

Netflix scam tricks Gmail users by exploiting “dots-don’t-matter” quirk

A Gmail quirk could open up users who have a dot in their email address to phishing attacks.

Google’s email service famously doesn’t recognise dots in email addresses. As the company explains, “If someone accidentally adds dots to your address when emailing you, you’ll still get that email. For example, if your email is johnsmith@gmail.com, you own all dotted versions of your address.”

This means that, if someone were to email john.smith@gmail.com or even j.o.h.n.s.m.i.t.h@gmail.com, the message would still be delivered to johnsmith@gmail.com.

However, other sites and services, such as Netflix, do recognise dots in email addresses, and would consider an account registered to johnsmith@gmail.com and an account registered to john.smith@gmail.com to be completely separate. That’s a potential problem.

As reported by the Register, this discrepancy almost tricked a developer called James Fisher into adding his card details to someone else’s Netflix account.

He received a legitimate email from Netflix earlier this year, telling him his account was on hold and advising him to update his payment details. However, when he followed through and took a closer look, he noticed that the card number associated with the account was not his.

“I finally realized that this email is to james.hfisher@gmail.com. I normally use jameshfisher@gmail.com, with no dots. You might think this email should have bounced, but instead it reached my inbox, because ‘dots don’t matter in Gmail addresses,’” he wrote.

The Netflix account registered to james.hfisher@gmail.com had been created in September 2017, whereas Fisher’s own Netflix account has been up and running since 2013. Because Netflix does not require you to verify the email address associated with an account when you first sign up, you can start watching shows straight away.

Fisher, who has branded dots-don’t-matter a “misfeature”, says it leaves users vulnerable to scammers.

To exploit the confusion around it, all they’d need to do is find a Gmail address that’s already registered on Netflix, create a Netflix account using that email address, only with dots added in, sign up for a free trial using a “throwaway” card number, then cancel the card.

In response, Netflix would email the real Gmail account user, asking for their payment details. Unless they were really alert, they’d then unwittingly add their payment information to the scammer’s Netflix account.

“The Gmail team should combat this kind of phishing. They should officially acknowledge that dots-don’t-matter is a misfeature,” Fisher continued.

“Each Google account should have one variant configured as its standard address; I would set jameshfisher@gmail.com as standard, and maybe John would set john.smith@gmail.com as standard. If an email is sent to a non-standard address, it should be shown with a warning.

“Finally, Gmail users should be able to opt out of dots-don’t-matter. I wish for any mail sent to james.hfisher@gmail.com to bounce instead of reaching my inbox. The dots-don’t-matter feature should be disabled by default for any new Google accounts, and eventually retired.”
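The two behaviours the article contrasts (Gmail routing on a dot-free local part, a third-party service comparing the raw string) and the two mitigations Fisher proposes (a collision check a service could run at signup, and a warning on mail addressed to a non-standard variant) are small enough to model directly. The following is an added example written for this page; it is not code from Trusted Reviews, Google or Netflix. The function names, the restriction to the gmail.com domain and the sample account list are all assumptions made for the illustration.

```python
"""Gmail-style address canonicalisation and the defensive checks it enables.

Added example, not Google's or Netflix's code. Models two behaviours the
article contrasts: Gmail ignores dots in the local part, while another
service compares the raw string. Function names and sample data are
constructed for this illustration.
"""
from typing import List, Optional

# Assumption: only the domain named in the article is treated as dot-insensitive.
GMAIL_DOMAINS = {"gmail.com"}


def canonical_gmail(address: str) -> str:
    """Return the lower-cased, dot-free form that Gmail routes on.

    For any other domain the address is only lower-cased, because we cannot
    assume other providers ignore dots.
    """
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    domain = domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.replace(".", "")
    return f"{local.lower()}@{domain}"


def same_gmail_inbox(a: str, b: str) -> bool:
    """True when Gmail would deliver mail for both addresses to one inbox."""
    return canonical_gmail(a) == canonical_gmail(b)


def find_inbox_collisions(registered: List[str], new_address: str) -> List[str]:
    """Service-side check at signup (the check the article implies Netflix lacks).

    Returns every existing account whose raw address differs from the new one
    but whose mail would land in the same Gmail inbox.
    """
    return [
        existing
        for existing in registered
        if existing.lower() != new_address.lower()
        and same_gmail_inbox(existing, new_address)
    ]


def non_standard_variant_warning(standard: str, envelope_to: str) -> Optional[str]:
    """Fisher's proposal on the mail-provider side: the user designates one
    variant as standard, and mail addressed to any other dotted variant of the
    same inbox is shown with a warning. Returns None when no warning applies.
    """
    if envelope_to.lower() == standard.lower():
        return None  # addressed to the standard variant
    if not same_gmail_inbox(standard, envelope_to):
        return None  # a different inbox altogether, not a dots variant
    return (
        f"Warning: this message was addressed to {envelope_to}, "
        f"not to your standard address {standard}"
    )


if __name__ == "__main__":
    # Constructed sample of accounts a service might already hold.
    accounts = ["jameshfisher@gmail.com", "johnsmith@gmail.com", "alice@example.org"]
    print(find_inbox_collisions(accounts, "james.hfisher@gmail.com"))
    print(non_standard_variant_warning("jameshfisher@gmail.com", "james.hfisher@gmail.com"))
```

Run as a script, the first print lists `jameshfisher@gmail.com` as a collision for the dotted signup, and the second prints the warning text; a service that ran `find_inbox_collisions` before creating an account would have caught the case the article describes at registration rather than at the payment-reminder stage.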

A Netflix spokesperson told Trusted Reviews: “We are aware of this Gmail-specific feature and are actively working on measures to protect against it being used in a malicious way toward Netflix and our members. Netflix members who want to learn more about how to keep their personal information safe against scams and other malicious activity can go to netflix.com/security and should contact Customer Service immediately if they notice anything that is out of the ordinary with their account.”

We’ve also contacted Google, and will update this article when we hear back.

