It happened one day out of the blue in mid-October. I received a notification that a trip was added to my personal Google calendar — destination: Cebu, Philippines. What? Did I just fall victim to a cyberattack?

I logged into my personal Gmail account and found an email with the travel itinerary. I started to panic, and thoughts of despair began to creep into my mind. How could I have booked a trip to the Philippines when I don’t even have a passport?

A Phishing Attack or a False Alarm?

I stared at my screen for a few moments trying to figure out what to do. I took a breath and thought back on all the discussions I had with my mentor about email security best practices and what to do in this scenario.

I started with the obvious things. I checked my credit cards and, to my relief, there was no charge for a trip. Then I checked the Have I Been Pwned database and didn’t find anything out of the ordinary. However, to be safe, I immediately changed my password.

I went back to the itinerary email and started reading through to make sure this wasn’t a phishing attempt. Rather than click on any of the hyperlinks in the email, I did a search to see if the travel site was legitimate. The site was legit, but I didn’t find anything to prove that it wasn’t a phishing email.

At the bottom of the email, I found two links in the fine print and started to investigate those for legitimacy. The disclosure portion of the email said that if I went to one of the links, I could make alterations to my itinerary and flight information. I started with that link to further my investigation. To my surprise, all I needed was a last name and a confirmation number, both of which were included in the email.

I was shocked at how easily I got into the site with no login credentials. I had complete access to someone’s flight itinerary, among other data that probably should have been better protected. The deeper I dug into my issue, the more I empathized with the person taking the trip.

Why Periods Don’t Matter in Gmail Addresses

With enough information to assuage my fear that my identity had been stolen, concern gave way to curiosity. How did this happen? I went back through the itinerary email, and the tell-tale sign was right there in the header. The “To:” line read: “to: [email protected] (Yes, this is you).” Wait, what? I had registered my username as john.smith when I signed up, and the address on that line was not the form I registered, so how could this be me?

To satisfy my curiosity, I clicked the “Learn More” link next to that prompt. It took me to a Google support page explaining that Gmail ignores periods in the part of an address before the @ symbol: john.smith, johnsmith and j.o.h.n.smith all deliver to the same inbox. How was I not aware of this Gmail feature?

I still wasn’t 100 percent convinced, so I did some of my own testing. I logged into my account using johnsmith instead of john.smith, and I was directed straight to my inbox. Next, I sent myself some test emails. I sent one to [email protected] and boom! It was in my inbox. I then logged into a competing free email service, sent an email to [email protected], and watched my inbox with great anticipation. After a few minutes, there it was. I guess the Google support page was accurate after all.

How Does This Gmail Feature Impact Email Security?

I can see the advantages of this Gmail feature, since it lets one inbox answer to many spellings of the same address. If I wanted to, I could give out [email protected] for, say, paperless credit card statements and [email protected] for technical newsletters. Every variant lands in the same inbox, but the spelling the sender used still appears on the “To:” line, so you can filter on it, see which variant the spam arrives at, and get an indication of who is sharing your information.

You can be incredibly specific by placing the periods differently for each site. This also gives you a check against phishing. If you get an email addressed to [email protected] from the power company, but you know you gave them [email protected], the sender did not take that address from your account with the power company, and the message deserves suspicion. The check only works one way: a mismatched variant is a red flag, but a matching variant proves nothing, because the variant you registered can leak along with the rest of a customer database. It is still useful for sniffing out attempts to steal your credentials via phishing emails.

I can also see how this feature could facilitate nefarious activity. In another experience, I received store rewards information for a different John Smith located thousands of miles from me. From that scenario, I learned that companies often treat john.smith@ and johnsmith@ as two different customers, even though Gmail delivers both to one inbox. In this case, that would have let me manage my own rewards account using [email protected] and, since the other John Smith across the country had his rewards information sent to my inbox, manage his account using [email protected], all from one inbox.
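The two findings above, that a dotted and a dotless Gmail address are one mailbox and that a service which stores them as separate customers notifies the wrong person, come down to one missing step: canonicalizing the address before comparing it. The following is an added example, not code from the article or from any of the services it describes. It assumes only what the page states about periods plus one further Gmail fact, that googlemail.com is an alias domain for gmail.com; the account records are constructed for the example.

```python
"""Added example: canonicalize addresses the way Gmail routes them.

Gmail ignores periods (and case) in the local part, the part before the @,
and the googlemail.com domain delivers to the same mailboxes as gmail.com.
A service that stores john.smith@gmail.com and johnsmith@gmail.com as two
customers has two records that both notify one person; comparing canonical
forms at signup and on lookup catches that.  The account records at the
bottom are constructed for this example.
"""
from email.utils import parseaddr

# Domains whose mailboxes ignore dots and case in the local part.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonicalize(address: str) -> str:
    """Return the form of `address` to use for duplicate checks.

    Accepts a bare address or a header form such as "John <j@x.com>".
    Gmail local parts are lower-cased and stripped of periods; other
    providers may treat the local part literally, so for them only the
    domain is lower-cased (domains are case-insensitive everywhere).
    """
    _, addr = parseaddr(address)
    if addr.count("@") != 1:
        raise ValueError(f"not a single mailbox address: {address!r}")
    local, domain = addr.rsplit("@", 1)
    domain = domain.lower().rstrip(".")
    if domain in GMAIL_DOMAINS:
        local = local.lower().replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def same_inbox(a: str, b: str) -> bool:
    """True if both addresses deliver to one mailbox under the rules above."""
    return canonicalize(a) == canonicalize(b)


def find_collisions(accounts: list[dict]) -> dict[str, list[int]]:
    """Group account records by the mailbox they really deliver to and
    return only the groups with more than one record: the duplicates a
    rewards or travel site should have caught at signup."""
    groups: dict[str, list[int]] = {}
    for rec in accounts:
        groups.setdefault(canonicalize(rec["email"]), []).append(rec["id"])
    return {mailbox: ids for mailbox, ids in groups.items() if len(ids) > 1}


def classify_recipient(to_header: str, registered: str) -> str:
    """Compare a message's To: address with the variant you gave a service.

    'exact'                   the sender used the variant you registered
    'same_inbox_other_variant' it reached you, but via a dot pattern you
                               never gave that service (the article's red flag)
    'different_mailbox'        not your mailbox at all
    """
    _, to_addr = parseaddr(to_header)
    _, reg_addr = parseaddr(registered)
    if to_addr.lower() == reg_addr.lower():
        return "exact"
    if same_inbox(to_header, registered):
        return "same_inbox_other_variant"
    return "different_mailbox"


# Constructed sample of a customer table: two Gmail spellings of one person,
# a different person at Google's alias domain, and two example.com entries
# that must NOT be merged because that provider's rules are unknown.
ACCOUNTS = [
    {"id": 101, "email": "john.smith@gmail.com"},
    {"id": 102, "email": "johnsmith@gmail.com"},
    {"id": 103, "email": "J.Smith@googlemail.com"},
    {"id": 104, "email": "john.smith@example.com"},
    {"id": 105, "email": "JohnSmith@example.com"},
]

if __name__ == "__main__":
    print("collisions:", find_collisions(ACCOUNTS))
    print(classify_recipient("Power Co <johnsmith@gmail.com>", "john.smith@gmail.com"))
```

Run as a script, the collision report names 101 and 102 as one mailbox and leaves the example.com pair alone; the recipient check flags a power-company message sent to the dotless variant when the dotted one was registered. The non-Gmail branch is deliberately conservative: merging local parts for a domain whose rules you do not know would create the opposite bug, two real customers collapsed into one.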

So as it turns out, I hadn’t suffered a cyberattack after all. I did learn a thing or two about email security, however. The Gmail feature that ignores periods has real benefits for everyday users, but the same feature causes problems when a service stores the variants as separate accounts, and when a user hands out one variant and forgets that mail sent to any variant, confirmation numbers and account notifications included, lands in that same inbox.
