I recently received an email from Netflix which nearly caused me to add my card details to someone else’s Netflix account. Here I show that this is a new kind of phishing scam which is enabled by an obscure feature of Gmail called “the dots don’t matter”. I then argue that the dots do matter, and that this Gmail feature is in fact a misfeature. Finally I’ll suggest some ways the Gmail team can combat such scams in future. But first, I’ll show you the email:
“Odd”, I thought, “but OK, I’ll check”. The email is genuinely from netflix.com, so I clicked the link. It logged me in and took me to an “Update your credit or debit card” page, which is genuinely hosted on netflix.com. No phishing here. But hang on, the “Update” page showed my declined card as **** 2745. A card number I don’t recognize. Checking my records, I’ve never seen this card number. What’s going on?
I finally realized that this email is to email@example.com. I normally use firstname.lastname@example.org, with no dots. You might think this email should have bounced, but instead it reached my inbox, because “dots don’t matter in Gmail addresses”: If someone accidentally adds dots to your address when emailing you, you’ll still get that email. For example, if your email is email@example.com, you own all dotted versions of your address.
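As an added example, not code from the post or from Gmail or Netflix, here is a Python check a service could run over its own user table to find registered addresses that Gmail delivers to one inbox: it strips the dots from the local part of Gmail addresses and groups records that collapse to the same mailbox. The sample addresses are constructed, and treating googlemail.com as an alias of gmail.com is an assumption of the example.

```python
import re

# Domains whose mail servers ignore dots in the local part. gmail.com is the
# case the post describes; googlemail.com is assumed here to be an alias.
DOT_INSENSITIVE_DOMAINS = {"gmail.com": "gmail.com", "googlemail.com": "gmail.com"}

_ADDR_RE = re.compile(r"^([^@\s]+)@([^@\s]+)$")


def canonical_address(address: str) -> str:
    """Return the mailbox an address actually delivers to.

    For dot-insensitive providers the dots in the local part are dropped and
    the address is case-folded, so every dotted spelling maps to the same
    canonical mailbox. Other domains keep their local part as-is, since dots
    are significant there; only the domain is lower-cased.
    """
    m = _ADDR_RE.match(address.strip())
    if not m:
        raise ValueError(f"not an email address: {address!r}")
    local, domain = m.group(1), m.group(2).lower()
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "").lower()
        domain = DOT_INSENSITIVE_DOMAINS[domain]
    return f"{local}@{domain}"


def find_mailbox_collisions(addresses):
    """Group registered addresses that deliver to the same mailbox.

    A service that stores addresses verbatim can hold two accounts whose
    mail lands in one Gmail inbox, which is the confusion the post describes.
    Returns {canonical mailbox: [raw addresses]} for mailboxes with 2+ entries.
    """
    by_mailbox = {}
    for raw in addresses:
        by_mailbox.setdefault(canonical_address(raw), []).append(raw)
    return {k: v for k, v in by_mailbox.items() if len(v) > 1}


if __name__ == "__main__":
    # Constructed sample of a user table; the addresses are illustrative only.
    users = [
        "john.smith@gmail.com",
        "johnsmith@gmail.com",
        "J.Smith@googlemail.com",
        "john.smith@example.org",  # not Gmail: dots are significant here
        "jane.doe@gmail.com",
    ]
    for mailbox, raws in find_mailbox_collisions(users).items():
        print(f"{mailbox}: {raws}")  # prints one colliding pair
```

Running this over a real user table would flag accounts such as the two in the post before a password-reset or billing email is sent to the wrong person.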
To carry on reading, please visit: https://jameshfisher.com/2018/04/07/the-dots-do-matter-how-to-scam-a-gmail-user.html