MailGuard 27 August 2021 15:43:55 AEST 12 MIN READ

Scam Alert: Fear Not, Your Netflix Membership is Not Being Cancelled

Scammers have once more targeted customers of popular streaming service, Netflix, falsely warning victims that their membership is going to be cancelled. Entertainment services such as Netflix are a popular target for cybercriminals, as they try to steal the credentials of millions of users to sell on the dark web, and to use in follow-on criminal campaigns. 

MailGuard reported on similar phishing attempts impersonating Netflix this year, twice in February and again in April 

Using the sender display name as either ‘Support Inc’ or ‘-NETFLIX-’, the email carries the subject line, ‘Your Netflix membership is about to be canceled!’, while the email body includes Netflix branding and colour pallet, using the brands’ ‘red’ in order to create a sense of urgency  and prompting recipients to click on the ‘Your Account’ link. The message claims that the users service has been interrupted due to an inability to authorise credit card details.  

Here’s what the email looks like:  

Your Netflix membership is about to be canceled! - Mozilla Thunderbird_639

Your Netflix membership is about to be canceled! - Mozilla Thunderbird_638

Although the messaging urges immediate attention from the customer, upon closer inspection, the misspelling, strange message at the bottom of the email (‘Your friends on Netflix’) and inaccurate branding, gives away its inauthenticity.  

Unsuspecting users who click on the ‘Your Account’ link are taken to the page below which asks for Netflix login details, including email or phone number and password. From the screenshot below you can see that the page has been designed to look like an actual Netflix sign-in page. However, the domain address does not belong to the company and is in fact a phishing page.  

Logg inn — Mozilla Firefox_634

If the user “signs in” to their account, after entering their login details, these credentials are then harvested for criminal use. Unsuspecting victims are taken to the next page, below, which requires them to press the red ‘Continue’ button to proceed.  

Verify your account — Mozilla Firefox_635


Note the obvious spelling error in the top right-hand side corner of the screenshot, ‘Logg ut’. As well as the confusing short spiel that speaks of no visible changes and ‘planning refunds’.  

The next phishing page, requests credit card details: 

NFX - Updating — Mozilla Firefox_636To trick the user into thinking that their credit card details have been legitimately asked for by Netflix, and subsequently, that their subscription has not been restored, victims are taken to the following spoofed verification page asking them to enter a security code delivered by SMS:  

NFX - Updating — Mozilla Firefox_637

The inclusion of a one-time code at the end of the scam is also intentional. Safety features like these are normally expected from well-established organisations like Netflix, and its use is likely to boost the email’s credibility. 

Whilst MailGuard is stopping this email scam from reaching its’ customers businesses, we encourage all users to exercise caution when opening messages, and to be extra vigilant against this kind of cyber-attack. If you see an email from Netflix, please make sure it is legitimate communication before you open it.  

How to know if an email or text is actually from Netflix? 

Netflix offers the following advice on its support page: 

  • "We will never ask you to enter your personal information in a text or email. This includes: 
  • Credit or debit card numbers 
  • Bank account details 
  • Netflix passwords 

  • We will never request payment through a 3rd party vendor or website. 

  • If the text or email links to a URL that you don't recognize, don't tap or click it. If you did already, do not enter any information on the website that opened." 

More information can be found here: 

MailGuard urges users not to click links or open attachments within emails that:    

  • Are not addressed to you by name.    
  • Appear to be from a legitimate company but use poor English, or omit personal details that a legitimate sender would include.   
  • Are from businesses that you were not expecting to hear from, and/or  
  • Take you to a landing page or website that is not the legitimate URL of the company the email is purporting to be sent from.  

One email is all that it takes    

All that it takes to devastate your business is a cleverly worded email message that can steal sensitive user credentials or disrupt your business operations. If scammers can trick one person in your company into clicking on a malicious link or attachment, they can gain access to your data or inflict damage on your business.    

For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security. Talk to a solution consultant at MailGuard today about securing your company's network. 

Stay up-to-date with MailGuard's latest blog posts by subscribing to free updates. Subscribe to weekly updates by clicking on the button below.

Keep Informed with Weekly Updates