How a Quirky Gmail Feature Led to a Phishing Scare and a Valuable Lesson in Email Security

It happened one day out of the blue in mid-October. I received a notification that a trip was added to my personal Google calendar — destination: Cebu, Philippines. What? Did I just fall victim to a cyberattack?

I logged into my personal Gmail account and found an email with the travel itinerary. I started to panic, and thoughts of despair began to creep into my mind. How could I have booked a trip to the Philippines when I don’t even have a passport?

A Phishing Attack or a False Alarm?

I stared at my screen for a few moments trying to figure out what to do. I took a breath and thought back on all the discussions I had with my mentor about email security best practices and what to do in this scenario.

I started with the obvious things. I checked my credit cards and, to my relief, there was no charge for a trip. Then I checked the Have I Been Pwned database and didn’t find anything out of the ordinary. However, to be safe, I immediately changed my password.

I went back to the itinerary email and started reading through to make sure this wasn’t a phishing attempt. Rather than click on any of the hyperlinks in the email, I did a search to see if the travel site was legitimate. The site was legit, but I didn’t find anything to prove that it wasn’t a phishing email.

At the bottom of the email, I found two links in the fine print and started to investigate those for legitimacy. I read in the disclosure portion of the email that if I went to one of the links, I could make alterations to my itinerary and flight information. I started with that link to further my investigation. To my surprise, all I needed was a last name and a confirmation number, which was included in the email.

I was shocked at how easily I was able to get into the site with no login credentials. I had complete access to someone’s flight itinerary, among other data that probably should’ve been better protected. The deeper I dug into my issue, the more I empathized with the person taking the trip.

Why Periods Don’t Matter in Gmail Addresses

With enough information to assuage my fear that my identity had been stolen, concern gave way to curiosity. How did this happen? I started digging deeper into the email I received with the itinerary, and the tell-tale sign was there in the email header. On the “To:” line, I saw the following: “to: [email protected] (Yes, this is you).” Wait, what? I registered my username as john.smith when I signed up, so how could this be me?

To satisfy my curiosity, I clicked on the “Learn More” link that accompanied the aforementioned prompt. It took me to a Google support page that explained that Gmail ignores periods in the part of an address before the @ symbol. How was I not aware of this Gmail feature?

I still wasn’t 100 percent convinced, so I did some of my own testing. I logged into my account using johnsmith instead of john.smith, and I was directed straight to my inbox. Next, I sent myself some test emails. I sent one to [email protected] and boom! It was in my inbox. I then logged into a competing free email service, sent an email to [email protected], and watched my inbox with great anticipation. After a few minutes, there it was. I guess the Google support page was accurate after all.

How Does This Gmail Feature Impact Email Security?

I can see the advantages of this Gmail behavior, since it lets a user manage several address variants from one inbox. If I wanted to, I could hand out one dotted variant of my address for, say, paperless credit card statements and a different variant for technical newsletters. Filtering on the exact address each message was sent to would help you track where spam originates and give you an indication of who is sharing your information.

You can be as specific as you like by placing periods in different positions for each individual site. This can also help you judge a suspicious message. If an email claiming to come from the power company arrives at a variant you never gave the power company, you can quickly tell that it is phony, or that your address has been shared or leaked. The test only works in one direction, though: a mismatch is a strong warning sign, but a match proves nothing, since anyone who obtained the exact variant you registered (for example, from a breach at that company) will pass it, and any sender can reach you at every variant anyway. It is still a cheap way to sniff out credential-phishing attempts sent to a guessed or purchased address.

I can also see how this feature could help facilitate nefarious activities. In another experience, I received store rewards information for a different John Smith located thousands of miles away from me. From that scenario, I learned that companies often do not check their databases in relation to Gmail addresses. In this case, it would’ve allowed me to manage my rewards account using [email protected], and since the other John Smith on the other side of the country sent me his rewards information, I could manage his account using [email protected], all from one inbox.
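The fix on the service side is to compare addresses in a canonical form rather than as raw strings, so that every dot variant (and, for Gmail, any +tag suffix) of one mailbox resolves to one account. The Python below is an added example, not code from the article or from any of the companies it mentions. It assumes the documented consumer Gmail rules (dots in the local part are ignored, text from "+" onward is a tag, googlemail.com delivers to the same mailbox as gmail.com) and deliberately leaves every other domain alone, because Google Workspace custom domains and most other providers treat dots as significant. The sample account list is constructed for the example. It also generates the full set of dot placements for a local part, which shows how small the "strategic periods" tag space really is: a nine-letter local part has only 256 variants, all of which an attacker can enumerate and send to.

```python
"""Canonicalize Gmail address variants so they resolve to one account.

Added example for this article (not the article author's code). Assumed rules,
taken from Google's consumer Gmail documentation:
  * dots in the local part are ignored        -> john.smith == johnsmith
  * anything from '+' onward is a tag         -> johnsmith+promo == johnsmith
  * googlemail.com is the same mailbox domain -> johnsmith@googlemail.com
These rules do NOT hold for Google Workspace custom domains or other providers,
so non-Gmail addresses are only case-folded, never de-dotted.
"""
from collections import defaultdict
from itertools import product

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonicalize_email(address: str) -> str:
    """Return the form of ``address`` a service should store and compare on."""
    addr = address.strip()
    if addr.count("@") != 1:
        raise ValueError(f"not a single-mailbox address: {address!r}")
    local, domain = addr.rsplit("@", 1)
    domain = domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0]  # '+tag' is delivered to the base mailbox
        local = local.replace(".", "")  # dots before the @ are ignored by Gmail
        domain = "gmail.com"            # googlemail.com is an alias domain
    # Mailbox names are case-insensitive at every major provider in practice,
    # so fold case for matching purposes.
    return f"{local.lower()}@{domain}"


def same_mailbox(a: str, b: str) -> bool:
    """True if two addresses deliver to the same mailbox under the rules above."""
    return canonicalize_email(a) == canonicalize_email(b)


def find_duplicate_accounts(addresses):
    """Group registered addresses that resolve to one mailbox.

    Returns {canonical_address: [registered variants...]} for every mailbox
    that appears more than once; a clean user table returns {}.
    """
    groups = defaultdict(list)
    for addr in addresses:
        groups[canonicalize_email(addr)].append(addr)
    return {canon: variants for canon, variants in groups.items() if len(variants) > 1}


def dot_variants(local: str):
    """Yield every dot placement of ``local`` (dots already present are removed).

    A local part of n letters has n-1 gaps, hence 2**(n-1) variants: 'johnsmith'
    yields 256. This is the whole space a 'strategic dot' scheme has to work with.
    """
    letters = local.replace(".", "")
    if not letters:
        return
    for bits in product((False, True), repeat=len(letters) - 1):
        out = letters[0]
        for ch, dot in zip(letters[1:], bits):
            out += ("." if dot else "") + ch
        yield out


# Constructed sample: what a loyalty-programme user table might contain.
SAMPLE_ACCOUNTS = [
    "john.smith@gmail.com",
    "johnsmith@gmail.com",
    "JohnSmith+rewards@googlemail.com",
    "j.o.h.n.smith@gmail.com",
    "john.smith@example.com",  # not Gmail: the dot stays significant
    "johnsmith@example.com",
]

if __name__ == "__main__":
    for canon, variants in find_duplicate_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{canon} is registered {len(variants)} times: {variants}")
    print(sum(1 for _ in dot_variants("johnsmith")), "dot variants of johnsmith")
```

Run the lookup through `canonicalize_email` at sign-up, at login, and when sending anything account-related, and the two John Smiths in the story become one conflict to resolve at registration time rather than two accounts that can read each other's mail.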

So as it turns out, I hadn’t suffered a cyberattack after all. I did learn a thing or two about email security, however. While the Gmail feature that ignores periods in addresses has real benefits for everyday users, it can cause problems for users who don’t follow email security best practices and for services that treat those variants as separate accounts.

Joseph Ries

Security Architect, IBM

I have been working in IT for almost 20 years. Started out on a small IT team at a small business which generally means...