Home Advice & How-ToSafety Spotting the Dangerous Netflix Scam Email
Home Advice & How-ToSafety Spotting the Dangerous Netflix Scam Email

Spotting the Dangerous Netflix Scam Email

by Fred Decker

“Netflix and chill” has always been a pretty good entertainment option — that’s how the company got to be as successful as it is — but it became even more so during 2020.  When COVID took the option of going out to concerts, movies or bars off the table, people turned to the streaming giant (and its competitors) even more than before. 

Of course, some criminals viewed our collectively renewed reliance on Netflix as an opportunity.  An especially skillful and dangerous Netflix scam email began to circulate in mid-summer 2020, and it’s still making the rounds.  It’s a classic phishing attack, but executed well enough to fool even a wary user if you don’t know what signs to look out for. 

The Netflix Scam Email

The unusually sophisticated phishing email was described by email security provider Armorblox in late July 2020.  The email claims to come from Netflix Support, and although the language isn’t exactly like real Netflix emails, it’s not obviously wrong either.  The pitch is that there’s been an error in attempting to process your most recent payment, and that you need to update your payment information.  There’s a link provided, and a warning that if you don’t respond within the grace period your account will be suspended. 

Spokeo logo

Who's Calling Me?

Search any phone number to learn more about the owner!

If you click the link, you’ll be taken to a functioning CAPTCHA page where you have to type in the characters you see in the box before you can proceed.  Once you’ve verified that you’re human, a very realistic Netflix sign-in page will load.  When you enter in your email or phone number and your Netflix password, you’ll be taken to another very legitimate-looking page where you’re prompted to enter in your name, date of birth, billing address and other personal information.  Finally, you’ll enter in your updated billing information. 

At this point, having successfully carried out the Grand Slam of phishing attacks, the scammers redirect you to the legitimate Netflix login page.  Some versions of the email may also include what appears to be a text attachment, which — if downloaded — can add insult to injury by installing ransomware or malware on your computer as well. 

What Makes This Scam Dangerous (and Hard to Spot)

This specific email, and the fake web pages associated with it, demonstrated a sophisticated understanding of how anti-phishing measures work and how they can be circumvented.  Email providers typically scan the links in emails to check for dubious pages, but starting with a legitimate CAPTCHA page bypasses that protection (and has the added benefit of making victims feel that everything is above board).  You don’t get redirected to the actual phishing pages until you’ve completed the CAPTCHA, so those URLS are hidden. 

The attackers also covered their traces by hiding their phishing pages on domains owned by legitimate websites, which thwarts another test used to detect phishing attacks.  Finally, the overall look and feel of the pages themselves showed an unusual level of skill and craft.  They were not completely perfect, but they were very close indeed to matching the look and feel of Netflix’s own pages. 

Identifying the Phishing Email

That being said, if you already know the telltale signs of phishing emails, you’ll find them in this case as well.  The first is simply that almost all emails reporting a problem with your payment, or warning that your account will be shut down if you don’t respond, are scams.  Netflix itself will never ask you for personal information via a text or email.  A second is that the scam email probably won’t be from an official netflix.com email address (though those can sometimes be spoofed, so it’s not a certainty). 

A more telling giveaway comes when you’ve clicked through to the actual phishing pages, where your personal and billing information are harvested.  If you look at the address bar in the top of your browser window, you’ll see that you’re not on a netflix.com page.  The site’s URL will vary, and it might sound somewhat Netflix adjacent, but it’s not a Netflix page.  At that point, no matter how convincing it looks, you’ll know you’re in the wrong place. 

What To Do Next

If you’ve received one of these emails, you can forward it to phishing@netflix.com.  If your email is rejected, that just means the company has already been notified about that specific variant of the email.  Don’t click on any of the links, even from morbid curiosity (malware is always a risk). 

If you have already fallen victim to this attack, you’ll need to act quickly.  Start by reporting it to the FTC’s IdentityTheft.gov website.  Aside from making the authorities aware of your case, it provides you with a step-by-step recovery plan you can follow to minimize the damage and help restore your good credit as quickly as possible.  You should also report the incident to the FBI’s Internet Crime Complaint Center (IC3).  Posting about it on the Better Business Bureaus Scam Tracker and your own social media feeds may help someone else avoid being scammed. 

Next you’ll need to take several practical steps to limit the damage and begin recovery (your FTC recovery plan will walk you through this).  Start by setting up a fraud alert or credit freeze with each of the three credit-reporting agencies, and informing them that you’ve been a victim of identity theft.  Talk to your bank or credit provider about setting up a new account or card to replace the one that’s been compromised.  If you have identity protection through a Spokeo subscription, set up Dark Web monitoring to let you know when criminals offer your ID for sale on the Web’s seamy underbelly.  Finally, watch for the handful of common, telltale signs that your identity’s been exploited

Forewarned Is Forearmed

Although the Netflix email scam was executed with an uncommon level of skill, it still follows the same pattern as most other phishing emails: impersonating an authority of some sort, creating urgency through a deadline and the fear of losing out and then providing a link to “fix” your problem.  If you’re familiar with the pattern and watch for it, it’s hard to be fooled (a bear in a top hat and tux is still recognizably a bear, after all). 

A more important rule is that you never, ever click the link in the email (or text).  If you suspect there might be a legitimate issue (or you just want to rule out the possibility), log into Netflix the usual way and then click through to your account settings.  You can also check your account statements to verify that the most recent payment went through without a problem, or — if in doubt — reach out to Netflix directly to identify and correct any potential issue.  

If you take those basic precautions, you’ll sharply reduce the likelihood of ever falling victim to this or any other phishing scheme.