If someone accidentally adds dots to your address when emailing you, you’ll still get that email. For example, if your email is johnsmith@gmail.com, you own all dotted versions of your address:

• john.smith@gmail.com
• jo.hn.sm.ith@gmail.com
• j.o.h.n.s.m.i.t.h@gmail.com

The intention of this is good but it also opens a door for a phishing scam. Here is an example.

James Hfisher received an email from Netflix asking him to update his payment details.

Since the email is genuinely from Netflix, he clicked the link. It logged him in and directed him to an “Update your credit or debit card” page, which again is genuinely hosted on Netflix. No phishing spotted so far.

But then, he found that he doesn’t recognize the credit card number shown on the Update page, never seen that number and certainly never used one. What’s going on?

James finally realized that the email was sent to james.hfisher@gmail.com with a dot in it while the one he uses doesn’t. The email was supposed to be bounced but instead, it ended up in James’ inbox, thanks to Gmail’s dots don’t matter feature.

Here is how this runs down, concluded by James eventually.

1. Hammer the Netflix signup form until you find angmail.com address which is “already registered”. Let’s say you find the victim,jameshfisher
2. Create a Netflix account with address,james.hfisher.
3. Sign up for a free trial with a throwaway card number.
4. After Netflix applies the “active card check”, cancel the card.
5. Wait for Netflix to bill the canceled card. Then Netflix emailsjames.hfisher for a valid card.
6. Hope Jim reads the email to james.hfisher, assumes it’s for his Netflix account backed by jameshfisher, then enters his card,**** 1234.
7. Change the email for the Netflix account to eve@gmail.com, kicking Jim’s access to this account.
8. Use Netflix free forever with Jim’s card **** 1234!

So, dots do matter in some cases.

/via James Hfisher/