MailGuard | 22 May 2026 12:51:55 AEST | 7 min read

Netflix Payment Scam

MailGuard has intercepted a new phishing email campaign impersonating Netflix and attempting to harvest users’ login credentials, credit card details and highly sensitive personal information.

The email claims that the recipient’s Netflix account has been locked due to a problem with their payment method and urges them to update their billing information to avoid service interruption.

How the scam works

While the branding appears convincing, the email is sent from an unrelated domain. Clicking the prominent “UPDATE PAYMENT METHOD” button takes victims to a phishing site designed to look like Netflix, but hosted on a non-Netflix domain. 

Step 1: The phishing email

Victims receive an email stating that their Netflix account has been locked due to a payment issue and that they must update their payment method to restore access. 

[Screenshot: Netflix - 1]
The attacker is attempting to create urgency and fear of service disruption so the victim clicks through without questioning the message. 

Step 2: Fake Netflix sign-in prompt

The link opens a page that closely mimics the Netflix sign-in experience, asking the user to enter their email address or mobile number. 

[Screenshot: Netflix - 2]
The attacker is attempting to capture a valid email address that can be tied to the victim’s Netflix and other online accounts. 

Step 3: Password capture 

After entering an email address, the victim is taken to a second page that asks them to enter their password to continue. 

[Screenshot: Netflix - 3]
The attacker is attempting to steal the victim’s Netflix password, which may also be reused across other services and business systems. 

Step 4: Payment and identity theft

The scam then escalates to a detailed “Set up your credit or debit card” page, requesting card number, expiry, CVV, name on card, phone number, date of birth, mother’s maiden name, Social Security Number (SSN), and full address details. 

[Screenshot: Netflix - 4]

[Screenshot: Netflix - 4 pt 2]

The attacker is attempting to collect complete financial and identity data that can be used for fraudulent transactions, identity theft and further account takeovers.

Step 5: Fake confirmation and redirect

A final “All Set” confirmation page appears, stating that the account has been successfully unlocked and billing information updated, before redirecting the victim to the legitimate Netflix site. 

[Screenshot: Netflix - 5]

The attacker is attempting to reduce suspicion by ending the journey on the real Netflix website, making it less likely that victims will immediately realise their details have been stolen.

This campaign is designed as a multi-step phishing flow that feels like a normal Netflix account recovery and billing update process, while silently exfiltrating sensitive information at each stage.

Key indicators of the threat

  • Sender domains such as autosregio.com and magnufi.com are not associated with Netflix

  • Emails use display names like Netflix Membership, Netflix Security and Netflix.com to appear legitimate 

  • Phishing pages are hosted on a non-Netflix domain (for example, aflix.e2childcare.com) rather than netflix.com 

  • Requests for email address, password, full credit card details, SSN, date of birth and mother’s maiden name 

  • Multi-step login and billing pages styled to mimic Netflix but delivered from unfamiliar URLs 

  • Final confirmation page that redirects to the legitimate Netflix site to mask the attack 
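The indicators above (a Netflix display name on a non-Netflix sender domain, and buttons that link to non-Netflix hosts) can be checked mechanically at the mail gateway. The following is an added example, not MailGuard's code, that parses a raw message and reports these two indicators; it assumes only netflix.com and its subdomains are genuine, and the two sample messages are constructed from the domains quoted in this advisory.

```python
# Added example: flag emails that claim the Netflix brand in the From display
# name or Subject while the sender domain or the linked hosts are not Netflix.
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
import re

BRAND = "netflix"
LEGIT_DOMAINS = {"netflix.com"}  # assumption: only netflix.com and subdomains are genuine
HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)

def _is_legit(host: str) -> bool:
    """True if host is netflix.com or one of its subdomains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)

def analyse(raw: str) -> dict:
    """Return the brand-impersonation indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    claims_brand = BRAND in (display + " " + msg.get("Subject", "")).lower()
    # Single-part text/html samples: the payload is the HTML body as a string.
    link_hosts = {urlparse(u).hostname or "" for u in HREF_RE.findall(msg.get_payload())}
    foreign_links = sorted(h for h in link_hosts if not _is_legit(h))
    reasons = []
    if claims_brand and not _is_legit(sender_domain):
        reasons.append(f"Netflix branding but sender domain is {sender_domain}")
    if claims_brand and foreign_links:
        reasons.append("links point to non-Netflix hosts: " + ", ".join(foreign_links))
    return {"sender_domain": sender_domain, "foreign_links": foreign_links,
            "suspicious": bool(reasons), "reasons": reasons}

# Constructed sample modelled on the campaign described in the advisory.
PHISH = """From: Netflix Security <alerts@autosregio.com>
Subject: Your Netflix account has been locked
Content-Type: text/html

<p>Update your payment method to avoid interruption.</p>
<a href="https://aflix.e2childcare.com/update">UPDATE PAYMENT METHOD</a>
"""

# Constructed sample of a message that passes both checks.
LEGIT = """From: Netflix <info@account.netflix.com>
Subject: New sign-in to your Netflix account
Content-Type: text/html

<a href="https://www.netflix.com/YourAccount">Manage your account</a>
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(name, analyse(raw))
```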

Why this matters for businesses

This campaign is particularly dangerous for organisations where staff use Netflix accounts linked to corporate email addresses, shared credentials or business payment methods. A successful compromise can allow attackers to: 

  • Access corporate email accounts if employees reuse passwords across services 

  • Make fraudulent charges using business credit cards or shared payment instruments 

  • Use stolen personal information to impersonate staff in social engineering and BEC attacks 

  • Target the organisation with further phishing attempts using harvested credentials 

  • Build detailed identity profiles that can be exploited for account takeovers across other business platforms 

Even when Netflix is used purely for personal purposes, the reuse of passwords and overlap of email addresses between consumer and business services means a single successful phishing attempt can become an entry point into corporate environments.

Stay Safe, Know the Signs

MailGuard advises all recipients of these emails to delete them immediately without clicking on any links. Responding or providing personal details can lead to identity theft, data breaches, and financial losses.

Avoid emails that:

  • Aren’t addressed to you personally.
  • Are unexpected and urge immediate action.
  • Contain poor grammar or miss crucial identifying details.
  • Direct you to a suspicious URL that isn’t associated with the genuine company.

Many businesses turn to MailGuard after a near miss or incident. Don't wait until it's too late. Reach out to our team for a confidential discussion by emailing expert@mailguard.com.au or calling 1300 30 44 30.

One Email Is All That It Takes   

All that it takes to devastate your business is a cleverly worded email message that can steal sensitive user credentials or disrupt your business operations. If scammers can trick one person in your company into clicking on a malicious link or attachment, they can gain access to your data or inflict damage on your business.     

For a few dollars per staff member per month, you can protect your business with MailGuard's specialist AI-powered, zero-day email security. Special Ops for when speed matters! Our real-time zero-day email threat detection amplifies our clients' intelligence, knowledge, security and defence. Talk to a solution consultant at MailGuard today about securing your company's inboxes.
