Akankasha Dewan 01 April 2021 11:29:07 AEDT 5 MIN READ

Don’t be fooled by this Netflix-themed phishing email inviting you to ‘request a refund’

Popular entertainment company Netflix is once again the subject of a phishing email scam intercepted by MailGuard.

The email body informs users that the ‘last invoice statement for march 2021 was paid twice’. It invites users to request a refund within 12 hours via a provided link. While the email includes the company’s logo, it also contains multiple red flags that indicate it is not a genuine notification from the company. This includes a blank subject, and an inaccurately spelt display name, i.e. ‘Netlfix’. In addition, the recipient is not addressed directly. The email actually originates from a third-party that is using potentially compromised web hosting, as well as a dynamic DNS provider for the sending domain.

Here’s what the email looks like:


Unsuspecting recipients who click on the link to request a refund are led to an intermediary site hosted by BigCommerce that appears to be compromised. This site automatically redirects them to a login page asking users for their email address and password. As you can see from the screenshot below, this page is designed to look like a legitimate page belonging to Netflix:


Interestingly, the domain used in the page’s URL doesn’t belong to the company. This is actually a phishing page hosted on yet another potentially compromised web host using a Namecheap IP address. Once users “sign in” to their accounts, their credentials are harvested and they are led to a similar page asking for users’ credit card details. Here’s a screenshot of that page:


This is also a phishing page designed to harvest users' confidential banking information. After users input their details as required in the fields above, they are led to a Netflix-branded page asking them for a one-time code that may be sent to their phone.


Whilst MailGuard is stopping this email scam from reaching Australian businesses, we encourage all users to exercise caution when opening messages, and to be extra vigilant against this kind of cyber-attack. If you see an email from Netflix, please make sure it is a legitimate communication before you open it. Please share this alert with your social media network to help us make the people aware of the threat.

Netflix is a regular target for cybercriminals. Earlier this year, MailGuard detected a similar phishing email also impersonating the entertainment company. With more than 203 million subscribers worldwide, there’s a high likelihood that many of those that are receiving the email are subscribers and that a portion of those will be too time poor to check the details in the email. In fact, over the years, MailGuard has intercepted numerous Netflix-themed email scams, including in:

In this particular scam, cybercriminals have employed the following techniques to trick users:

  • The invitation of a refund to trick users; informing recipients that they are eligible for a refund motivate users to take action immediately without checking on the email’s authenticity, and

  • The inclusion of high-quality branding elements belonging to Netflix; As you can see from the screenshots above, cybercriminals have gone to great efforts to incorporate a similar colour scheme, logo, font and popular imagery commonly found on Netflix pages in a bid to convince users that the email is authentic, and that it actually originates from the entertainment company.

Besides the above, the inclusion of a one-time code at the end of the scam is also intentional. Safety features like these are normally expected from well-established organisations like Netflix, and its use is likely to boost the email’s credibility.

Despite these techniques, the phishing email scam contains multiple red flags that point to its illegitimacy. This includes the fact that the email doesn't address the recipient directly.

How to know if an email or text is actually from Netflix?

Netflix lists the following advice on its support page:

  • "We will never ask you to enter your personal information in a text or email. This includes:
    • Credit or debit card numbers
    • Bank account details
    • Netflix passwords

  • We will never request payment through a 3rd party vendor or website.

  • If the text or email links to a URL that you don't recognize, don't tap or click it. If you did already, do not enter any information on the website that opened."

More information can be found here: https://help.netflix.com/en/node/65674


As a precaution, MailGuard urges you not to click links within emails that:

  • Are not addressed to you by name.
  • Appear to be from a legitimate company but use poor English, or omit personal details that a legitimate sender would include.
  • Are from businesses that you were not expecting to hear from, and
  • Take you to a landing page or website that is not the legitimate URL of the company the email is purporting to be sent from. 


One email is all that it takes

All that it takes to break into your business is a cleverly-worded email message. If scammers can trick one person in your company into clicking on a malicious link they can gain access to your data.

For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security.

Talk to a solution consultant at MailGuard today about securing your company's network.

Why not stay up-to-date with MailGuard's latest blog posts by subscribing to free updates? Subscribe to weekly updates by clicking on the button below.

Keep Informed with Weekly Updates