It happened one day out of the blue in mid-October. I received a notification that a trip was added to my personal Google calendar — destination: Cebu, Philippines. What? Did I just fall victim to a cyberattack?

I logged into my personal Gmail account and found an email with the travel itinerary. I started to panic, and thoughts of despair began to creep into my mind. How could I have booked a trip to the Philippines when I don’t even have a passport?

A Phishing Attack or a False Alarm?

I stared at my screen for a few moments trying to figure out what to do. I took a breath and thought back on all the discussions I had with my mentor about email security best practices and what to do in this scenario.

I started with the obvious things. I checked my credit cards and, to my relief, there was no charge for a trip. Then I checked the Have I Been Pwned database and didn’t find anything out of the ordinary. However, to be safe, I immediately changed my password.

I went back to the itinerary email and started reading through to make sure this wasn’t a phishing attempt. Rather than click on any of the hyperlinks in the email, I did a search to see if the travel site was legitimate. The site was legit, but I didn’t find anything to prove that it wasn’t a phishing email.

At the bottom of the email, I found two links in the fine print and started to investigate those for legitimacy. I read in the disclosure portion of the email that if I went to one of the links, I could make alterations to my itinerary and flight information. I started with that link to further my investigation. To my surprise, all I needed was a last name and a confirmation number, which was included in the email.

I was shocked at how easily I was able to get into the site with no login credentials. I had complete access to someone’s flight itinerary, among other data that probably should’ve been better protected. The deeper I dug into my issue, the more I empathized with the person taking the trip.

Why Periods Don’t Matter in Gmail Addresses

With enough information to assuage my fear that my identity had been stolen, that concern gave way to curiosity. How did this happen? I started digging deeper into the email I received with the itinerary, and the tell-tale sign was there in the email header. On the “To:” line, I saw the following: “to: johnsmith@gmail.com (Yes, this is you).” Wait, what? I registered my username as john.smith when I signed up, so how could this be me?

To satisfy my curiosity, I clicked on the “Learn More” link that accompanied the aforementioned prompt. It took me to a Google support page that explained how Gmail ignores periods before the @ symbol. How was I not aware of this Gmail feature?

I still wasn’t 100 percent convinced, so I did some of my own testing. I logged into my account using johnsmith instead of john.smith, and I was directed straight to my inbox. Next, I sent myself some test emails. I sent one to johnsmith@gmail.com and boom! It was in my inbox. I then logged into a competing free email service, sent an email to j.o.h.n.s.m.i.t.h@gmail.com, and watched my inbox with great anticipation. After a few minutes, there it was. I guess the Google support page was accurate after all.

How Does This Gmail Feature Impact Email Security?

I can see the advantages of using this Gmail feature, since it enables users to manage multiple email addresses from one inbox. If I wanted to, I could use john.smith@gmail.com to manage specific duties for, say, paperless credit card statements, and johnsmith@gmail.com for technical newsletters. This could help you gauge and track your spam emails, and it would give you an indication of who is potentially sharing your information.

You have the option to be incredibly specific by strategically placing periods before the @ symbol for an individual site. This could help you gauge the validity of potential phishing attacks as well. If you get an email addressed to johnsmith@gmail.com from the power company, but you knowingly used j.ohnsmith@gmail.com for that account, you can quickly determine that it is phony. This is especially useful for sniffing out attempts to steal your credentials via phishing emails.

I can also see how this feature could help facilitate nefarious activities. In another experience, I received store rewards information for a different John Smith located thousands of miles away from me. From that scenario, I learned that companies often do not account for this Gmail behavior when checking their databases for existing addresses. In this case, it would’ve allowed me to manage my rewards account using john.smith@gmail.com, and since the other John Smith on the other side of the country sent me his rewards information, I could manage his account using johnsmith@gmail.com, all from one inbox.
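The two sides of this feature, the dotted-address test described earlier and the duplicate rewards accounts just mentioned, come down to one question: does a system compare the address as typed, or the mailbox it actually reaches? The following is an added example, not code from the article or from any company discussed in it, that normalizes Gmail addresses the way Gmail itself does (dots dropped, case ignored) so a registration database can spot two records that land in one inbox, and separately performs the literal comparison you would use to check that a sender wrote to the exact dotted form you gave it. The domain list, the sample account records and the function names are assumptions made for the example; googlemail.com is included because Google treats it as an alias of gmail.com.

```python
from email.utils import parseaddr

# Domains where Google ignores periods in the local part. The article only
# discusses gmail.com; googlemail.com is Google's older alias for the same
# mailboxes. Anything else is treated as dot-sensitive (assumption).
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> str:
    """Return the form under which two addresses should be compared.

    For Gmail, john.smith@gmail.com, johnsmith@gmail.com and
    j.o.h.n.s.m.i.t.h@gmail.com all reach one inbox, so the periods are
    removed and the local part lowercased. For other domains only the
    domain is lowercased; the local part is left untouched because the
    standard allows it to be case-sensitive.
    """
    _, addr = parseaddr(address)  # strips a display name if present
    if "@" not in addr:
        raise ValueError(f"not an email address: {address!r}")
    local, domain = addr.rsplit("@", 1)
    domain = domain.lower()
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "").lower()
    return f"{local}@{domain}"


def find_colliding_accounts(accounts):
    """Group account records whose addresses map to the same mailbox.

    Returns {canonical_address: [record, ...]} for every mailbox that owns
    more than one record. This is the check a rewards program would need
    to notice that two 'different' John Smiths share an inbox.
    """
    by_canonical = {}
    for record in accounts:
        key = canonical_email(record["email"])
        by_canonical.setdefault(key, []).append(record)
    return {key: recs for key, recs in by_canonical.items() if len(recs) > 1}


def recipient_matches_registered(to_header: str, registered: str) -> bool:
    """Literal comparison for the reader's own phishing check.

    If you gave the power company j.ohnsmith@gmail.com and a message
    claiming to be from them arrives addressed to johnsmith@gmail.com,
    the dotted forms differ even though the mail was delivered. Only the
    case is ignored here; the periods are deliberately NOT normalized.
    """
    _, to_addr = parseaddr(to_header)
    return to_addr.lower() == registered.strip().lower()


# Constructed sample registry for the example; not data from the article.
SAMPLE_ACCOUNTS = [
    {"id": 101, "email": "john.smith@gmail.com", "city": "Austin"},
    {"id": 102, "email": "johnsmith@gmail.com", "city": "Boston"},
    {"id": 103, "email": "J.O.H.N.Smith@GMAIL.com", "city": "Denver"},
    {"id": 104, "email": "john.smith@example.com", "city": "Seattle"},
]


if __name__ == "__main__":
    for mailbox, records in find_colliding_accounts(SAMPLE_ACCOUNTS).items():
        ids = ", ".join(str(r["id"]) for r in records)
        print(f"{mailbox} is shared by account ids {ids}")
    suspicious = not recipient_matches_registered(
        "johnsmith@gmail.com", "j.ohnsmith@gmail.com"
    )
    print("address form differs from the one registered:", suspicious)
```

A registration or lookup path that stores the address as typed but keys on `canonical_email()` catches the rewards-account overlap before two records are created; the literal check is the reverse trade-off and belongs on the recipient's side, where the exact dotted form is the signal.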

So as it turns out, I hadn’t suffered a cyberattack after all. I did learn a thing or two about email security, however. While there are certainly benefits to the Gmail feature that ignores periods in email addresses for common users, that same feature could lead to problems for users who don’t follow email security best practices.
