Nearly 2 billion people use the free Gmail email service from Google, which rightly boasts plenty of measures to protect user privacy and secure accounts from malicious activity. With more than 300 billion emails flowing through the service every day, you might be surprised to learn that one simple mistake could wreck all of that and expose your email messages to complete strangers. Making this mistake not only compromises your privacy, but also has the potential to compromise account security beyond the boundary of just email. Stop being ‘clever’ with your email address or you could be leaking confidential information like a sieve.
Gmail Security Is Top Notch
It’s not just cybercriminals, hackers or even family members who pose a threat to your email; your biggest enemy could actually be yourself. The door to your inbox, and especially your Gmail inbox given that it is the most widely used email provider, is a prime target for those looking to get hold of everything from account login credentials to confidential personal information. Luckily, Gmail has some of the best security measures to ensure your inbox remains private and would-be snoopers are kept at bay.
Google’s Advanced Protection Program, of interest mostly to high-risk users such as politicians, activists and journalists, provides the most secure option for ensuring only you can access your account. In July, Google made this an even more attractive security option by doing away with the need to purchase expensive hardware keys and instead opening the program up to users with passkeys as well.
Then there’s the use of AI large language models to protect Gmail users from malware and spam, capable of detecting twice as much malware as bog-standard third-party antivirus and security products, according to Google. And talking of spam and malware, Google has also implemented strict authentication for bulk senders of email to Gmail users in an effort to further dilute the risk of malicious messages getting through.
So, what’s the one thing that some Gmail users are doing that can drive a huge hole straight through much of this protection? The answer is trying to be clever with addressing.
Don’t Mess Around With Your Gmail Address
Both my inbox and online Gmail support groups, be that the official Google one or over on Reddit, are testament to the fact that people like to be clever with their email addressing and often end up making a huge mistake when it comes to privacy and security as a result.
I know all too well how someone can fall foul of this mistake without having any idea that they have, from my own personal experience. I used to have a Gmail account of the [email protected] variety which I used as an alias for certain investigative journalism activities many years ago. Any incoming email addressed to this account was automatically forwarded to another account which I monitor more often. Over time, that alias address became forgotten about and was even purged from my password manager. I have no way of accessing it now even if I wanted to, and so no way of disabling that forwarding rule. Which is a shame, because someone with the same [email protected] account thought they were being clever and turning it into, effectively, a number of specific family member accounts by using a dotted version of first [email protected] instead.
This trick has often been used by people who wanted to see where unwanted marketing emails were originating, by using something like [email protected], [email protected], [email protected] and so on. The issues start when you realize, as Google makes quite clear in a support document, that dots don’t matter in Gmail addresses: if your email is [email protected], you own all the dotted versions of that address. Which means you’d get email messages addressed to [email protected], for example. Still not a huge issue yet, as it would be quite a coincidence were this to impact you, given all the potential combinations out there. However, if you owned [email protected] and someone who owned [email protected] decided to use a dotted address of [email protected], you would get a copy of all those messages, because as far as Google is concerned [email protected] and [email protected] are one and the same address, owner and account.
“If anyone tries to create a Gmail account with a dotted version of your username,” Google said, “they’ll get an error saying the username is already taken.” But [email protected] and [email protected] are not the same, and that’s where the confusion lies: adding the dotted name to the latter leaves your incoming emails exposed to the owner of the undotted full name.
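To make the collision concrete, here is a small Python check (an added example, not from the article or from Google) that canonicalises addresses the way Gmail treats dots, so you can tell whether a “clever” dotted alias still lands in your own inbox or in a stranger’s. It assumes only the gmail.com and googlemail.com domains ignore dots; the sample addresses are constructed.

```python
# Added example: canonicalise Gmail addresses the way Gmail does for dots,
# so two addresses can be compared for whether they reach the same inbox.
# Assumption: only gmail.com and googlemail.com ignore dots in the local part;
# any other provider is left exactly as written.

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical(address: str) -> str:
    """Return the form Gmail actually delivers to.

    For Gmail domains the dots in the local part are dropped and the name is
    lower-cased; for every other domain only the domain is lower-cased.
    """
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    domain = domain.lower()
    if domain in GMAIL_DOMAINS:
        # Dots are not part of the account identity on Gmail.
        local = local.replace(".", "").lower()
    return f"{local}@{domain}"


def same_inbox(a: str, b: str) -> bool:
    """True when Gmail would deliver both addresses to one account."""
    return canonical(a) == canonical(b)


def dotted_alias_is_yours(your_address: str, alias: str) -> bool:
    """Does a dotted alias still reach YOUR account?

    The article's case: the owner of firstname@gmail.com used
    firstname.lastname@gmail.com as a family alias, which Gmail reads as
    firstnamelastname@gmail.com, i.e. somebody else's account.
    """
    return same_inbox(your_address, alias)


if __name__ == "__main__":
    # Constructed samples: which inbox receives mail sent to each alias?
    checks = [
        ("firstnamelastname@gmail.com", "first.name.lastname@gmail.com"),
        ("firstname@gmail.com", "firstname.lastname@gmail.com"),
        ("first.name@example.org", "firstname@example.org"),
    ]
    for owner, alias in checks:
        verdict = "same inbox" if dotted_alias_is_yours(owner, alias) else "DIFFERENT account"
        print(f"{alias:32} -> {canonical(alias):30} {verdict}")
```

Run it before adopting any dotted alias: a verdict of “DIFFERENT account” means every message sent to that alias will be read by whoever owns the undotted name.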
Mitigating The Privacy Problem Of Using Dotted Addresses
I should point out that, of course, this could come under the broader remit of forwarding email to an incorrect email address, a typo, and as such applies to any email platform rather than being an underlying Gmail security issue. However, not all email providers will treat dotted addresses in the same way, so it’s worth checking with yours to see whether that’s the case or not. Better still, just don’t do it at all. Apple users can make use of the Hide My Email feature, which generates unique, random email addresses that are forwarded automatically to your personal inbox. My preferred email client, Proton Mail, also has a hide-my-email alias feature that works in the same way.
I approached Google for comment and a spokesperson pointed me towards the “Dots don’t matter in Gmail addresses” support document mentioned earlier. If you get an email that is obviously meant for someone else, Google suggests notifying the sender that they have the wrong address, and reporting anything that might be suspicious as spam or a phishing message. Obviously, do not click on any links in such emails. I would also suggest sending an email to the recipient who has made the mistake of using a dotted address so they are aware of the problem. This is what I did, but the messages still kept on coming, so I created a filter rule that deleted them on arrival.