Another Netflix phishing scam!
We’ve written about these scams before, and we’ll probably write about them again…
…for the sadly simple reason that THEY WORK.
They work because scammers know that the less inventive they are, the more believable their messages become.
It’s also a lot less effort to copy genuine content and adapt it just a little than to try to create your own material from scratch.
That’s what Naked Security Editor-in-Chief, Anna Brading, thought when she received this scam yesterday:
This is a notice to remind you that you have an invoice due on, 27/11/2019. We tried to bill you automatically but you local bank being held a transaction.
Sadly for the crooks, and fortunately for anyone who received this scam, the tiny bit of text that the criminals decided to write by themselves contains several rather jarring errors.
For the most part, however, this email is disarmingly simple, and therefore surprisingly believable, for all that it’s given away by typos, grammatical mistakes and orthographic errors.
It’s not overly dramatic, it’s not threatening, and it’s polite.
It’s the sort of thing that might easily happen from time to time – a recurring credit card transaction that’s temporarily failed – and that in real life is usually pretty easy to sort out.
Indeed, it’s the sort of glitch you’ve probably dealt with once or twice before, and that you may well have resolved entirely online without even leaving your browser.
Of course, even if you missed the spelling mistakes (a genuine retailer or cloud service is unlikely to mis-spell the word invoce, which should be invoice), the link would be a giveaway – this one uses a URL shortening service, but with an HTTP (insecure) URL instead of HTTPS.
Nevertheless, if you clicked without taking a moment to check it, you would end up redirected to a surprisingly believable page that is hosted on a website with a valid HTTPS certificate:
Sure, you’re not on a netflix.com web page, which is an obvious indicator that this is a scam, but the crooks have disguised the actual server they’re on by using a domain name that starts with a 32-character hexadecimal string.
The long, random starting text in the URL shoves the final part of the domain name off to the right far enough that your browser probably won’t have enough space to show it.
The domain used in this attack was only registered on 2019-11-17, and the web certificate was created yesterday, so the site was probably set up specially for this scam, perhaps along with a bunch of others.
Remember that once you have acquired a domain name such as example.com, you’ve also acquired the right to create as many subdomains beneath it as you like.
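As an added illustration (not part of the original article or any Sophos code), here is a small Python check that applies the three giveaways described above to a URL: an HTTP rather than HTTPS scheme, a registrable domain that is not netflix.com, and a leading 32-character hexadecimal label that pushes the real domain out of view. The sample URLs and the lookalike-example.net domain are constructed placeholders, and the "last two labels" rule for the registrable domain is a deliberate simplification (a production check would consult the Public Suffix List).

```python
import re
from urllib.parse import urlparse

# Constructed sample URLs modelled on the scam in the article; the
# domains are placeholders, not real indicators from the campaign.
SAMPLE_URLS = [
    "https://www.netflix.com/login",   # genuine-looking control case
    "http://short.example/abc123",     # stand-in for the HTTP shortener link
    "https://0123456789abcdef0123456789abcdef.lookalike-example.net/login",
]

# A label made of exactly 32 hex characters, like the one that shoved the
# real domain off the right-hand edge of the address bar.
HEX_LABEL = re.compile(r"^[0-9a-f]{32}$")


def registrable_domain(host: str) -> str:
    """Naive 'last two labels' heuristic (assumption: no Public Suffix List).

    Correct for example.com-style hosts; would be wrong for example.co.uk.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def phishing_signals(url: str, expected_domain: str = "netflix.com") -> list:
    """Return the article's warning signs that apply to one URL (empty if none)."""
    parsed = urlparse(url)
    host = parsed.hostname or ""          # urlparse lowercases the hostname
    signals = []
    if parsed.scheme.lower() != "https":
        signals.append("insecure scheme: HTTP instead of HTTPS")
    owner = registrable_domain(host)
    if owner != expected_domain:
        signals.append(f"not on {expected_domain}: the server really belongs to {owner}")
    if host and HEX_LABEL.match(host.split(".")[0]):
        signals.append("32-char hex subdomain hides the real domain off-screen")
    return signals


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        found = phishing_signals(url)
        print(f"{'OK' if not found else 'SUSPICIOUS':10} {url}")
        for s in found:
            print(f"           - {s}")
```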
Of course, if you are in a hurry, and don’t take a few moments to look for the obvious clues, you might easily end up entering your password – by which time it’s already too late, because the form submission button uploads it to the crooks, not to Netflix.
If you still don’t spot the deception (we’re hoping you wouldn’t have got this far!), then the phishing continues, taking you via this page…
…to one that asks directly for your card details:
Ironically, these crooks would probably have been better off skipping the intermediate page that starts, “Dear friend,” because it’s awash with telltale signs of bogosity.
Errors you should spot for yourself include spelling mistakes, poor grammar, and a mixup with languages (there’s a link in the middle of an otherwise all-English page that mysteriously offers to sell you a gift card in French).
What you need to know
Here’s what you need to know about this particular scam:
- If you deleted the original email without clicking anything, you did the right thing. The crooks have tried and failed, so you win.
- If you clicked through to the fake login page but bailed out without entering anything, you’re also safe.
- If you went as far as trying to log in on the bogus site, the crooks know your password. Get yourself to the genuine Netflix login page as soon as you can and change your password.
- If you gave away your credit card details, the crooks know those too. Call your bank as soon as you can to cancel your card. (Look on the back of your actual card for the number to call, for safety’s sake!)
- If you think your card was compromised, keep a close eye on your statements. You should keep your eye on your financial records anyway, but you might as well step up your scrutiny after a security scare of this sort.
What to do?
Given that today is Black Friday, which is by all accounts the biggest, boldest and baddest retail day of the year in North America, here are three general tips that we urge you to adopt if you haven’t already:
- Never log in via web pages that show up in an email. If you always find your own way to login pages, for example via a bookmark or your password manager, then you never have to worry whether a login link is phishy or not, because you won’t be clicking it anyway!
- Use a password manager. Your password manager won’t put your Netflix password – or, indeed, any password – into a bogus site for the simple reason that it won’t recognise the site and won’t have a password to submit in the first place.
- Measure twice, cut once. The scam above has plenty of giveaways, including obviously fake URLs; the use of HTTP instead of HTTPS in the email; and spelling errors. Getting scammed is bad enough without the pain of realising afterwards that all the signs were there for you to spot easily, but you were in too much of a hurry to stop and check.
Laurence Marks
Yet another clue: On the first page, two dates are given as DD/MM/YYYY. Here in the US, MM/DD/YYYY is generally used.
Paul Ducklin
Actually, that was a detail they got right in this case – the email went to Anna, here in the UK.
I haven’t seen any samples of this particular scam submitted by US recipients, so I couldn’t tell whether they were right by accident or by design, so I didn’t want to suggest that the date would look wrong in the US.
Sadly, here in the UK you can’t use the presence of a date in US date format (utterly weird, what were they thinking :-) as a “scam signifier” because so many legitimate companies make that mistake, too.
PS. Another handy hint is that the crooks frequently get the money notation wrong. For example, in IRL you might expect to see, say, €2,345.00 (decimal point, comma for thousands, currency symbol first), while in DEU you might be surprised not to see 2.345,- € instead (decimal comma, dot for thousands, Euro sign last, and the use of a dash to denote zero).
(As an aside, the dash for zero in money amounts seems to be an anachronism that German orthography has retained from days of old. Pre-decimal British currency used the dash, too, so that ‘three shillings and sixpence’ would be written 3/6, pronounced 3-and-6, but three shillings would be 3/- and not 3/0. The dash vanished from British monetary orthography in the 1970s when the pound was decimalised into 100 pence instead of the wacky old system involving 240 pence – 20 shillings each of 12 pence – that was copied from the Franks who copied it from the Ancient Romans. In Anglophone countries, the pence or cents are always written as two digits, thus £2.50 and not £2.5, except in trendy eateries where dropping the trailing zero on a price list is considered a badge of coolness.)
Tech-challenged GGma
Been getting the fake Netflix emails in some form or other for at least a year, though not this one yet (in US). Use Hotmail/Outlook and always report them as Phishing, then Block. Some fake emails have gotten smart enough that we can’t Block them…Especially the FEDEX and Russian porn emails. Remember by reporting them they will be put into the Junk folder and you can just empty it. Would Love to figure out how to Block these suckers…
BTW, almost never click on email links, even from trusted senders, unless you are positive who they are. I login to my credit cards and bank from bookmarks…not from their links. Much safer.
Anonymous
Have already gotten 4 of those Netflix scam emails in the past 2 weeks; I just reported them as phishing through Hotmail’s phishing link. I have Netflix, and know they get paid every month, so I knew pretty much this was a scam, plus the grammar errors were everywhere; they’re not very smart ’cause they can’t spell lol