It happened one day out of the blue in mid-October. I received a notification that a trip was added to my personal Google calendar — destination: Cebu, Philippines. What? Did I just fall victim to a cyberattack?

I logged into my personal Gmail account and found an email with the travel itinerary. I started to panic, and thoughts of despair began to creep into my mind. How could I have booked a trip to the Philippines when I don’t even have a passport?

A Phishing Attack or a False Alarm?

I stared at my screen for a few moments trying to figure out what to do. I took a breath and thought back on all the discussions I had with my mentor about email security best practices and what to do in this scenario.

I started with the obvious things. I checked my credit cards and, to my relief, there was no charge for a trip. Then I checked the Have I Been Pwned database and didn’t find anything out of the ordinary. However, to be safe, I immediately changed my password.

I went back to the itinerary email and started reading through to make sure this wasn’t a phishing attempt. Rather than click on any of the hyperlinks in the email, I did a search to see if the travel site was legitimate. The site was legit, but I didn’t find anything to prove that it wasn’t a phishing email.

At the bottom of the email, I found two links in the fine print and started to investigate those for legitimacy. I read in the disclosure portion of the email that if I went to one of the links, I could make alterations to my itinerary and flight information. I started with that link to further my investigation. To my surprise, all I needed was a last name and a confirmation number, which was included in the email.

I was shocked at how easily I was able to get into the site with no login credentials. I had complete access to someone’s flight itinerary, among other data that probably should’ve been better protected. The deeper I dug into my issue, the more I empathized with the person taking the trip.

Why Periods Don’t Matter in Gmail Addresses

With enough information to assuage my fear that my identity was stolen, that concern gave way to curiosity. How did this happen? I started digging deeper into the email I received with the itinerary, and the tell-tale sign was there in the email header: On the “To:” line, I saw the following: “to: [email protected] (Yes, this is you).” Wait, what? I registered my username to be john.smith when I signed up, so how could this be me?

To rectify my curiosity, I clicked on the “Learn More” link that accompanied the aforementioned prompt. It took me to a Google support page that explained how Gmail does not recognize the periods before the @ symbol. How was I not aware of this Gmail feature?

I still wasn’t 100 percent convinced, so I did some of my own testing. I logged into my account using johnsmith instead of john.smith, and I was directed straight to my inbox. Next, I sent myself some test emails. I sent one to [email protected] and boom! It was in my inbox. I then logged into a competing free email service, sent an email to [email protected], and watched my inbox with great anticipation. After a few minutes, there it was. I guess the Google support page was accurate after all.

How Does This Gmail Feature Impact Email Security?

I can see the advantages of using this Gmail feature, since it enables users to manage multiple email addresses from one inbox. If I wanted to, I could use [email protected] to manage specific duties for, say, paperless credit card statements, and [email protected] for technical newsletters. This could help you gauge and track your spam emails, and it would give you an indication of who is potentially sharing your information.

You have the option to be incredibly specific by strategically placing periods before the @ symbol for an individual site. This could help you gauge the validity of potential phishing attacks as well. If you get an email addressed to [email protected] from the power company, but you knowingly used [email protected] for that account, you can quickly determine that it is phony. This is especially useful for sniffing out attempts to steal your credentials via phishing emails.

I can also see how this feature could help facilitate nefarious activities. In another experience, I received store rewards information for a different John Smith located thousands of miles away from me. From that scenario, I learned that companies often do not check their databases in relation to Gmail address. In this case, it would’ve allowed me to manage my awards account using [email protected], and since the other John Smith on the other side of the country sent me his rewards information, I could manage his account using [email protected], all from one inbox.

So as it turns out, I hadn’t suffered a cyberattack after all. I did learn a thing or two about email security, however. While there are certainly benefits to the Gmail feature that ignores periods in email addresses for common users, that same feature could lead to problems for users who don’t follow email security best practices.

More from Data Protection

How to craft a comprehensive data cleanliness policy

3 min read - Practicing good data hygiene is critical for today’s businesses. With everything from operational efficiency to cybersecurity readiness relying on the integrity of stored data, having confidence in your organization’s data cleanliness policy is essential.But what does this involve, and how can you ensure your data cleanliness policy checks the right boxes? Luckily, there are practical steps you can follow to ensure data accuracy while mitigating the security and compliance risks that come with poor data hygiene.Understanding the 6 dimensions of…

Third-party access: The overlooked risk to your data protection plan

3 min read - A recent IBM Cost of a Data Breach report reveals a startling statistic: Only 42% of companies discover breaches through their own security teams. This highlights a significant blind spot, especially when it comes to external partners and vendors. The financial stakes are steep. On average, a data breach affecting multiple environments costs a whopping $4.88 million. A major breach at a telecommunications provider in January 2023 served as a stark reminder of the risks associated with third-party relationships. In…

Communication platforms play a major role in data breach risks

4 min read - Every online activity or task brings at least some level of cybersecurity risk, but some have more risk than others. Kiteworks Sensitive Content Communications Report found that this is especially true when it comes to using communication tools.When it comes to cybersecurity, communicating means more than just talking to another person; it includes any activity where you are transferring data from one point online to another. Companies use a wide range of different types of tools to communicate, including email,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today