It happened one day out of the blue in mid-October. I received a notification that a trip was added to my personal Google calendar — destination: Cebu, Philippines. What? Did I just fall victim to a cyberattack?

I logged into my personal Gmail account and found an email with the travel itinerary. I started to panic, and thoughts of despair began to creep into my mind. How could I have booked a trip to the Philippines when I don’t even have a passport?

A Phishing Attack or a False Alarm?

I stared at my screen for a few moments trying to figure out what to do. I took a breath and thought back on all the discussions I had with my mentor about email security best practices and what to do in this scenario.

I started with the obvious things. I checked my credit cards and, to my relief, there was no charge for a trip. Then I checked the Have I Been Pwned database and didn’t find anything out of the ordinary. However, to be safe, I immediately changed my password.

I went back to the itinerary email and started reading through to make sure this wasn’t a phishing attempt. Rather than click on any of the hyperlinks in the email, I did a search to see if the travel site was legitimate. The site was legit, but I didn’t find anything to prove that it wasn’t a phishing email.

At the bottom of the email, I found two links in the fine print and started to investigate those for legitimacy. I read in the disclosure portion of the email that if I went to one of the links, I could make alterations to my itinerary and flight information. I started with that link to further my investigation. To my surprise, all I needed was a last name and a confirmation number, both of which were included in the email.

I was shocked at how easily I was able to get into the site with no login credentials. I had complete access to someone’s flight itinerary, among other data that probably should’ve been better protected. The deeper I dug into my issue, the more I empathized with the person taking the trip.

Why Periods Don’t Matter in Gmail Addresses

With enough information to assuage my fear that my identity had been stolen, concern gave way to curiosity. How did this happen? I started digging deeper into the email I received with the itinerary, and the tell-tale sign was right there in the email header. On the “To:” line, I saw the following: “to: johnsmith@gmail.com (Yes, this is you).” Wait, what? I registered my username as john.smith when I signed up, so how could this be me?

To satisfy my curiosity, I clicked on the “Learn More” link that accompanied the aforementioned prompt. It took me to a Google support page that explained how Gmail ignores periods in the part of the address before the @ symbol. How was I not aware of this Gmail feature?

I still wasn’t 100 percent convinced, so I did some of my own testing. I logged into my account using johnsmith instead of john.smith, and I was directed straight to my inbox. Next, I sent myself some test emails. I sent one to johnsmith@gmail.com and boom! It was in my inbox. I then logged into a competing free email service, sent an email to j.o.h.n.s.m.i.t.h@gmail.com, and watched my inbox with great anticipation. After a few minutes, there it was. I guess the Google support page was accurate after all.

How Does This Gmail Feature Impact Email Security?

I can see the advantages of using this Gmail feature, since it lets one inbox receive mail addressed to any dot-variant of the same username. If I wanted to, I could use john.smith@gmail.com for, say, paperless credit card statements, and johnsmith@gmail.com for technical newsletters. Because the “To:” line shows which variant a sender used, this lets you track where spam originates and gives you an indication of who is potentially sharing your information.

You can be as specific as you like by giving each site its own placement of periods before the @ symbol. This could help you gauge the validity of potential phishing attacks as well. If you get an email addressed to johnsmith@gmail.com from the power company, but you knowingly used j.ohnsmith@gmail.com for that account, you can quickly determine that it is phony. This is especially useful for sniffing out attempts to steal your credentials via phishing emails. It is a heuristic, not proof: a phisher who obtained the exact spelling you gave a vendor (for example, from that vendor’s own breach) will pass the check, and a legitimate sender that normalizes addresses may fail it. Note also that this behavior is specific to consumer @gmail.com addresses; an address on a custom domain should not be assumed to ignore periods.

I can also see how this feature could help facilitate nefarious activities. In another experience, I received store rewards information for a different John Smith located thousands of miles away from me. From that scenario, I learned that companies often do not account for this behavior when matching Gmail addresses in their databases: the two spellings were treated as two different customers, and nobody verified that the person who entered johnsmith@gmail.com actually controlled that inbox. In this case, I could manage my own rewards account using john.smith@gmail.com, and since the other John Smith on the other side of the country had his rewards information sent to johnsmith@gmail.com, I could have managed his account as well, all from one inbox.
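The two checks described above, the company-side one (does this new address reach an inbox we already have on file?) and the recipient-side one (was this message sent to the exact spelling I gave this vendor?), both come down to canonicalizing the address. The Python below is an added example, not code from the original post or from any of the companies mentioned; the account records are constructed sample data and the function names are the author’s own. It relies on two facts about consumer Gmail: periods and anything from a “+” onward in the local part are ignored, and googlemail.com delivers to the same account as gmail.com. For every other domain it deliberately leaves the local part alone, because many providers do treat periods as significant.

```python
"""Canonicalize Gmail addresses and detect the two problems in the story.

Added example, not code from the original post. The sample accounts and
the helper names are constructed for illustration.
"""
from collections import defaultdict

# Consumer Gmail domains where Google ignores dots and '+tags' in the local part.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonicalize(address: str) -> str:
    """Return the mailbox an address actually delivers to.

    For consumer Gmail, dots in the local part are ignored, anything from a
    '+' onward is ignored, case is ignored, and googlemail.com is an alias
    of gmail.com. For any other domain only the domain is lowercased: the
    receiving server owns local-part semantics, and many providers do treat
    dots as significant, so stripping them there would merge distinct users.
    """
    address = address.strip()
    if address.count("@") != 1:
        raise ValueError(f"not a single mailbox address: {address!r}")
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "").lower()
        domain = "gmail.com"
    return f"{local}@{domain}"


def find_collisions(accounts):
    """Group account IDs whose email addresses reach the same mailbox.

    `accounts` is an iterable of (account_id, email). Returns a dict mapping
    each canonical address shared by two or more accounts to the list of
    account IDs, in input order. This is the check a rewards or travel site
    would run to notice that john.smith@ and johnsmith@ are one inbox.
    """
    by_mailbox = defaultdict(list)
    for account_id, email in accounts:
        by_mailbox[canonicalize(email)].append(account_id)
    return {mailbox: ids for mailbox, ids in by_mailbox.items() if len(ids) > 1}


def classify_recipient(to_address: str, registered: str) -> str:
    """Apply the dot-variant phishing heuristic from the recipient's side.

    `registered` is the exact spelling you gave this particular sender.
      'exact'            - the To: address is the one you gave them
      'variant-mismatch' - same inbox, different spelling: the sender got
                           your address somewhere else; treat as suspicious
      'other-mailbox'    - addressed to a mailbox that is not yours at all
    """
    if to_address.strip().lower() == registered.strip().lower():
        return "exact"
    if canonicalize(to_address) == canonicalize(registered):
        return "variant-mismatch"
    return "other-mailbox"


# Constructed sample data: three spellings of one Gmail inbox, plus two
# addresses on a domain where dots are significant.
SAMPLE_ACCOUNTS = [
    ("acct-1001", "john.smith@gmail.com"),
    ("acct-2042", "johnsmith@gmail.com"),
    ("acct-3177", "J.O.H.N.Smith+rewards@googlemail.com"),
    ("acct-4410", "john.smith@example.com"),
    ("acct-5523", "johnsmith@example.com"),
]

if __name__ == "__main__":
    for mailbox, ids in find_collisions(SAMPLE_ACCOUNTS).items():
        print(f"{mailbox}: {len(ids)} accounts share this inbox -> {ids}")
    # The power-company scenario: mail arrived at a spelling you never gave them.
    print(classify_recipient("johnsmith@gmail.com", "j.ohnsmith@gmail.com"))
```

Run against the sample data, only the three Gmail spellings collapse into one mailbox; the two example.com addresses stay distinct, which is the conservative behavior you want when you cannot be sure how a provider treats periods. On the company side, a collision is a signal to require a verification email before attaching a new account to that inbox, rather than a reason to silently merge records.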

So as it turns out, I hadn’t suffered a cyberattack after all. I did learn a thing or two about email security, however. While there are certainly benefits to the Gmail feature that ignores periods in email addresses for everyday users, that same feature could lead to problems for users who don’t follow email security best practices, and for companies that treat two spellings of one inbox as two different customers without verifying who controls it.
