Akankasha Dewan 24 January 2020 13:12:54 AEDT 5 MIN READ

Netflix brandjacked again; phishing email uses 3-step verification to trick users

3-step verification is a common digital safety feature used by many established brands to protect sensitive data of their customers online. Because of its widespread usage, it is, ironically, also a popular tool used by cybercriminals to trick unsuspecting users.

MailGuard intercepted a phishing email scam employing 3-step verification on the 23rd  of January morning (AEST).

Purporting to come from popular entertainment company Netflix, the email is actually sent from a single compromised email address. The email body begins with a header titled ‘Account Informations Update’ and contains a greeting supposedly from ‘Netflix Help Center’. It informs recipients that as their ‘billing information has been modified’, they are required to update their accounts ‘in next 24h’ or risk their accounts being suspended. A link is provided for them to do so, supposedly to Netflix’s ‘online help centre’.

Here is a screenshot of the email:

netflix_2301 edited


Unsuspecting recipients who click on the link are led to a fake Netflix-branded login page which directs them to login to their accounts. This is actually a phishing page

Here’s a screenshot of the page:  

Netflix 2401_1

Upon ‘logging in’, users are led to another page featuring Netflix branding. This page is titled ‘Update Your Payment Information’ and asks users for their billing details.

Here is a screenshot of the page:

Netflix 2401_2

Clicking on each of these options then leads the recipients to fake login pages containing the branding of the email provider selected, as per the below:

Upon filling in all the fields and clicking ‘update payment method’, users are shown a window that informs them they will ‘need to pass a 3-step verification’ in order to continue, as per below.

Netflix 2401_3

Once this page finishes loading, users are asked to ‘enter the password displayed’ in their mobile phones or device. They are asked to do this three different times, as per the below.

Netflix 2401_4

Netflix 2401_5

Netflix 2401_6

At the end of ‘Step 3’, users are informed that they have successfully updated their information at Netflix, and they are redirected to the legitimate Netflix page.

Netflix 2401_7

The sole purpose behind this elaborate scam is to steal Netflix users’ email addresses and passwords, along with their credit card & other personal details.

As you can see from the fake log-in page above, cybercriminals have taken great pains to incorporate the exact colour scheme, logo, fonts and popular images commonly found in Netflix pages in a bid to convince the user that the email is actually originating from the entertainment company. As mentioned above, they have also employed 3-step verification as part of this scam. This only adds on to the sense of legitimacy evoked by the email as such a detailed and secure process is expected of a well-established company like Netflix. All this serves to elicit a more confident response from recipients who think they are, in fact, making their accounts more secure by clicking on the provided link and entering their confidential login details.    

However, while the email incorporates the branding and logo of the company, it contains several red flags for anyone who is vigilant enough to spot fake email scams.

Firstly, there are several grammatical and spelling errors within the body, such as ‘Account Informations Update’. In addition, the email provided in the ‘from’ field also doesn’t include the Netflix domain.

Netflix is a regular target for cybercriminals. With more than 158 million paid streaming subscribers worldwide, there’s a high likelihood that many of those that are receiving the email are subscribers and that a portion of those will be too time poor to check the details in the email. Netflix was also targeted with similar scams reported by MailGuard in DecemberSeptember and November last year.

MailGuard urges all recipients of this email to delete it immediately without clicking on any links. If you see an email from Netflix, please exercise caution and make sure it is a legitimate communication before you open it. Please share this alert with your social media network to help us make the people aware of the threat.

To reduce the risk of being tricked by one of these scams, you should immediately delete any emails that:

  • Appear to be from a well-known organisation, typically a bank or service provider and are not addressed to you by name and may include poor grammar.
  • Ask you to click on a link within the email body in order to access their website. If unsure call the company directly and ask whether the email is legitimate
  • Offer money, reward or gift to entice you to hand over your personal details
  • Ask you to submit personal information that the sender should already have access to or should not be requesting from you in the first place

Stop email fraud

Cybercriminals know we can be tricked; that’s why they send out millions of scam messages and put so much effort into making them look convincing.

People aren't machines; we're all capable of making bad judgement calls. Without email filtering protecting your inbox, it’s all too easy to have a momentary lapse of judgement and click on the wrong thing.

For a few dollars per month, you can protect your inbox with MailGuard's predictive email security.

Talk to an expert at MailGuard today about making your email secure: click here.

Why not stay up-to-date with MailGuard's latest blog posts by subscribing to free updates? Subscribe to weekly updates by clicking on the button below.

Keep Informed with Weekly Updates