FTC Warns Users to be on the Lookout for New Netflix Phishing Scam

Threat Alert

On 26 December, the FTC published a notice after the City of Solon police department first shared a screenshot of the scam. The ruse begins when a user receives an email from what appears to be Netflix informing them that the streaming service is “having some trouble with [their] current billing information.” The email directs the recipient to click on an “UPDATE ACCOUNT NOW” button. Clicking on the link doesn’t bring the user to Netflix, however. It redirects them to a young (recently registered) domain hosting a phishing page that’s designed to steal their Netflix credentials. If successful, bad actors can then attempt to reuse those stolen details across other web services and compromise other valuable accounts.

As in many phishing attacks, this scam uses official logos to lure users into a false sense of trust. But certain elements do give away the email as a fake. First, the sending address is not a Netflix.com address; the attackers chose not to spoof that domain in an attempt to outsmart simple SPF filtering. Second, it does not address the customer by name but instead begins with “Hi Dear,” an inappropriate and highly suspect salutation for legitimate business correspondence. Third, it uses British English to inform users that they have the option of visiting a “Help Centre.” This language choice, which might signify the scam’s international reach, should give American users pause if Netflix hasn’t previously employed British English to communicate with them.
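The giveaways listed above can be checked mechanically. The following is an added example, not code from the FTC, Netflix or Zix: it runs those checks over a constructed sample message, and the function names, indicator labels, addresses and URLs in it are hypothetical placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the description above; all addresses and URLs are placeholders.
SAMPLE = """\
From: Netflix <billing@mail-update.example>
To: user@example.org
Subject: Update your billing information
Content-Type: text/html; charset=utf-8

<p>Hi Dear,</p>
<p>We're having some trouble with your current billing information.</p>
<a href="http://account-verify.example/login">UPDATE ACCOUNT NOW</a>
<p>Need help? Visit the Help Centre.</p>
"""

def in_domain(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def phishing_indicators(raw, brand_domain="netflix.com"):
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    # Decode every text part so base64/quoted-printable bodies are inspected too.
    body = "".join(p.get_payload(decode=True).decode("utf-8", "replace")
                   for p in msg.walk() if p.get_content_maintype() == "text")
    brand = brand_domain.split(".")[0]
    claims_brand = brand in display.lower() or brand in body.lower()
    hits = []
    # 1. Brand named in the message, but the From address is not in the brand's domain.
    if claims_brand and not in_domain(addr.rpartition("@")[2], brand_domain):
        hits.append("sender_not_brand_domain")
    # 2. Generic greeting such as "Hi Dear," instead of the customer's name.
    text = re.sub(r"<[^>]+>", " ", body)
    if re.search(r"^\s*(hi|hello|dear)\s+(dear|customer|user|member)\b", text, re.I | re.M):
        hits.append("generic_salutation")
    # 3. British spelling; a weak signal, only meaningful for US-locale recipients.
    if re.search(r"\bhelp\s+centre\b", text, re.I):
        hits.append("en_gb_spelling")
    # 4. Links whose host is outside the brand's domain.
    for href in re.findall(r'href\s*=\s*["\']([^"\']+)', body, re.I):
        host = urlparse(href).hostname
        if claims_brand and host and not in_domain(host, brand_domain):
            hits.append("link_off_brand:" + host)
    return hits

if __name__ == "__main__":
    print(phishing_indicators(SAMPLE))
```

The suffix match in `in_domain` means a lookalike host that merely starts with the brand's domain name is still reported as off-brand.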

Not surprisingly, this isn’t the first Netflix phishing scam to target users. It’s not even the first to emerge in 2018. There were at least three other campaigns that arose over the course of the year:

  • In January, the Grand Rapids Police Department shared a screenshot on Facebook of another Netflix-themed ruse informing a user that the streaming service had slated their account for deactivation because it “could not validate billing information.” To rectify this alleged issue, the scam directed the user to click on a link and enter their personal information, including their payment card details.
  • ISC Handler Dr. Johannes B. Ullrich discovered a large number of Netflix-related phishing emails in March. These emails all linked to websites running WordPress or Drupal, CMS software which digital attackers likely compromised to stage their attacks. To add legitimacy to their phishing pages, the bad actors obtained TLS certificates for Netflix-related hostnames and domains.
  • Action Fraud drew attention to the third phishing campaign in September. Like the attacks that came before it, this scheme notified users that there was an issue with their account or that their account had been suspended. It then instructed users to update their account information by visiting genuine-looking phishing pages.

Netflix is aware of the most recent phishing campaign and is actively working to counter these bad actors. As a representative for the streaming service told Variety:

“We take the security of our members’ accounts seriously and Netflix employs numerous proactive measures to detect fraudulent activity to keep the Netflix service and our members’ accounts secure. Unfortunately, scams are common on the internet and target popular brands such as Netflix and other companies with large customer bases to lure users into giving out personal information.”

To protect their employees against these types of threats, organizations should invest in security awareness training around the common indicators of a phishing attack and set up processes through which workers can report scams. They should also implement a security solution like ZixProtect that can adequately defend against phishing attacks. In this campaign, ZixProtect blocked 100 percent of the emails with filters dating back to October of 2017. ZixProtect’s Link Protection might have also matched some filters while the phishing domain was still online.
