This case demonstrates how the right combination of technology, configuration, and expertise can transform seemingly disconnected data points into clear fraudulent activity patterns—ultimately protecting the institution and its customers.

In the next article of this series, we will examine how Splunk aided in detecting account takeover attempts via brute force attack patterns, highlighting another vital component of comprehensive fraud protection. Stay tuned for part two, which is coming soon.
