MailGuard 10 October 2022 15:46:10 AEDT 13 MIN READ

Netflix customers given “Last Reminder” in new email phishing scam

Have you received an email which claims to be from Netflix that says that they were “unable to validate your billing information for the next billing cycle of your subscription”? It may be a new email phishing scam which targets unsuspecting customers and attempts to steal their account credentials, credit card details and personal information.  

MailGuard is now blocking this email from landing in our customers’ inboxes, but this isn’t the first time we’ve seen a scam like this. We reported on a similar scam in January 2022, and again in November 2021.

The subject line reads “Last reminder !”, and the sender name shows “No_reply” or “The Netflix Team”. However, the sender email address shows “grafica(at)tosconova(dot)com”, which appears to belong to a legitimate Italian furniture business. The domain is associated with ActiveCampaign, which is an email campaign platform. Given the business’s address is shown in the signature at the bottom of the email, it suggests that their ActiveCampaign account has been compromised.  

The email uses Netflix branding and begins with a generic “Dear user”, before continuing on to explain that the recipient’s billing information needs to be validated within the next 48 hours, or their membership will be suspended. The user is then instructed to click a button which says, “Verify Now”.  

Although the email has a number of grammatical errors and slightly unusual verbiage, concern about their account being cancelled may cause a genuine Netflix customer to overlook the red flags.   

Here’s a copy of an email that we intercepted:  


Clicking the button to verify their account details directs the customer to a phishing site which looks quite similar to the login page used by Netflix. The background shows a number of different titles that are available on Netflix, although a key difference is that the names of the movies and shows are written in French. The cybercriminal has taken care to create a URL which shows “myaccount-netflix” to try and con more victims, but this website is not associated with Netflix.  

On this page, the user is asked for their email address or phone number, and their password for their Netflix account. These details will be harvested by the cybercriminal and saved for later use.

On the next page, the victim is instructed to update their credit card details.  

They’re asked for the following information: 

  • Name Card 
  • Card Number 
  • Date Expired 
  • CVV 


Once again, the titles for each field are phrased in an unusual way, but with how commonplace forms like this have become, this detail could easily be missed.  


When the victim clicks ‘Next’, they’re shown a loading screen which includes Netflix branding and warns them not to close the window before completing the next step.


Once the victim’s credit card details have been confirmed, they’re asked to enter more personal information, including:  

  • Full Name 
  • Address 
  • Phone Number 
  • Code Zip 
  • E-mail  


The recipient is then prompted to enter a one-time password (OTP) that has been sent to their mobile number in order to verify a transaction.  


An error appears that warns that the OTP is wrong or expired, and after 3 incorrect attempts, their credit card will be blocked.  


Netflix is a popular target for impersonation by scammers, who leverage the streaming giant’s trusted name and enormous subscriber count, which totals more than 220 million people worldwide.  

Netflix offers the following advice to customers:  

  • We will never ask you to enter your personal information in a text or email. This includes:
      • Credit or debit card numbers
      • Bank account details
      • Netflix passwords
  • We will never request payment through a 3rd party vendor or website.
  • If the text or email links to a URL that you don't recognize, don't tap or click it. If you did already, do not enter any information on the website that opened.

MailGuard advises all recipients of this email to delete it immediately without clicking on any links. Providing your personal details can result in your sensitive information being used for criminal activity and may have a severe negative impact on your business and its financial well-being.

MailGuard urges users not to click links or open attachments within emails that:       

  • Are not addressed to you by name.       
  • Appear to be from a legitimate company but use poor English or omit personal details that a legitimate sender would include.
  • Are from businesses that you were not expecting to hear from, and/or       
  • Take you to a landing page or website that is not the legitimate URL of the company the email is purporting to be sent from.      
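
The two indicators described in this post, a Netflix display name on an unrelated sender domain and a link host that merely contains "netflix", can be checked mechanically. The Python below is an added example, not MailGuard's detection logic; the brand allow-list, the function names and the sample message (including its `.example` domains) are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: brand keyword -> domains the brand legitimately sends from and links to.
BRANDS = {"netflix": {"netflix.com"}}

# Constructed sample modelled on the email described above (not the real message).
SAMPLE = """\
From: The Netflix Team <sender@unrelated-business.example>
Subject: Last reminder !
Content-Type: text/html; charset="utf-8"

<p>Dear user, we were unable to validate your billing information.</p>
<a href="https://myaccount-netflix.example/login">Verify Now</a>
"""

class _Links(HTMLParser):
    """Collect the hostname of every <a href="..."> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hosts = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        host = urlsplit(href).hostname if tag == "a" and href else None
        if host:
            self.hosts.append(host.lower())

def _owned(host, domains):
    # True only for the brand's domain itself or a subdomain of it.
    return any(host == d or host.endswith("." + d) for d in domains)

def brand_mismatches(raw):
    """Return (indicator, brand, offending_domain) tuples for one raw message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    links = _Links()
    links.feed(msg.get_payload())
    findings = []
    for brand, domains in BRANDS.items():
        if brand in name.lower() and not _owned(sender_domain, domains):
            findings.append(("display-name", brand, sender_domain))
        for host in links.hosts:
            if brand in host and not _owned(host, domains):
                findings.append(("lookalike-link", brand, host))
    return findings
```

A message sent with the “No_reply” display name would trip only the link check, so the two indicators are best evaluated together rather than either one alone.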

Many businesses turn to MailGuard after an incident or a near miss, often as a result of an email similar to the one shown above. If unwanted emails are a problem for your business, don’t wait until it’s too late.  

Reach out to our team for a confidential discussion by emailing or calling 1300 30 44 30.

One email is all that it takes     

All that it takes to devastate your business is a cleverly worded email message that can steal sensitive user credentials or disrupt your business operations. If scammers can trick one person in your company into clicking on a malicious link or attachment, they can gain access to your data or inflict damage on your business.     

For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security. Talk to a solution consultant at MailGuard today about securing your company's inboxes.  
