Recently James Fisher received an email from Netflix asking him to update his credit card information. In his own words:
“Odd,” I thought, “but OK, I’ll check.” The email is genuinely from netflix.com, so I clicked the link. It logged me in and took me to an “Update your credit or debit card” page, which is genuinely hosted on netflix.com. No phishing here. But hang on, the “Update” page showed my declined card as **** 2745. A card number I don’t recognize. Checking my records, I’ve never seen this card number. What’s going on?

I finally realized that this email is to email@example.com. I normally use firstname.lastname@example.org, with no dots. You might think this email should have bounced, but instead it reached my inbox, because “dots don’t matter in Gmail addresses”.
Whenever you handle email addresses in your code, remember that Gmail ignores dots in the local part, and also beware of plus addressing (user+tag@example.com), which routes to the same inbox as user@example.com. James also offers a nice idea for how Gmail could prevent many of these scams.
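As an added example (my own code, not from James Fisher's post or from Gmail), here is a small Python helper that reduces an address to the inbox it actually reaches: for gmail.com and googlemail.com it lowercases the local part, drops everything from the first "+" onward, removes the dots and folds googlemail.com into gmail.com; for every other domain it leaves the local part alone (dots are significant there) and only normalizes the domain. The function names `canonical_email`, `same_inbox` and `find_duplicate_accounts` and the address list are constructed for this example. This is the check a signup or account-recovery flow would run to notice that two "different" addresses are really one inbox.

```python
from typing import Dict, Iterable, List

# Domains where the provider ignores dots in the local part and honours
# "+tag" suffixes. Assumption for this example: only Google's domains.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> str:
    """Return the address that identifies the receiving inbox.

    Gmail rules applied only to Gmail domains: lowercase, strip "+tag",
    strip dots, and map googlemail.com to gmail.com. Other domains keep
    their local part untouched, because for them "a.b" and "ab" may be
    two different users.
    """
    address = address.strip()
    if address.count("@") != 1:
        raise ValueError(f"not a simple user@domain address: {address!r}")
    local, domain = address.rsplit("@", 1)
    domain = domain.lower().rstrip(".")
    if not local or not domain:
        raise ValueError(f"empty local part or domain: {address!r}")

    if domain in GMAIL_DOMAINS:
        local = local.lower().split("+", 1)[0].replace(".", "")
        if not local:
            raise ValueError(f"Gmail local part is empty after normalizing: {address!r}")
        domain = "gmail.com"

    return f"{local}@{domain}"


def same_inbox(a: str, b: str) -> bool:
    """True when both addresses deliver to the same mailbox under the rules above."""
    return canonical_email(a) == canonical_email(b)


def find_duplicate_accounts(addresses: Iterable[str]) -> Dict[str, List[str]]:
    """Group registered addresses by canonical form; return only the groups
    with more than one spelling, i.e. one inbox holding several accounts."""
    groups: Dict[str, List[str]] = {}
    for addr in addresses:
        groups.setdefault(canonical_email(addr), []).append(addr)
    return {inbox: spellings for inbox, spellings in groups.items() if len(spellings) > 1}


# Constructed sample data: a handful of signups, three of which are one Gmail inbox.
SAMPLE_ACCOUNTS = [
    "james.fisher@gmail.com",
    "jamesfisher@gmail.com",
    "J.A.M.E.S.Fisher+netflix@googlemail.com",
    "alice@example.org",
    "a.lice@example.org",   # not Gmail: a different user, must not be merged
]

if __name__ == "__main__":
    for inbox, spellings in find_duplicate_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{inbox} is registered {len(spellings)} times: {spellings}")
```

Running the block reports one inbox, jamesfisher@gmail.com, registered three times; the two example.org addresses stay separate because dot-insensitivity is a Gmail behaviour, not a general email rule.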