“Smart” Netflix phishing email targets Australians
That email warning you of your Netflix account being suspended is a fake, but it’s a clever fake.
Phishing, the term usually used for emails or other inquiries designed to fool you into handing over your personal or financial details, is nothing new, but it's getting smarter. A new warning from communications regulator the Australian Communications and Media Authority (ACMA) highlights that as we’re all becoming more aware of it, identity theft crooks are becoming ever more devious in their subterfuges.
ACMA notes a recent spate of emails purporting to come from Netflix, warning of an account suspension if the user doesn’t log into their account immediately. That’s using one of the most basic tools in the phisher’s playbook, designed to make you panic and react rapidly. Naturally, there’s a "handy" link in the email that you’re encouraged to click on in order to fix your locked Netflix account and ensure that the sweet, sweet flow of Luke Cage episodes continues undisturbed.
Where ACMA identifies the scam as "smart" phishing is in the increasing sophistication of the approach. The email looks genuine, and so do the URL and the site you’re directed to if you do click the embedded link, right down to using visuals from Netflix shows to make the login page seem as authentic as possible. When you do log in, background scripts take the details you entered and try them against the real Netflix service to verify your account, so if you put in the wrong details you’re even met with an authentic-looking error message. If the login succeeds, you’re presented with a form pre-filled with data scraped from your actual Netflix account and prompted for your billing details in order to "verify" your account.
Just in case it wasn’t clear, under no circumstances should you actually do this. The scam could give criminal types your personal and banking information.
What can I do to keep myself safe online?
You can usually tell a fake from the real thing by checking the URL, but this isn’t always easy depending on how you’re logging in, or how sophisticated the scam is.
For scams like this, there are a few steps you can take in order to keep your personal and banking details safe. The first and most obvious is that if you do get an email from any institution that holds your personal data, open up that service in a fresh browser window. Don’t click on any buttons in emails, because they’ll typically redirect to the fake-but-realistic-looking version of the website. If any action is required on your part, it should also appear on the real site via its own communications systems; if it’s not there, you can rest easy knowing the email is a fake. It’s also well worth ensuring you use a unique password for every service, because re-using passwords means that if one account is compromised, either via phishing or a data breach, other accounts will also be vulnerable. Where feasible and offered, adding two-factor authentication to your accounts can at least alert you if this kind of attack happens, so it’s wise to take it up as well.
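"Checking the URL" is harder than it sounds, because lookalike links are built to pass a quick glance. The following is an added example (not from ACMA or the original article) of what that check has to cover: it extracts the registrable domain of a link and flags the usual disguises, using a constructed allowlist (`netflix.com`) and constructed sample links; the two-label domain rule is an assumption that holds for .com-style names but not for every suffix.

```python
from urllib.parse import urlsplit
import ipaddress

# Constructed allowlist for this example: the registrable domain the real service uses
TRUSTED_DOMAINS = {"netflix.com"}


def registrable_domain(host: str) -> str:
    """Last two DNS labels, lower-cased (assumption: no public-suffix list needed)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def link_verdict(url: str):
    """Return (trusted, reason) for a link found in an email.

    The brand name appearing somewhere in the URL proves nothing; what matters
    is the registrable domain the browser will actually connect to.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        return False, "not https"
    if not host:
        return False, "no hostname"
    if parts.username is not None:
        # https://netflix.com@attacker.example/ puts the brand before the '@'
        return False, "text before '@' hides the real host"
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return False, "non-ASCII or punycode label (possible homograph)"
    try:
        ipaddress.ip_address(host)
        return False, "raw IP address instead of a domain"
    except ValueError:
        pass
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return True, f"registrable domain {domain} is trusted"
    return False, f"registrable domain {domain} is not the expected service"


# Constructed sample links, shaped like the ones such an email might carry
SAMPLE_LINKS = [
    "https://www.netflix.com/login",
    "https://netflix.com.account-verify.example/login",  # brand as a subdomain
    "http://www.netflix.com/login",                      # plain http
    "https://netflix.com@203.0.113.5/login",             # userinfo trick
    "https://n\u0435tflix.com/",                         # Cyrillic 'е'
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        ok, why = link_verdict(link)
        print("OK     " if ok else "SUSPECT", link, "-", why)
```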