Netflix scam tricks Gmail users by exploiting “dots-don’t-matter” quirk

A Gmail quirk could open up users who have a dot in their email address to phishing attacks.

Google’s email service famously doesn’t recognise dots in email addresses. As the company explains, “If someone accidentally adds dots to your address when emailing you, you’ll still get that email. For example, if your email is johnsmith@gmail.com, you own all dotted versions of your address.”

This means that, if someone were to email john.smith@gmail.com or even j.o.h.n.s.m.i.t.h@gmail.com, the message would still be delivered to johnsmith@gmail.com.

However, other sites and services, such as Netflix, do recognise dots in email addresses, and would consider an account registered to johnsmith@gmail.com and an account registered to john.smith@gmail.com to be completely separate. That’s a potential problem.
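The following is an added example, not code from the article, Netflix or Google: it canonicalises Gmail addresses the way Gmail routes them, so that a service which treats dotted variants as distinct can spot a new registration that would reach an existing customer's inbox. The sample user table is constructed for illustration.

```python
# Added example (not from the article, Netflix or Google): canonicalise a
# Gmail address the way Gmail routes it, so a service that treats dotted
# variants as distinct can flag registrations sharing one real inbox.
from collections import defaultdict


def canonical_mailbox(address: str) -> str:
    """Return the address that actually receives mail sent to `address`.

    For gmail.com, dots in the local part are ignored, so john.smith@gmail.com
    and j.o.h.n.s.m.i.t.h@gmail.com both resolve to johnsmith@gmail.com.
    Other domains are only lower-cased: their servers may treat dotted
    variants as separate mailboxes, so those must not be merged.
    """
    address = address.strip()
    if address.count("@") != 1:
        raise ValueError(f"not a single-mailbox address: {address!r}")
    local, domain = address.rsplit("@", 1)
    local, domain = local.lower(), domain.lower()
    if domain == "gmail.com":
        local = local.replace(".", "")
    return f"{local}@{domain}"


def same_mailbox(a: str, b: str) -> bool:
    """True if mail to `a` and mail to `b` lands in the same inbox."""
    return canonical_mailbox(a) == canonical_mailbox(b)


def find_collisions(registered: list[str]) -> dict[str, list[str]]:
    """Group registered addresses by the inbox they really reach, keeping only
    inboxes with more than one registration: the situation in which a
    payment-details email for one account lands with the other's owner."""
    by_inbox: dict[str, list[str]] = defaultdict(list)
    for addr in registered:
        by_inbox[canonical_mailbox(addr)].append(addr)
    return {inbox: addrs for inbox, addrs in by_inbox.items() if len(addrs) > 1}


# Constructed sample user table mirroring the article's scenario.
SAMPLE_ACCOUNTS = [
    "jameshfisher@gmail.com",   # the real customer's long-standing account
    "james.hfisher@gmail.com",  # the later, dotted registration
    "johnsmith@gmail.com",
    "john.smith@example.org",   # non-Gmail domain: dots stay significant
    "johnsmith@example.org",
]

if __name__ == "__main__":
    for inbox, variants in find_collisions(SAMPLE_ACCOUNTS).items():
        print(f"{inbox}: {variants}")
```

A service can run this check at signup time, or over its existing user table, and treat a match as a reason to require email verification before the account is activated.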

As reported by The Register, this discrepancy almost tricked a developer, James Fisher, into adding his card details to someone else’s Netflix account.

He received a legitimate email from Netflix earlier this year, telling him his account was on hold and advising him to update his payment details. However, when he followed through and took a closer look, he noticed that the card number associated with the account was not his.

“I finally realized that this email is to james.hfisher@gmail.com. I normally use jameshfisher@gmail.com, with no dots. You might think this email should have bounced, but instead it reached my inbox, because ‘dots don’t matter in Gmail addresses,’” he wrote.

The james.hfisher@gmail.com-backed Netflix account had been created in September 2017, whereas Fisher’s actual Netflix account has been up and running since 2013. Since you don’t need to verify the email address associated with a Netflix account when you first sign up, you can start watching shows straight away.

Fisher, who has branded dots-don’t-matter a “misfeature”, says it leaves users vulnerable to scammers.

To exploit the confusion around it, all they’d need to do is find a Gmail address that’s already registered on Netflix, create a Netflix account using that email address, only with dots added in, sign up for a free trial using a “throwaway” card number, then cancel the card.

In response, Netflix would email the real Gmail account user, asking for their payment details. Unless they were really alert, they’d then unwittingly add their payment information to the scammer’s Netflix account.

“The Gmail team should combat this kind of phishing. They should officially acknowledge that dots-don’t-matter is a misfeature,” Fisher continued.

“Each Google account should have one variant configured as its standard address; I would set jameshfisher@gmail.com as standard, and maybe John would set john.smith@gmail.com as standard. If an email is sent to a non-standard address, it should be shown with a warning.

“Finally, Gmail users should be able to opt out of dots-don’t-matter. I wish for any mail sent to james.hfisher@gmail.com to bounce instead of reaching my inbox. The dots-don’t-matter feature should be disabled by default for any new Google accounts, and eventually retired.”

A Netflix spokesperson told Trusted Reviews: “We are aware of this Gmail-specific feature and are actively working on measures to protect against it being used in a malicious way toward Netflix and our members. Netflix members who want to learn more about how to keep their personal information safe against scams and other malicious activity can go to netflix.com/security and should contact Customer Service immediately if they notice anything that is out of the ordinary with their account.”

We’ve also contacted Google, and will update this article when we hear back.

Do you find dots-don’t-matter useful? Share your thoughts and concerns on Twitter @TrustedReviews.
