If you get an email from Netflix telling you that your account is suspended due to a problem validating your credit card, don't believe it. It's almost certainly a sophisticated phishing scam that first made its appearance early this year and has since gone out to tens of millions of people. And it appears to be working: Wired reports that the cybercriminals behind the scam have continued to send it out with almost no alterations, a likely sign that it's proving effective as a way to fool people into revealing their Netflix username and password, and even credit card numbers, home address, and date of birth. The miscreants can sell all this useful data on the dark web.
This phishing scheme is good enough to fool even very sophisticated users--it's a genuine work of art as phishing goes. For instance, Netflix always advises users that "Netflix will never ask for any personal information to be sent to us over email." That may be a great safety tip, but it won't help you here because this scheme doesn't do that. Instead, it asks users to click on an official-looking link to "Restart your membership."
Click on the link and it will take you to what looks for all the world like a Netflix page--there's even a still from the hit Netflix series The Crown in the background. The page prompts you to log in, or sign in with Facebook. If you do, of course, the hackers now have your Netflix (and maybe Facebook) credentials.
Once that's done, the system takes you to a second screen with the Netflix logo, where you're asked to "validate your payment information" by entering your credit card number and security code, and possibly your home address. Then the hackers will have those, too.
This is a good enough fake that even technically sophisticated users could easily fall for it. I could have fallen for it myself.
Besides creating a very real-looking email and webpages, the hackers used sophisticated techniques to avoid being recognized by any security system. Recently created sites always get extra scrutiny from security software, so instead of making their own, the hackers piggybacked on an existing WordPress site to create their fake Netflix pages. The pages also won't work for users whose IP addresses belong to known security companies, making it hard for security experts to test out and examine them. In some cases, the HTML for the pages is actually encrypted so that it can't be scanned to see what's really going on. It's no wonder that, almost a year after launch, this phishing scam is still going strong.
Unfortunately, sophisticated phishing attacks like this one are becoming more and more common. But there are some simple things you can do to avoid getting caught:
1. Think before you log in.
A phishing scheme is completely harmless if you don't give it any of your personal information. So if you click a link in an email that appears to be from a company you use, be very hesitant about logging in, whether with your own credentials or with associated social media such as Facebook or Google. To be safe, open your browser and go to the site from there rather than by clicking on a link.
2. Check email addresses and URLs.
If you've gotten an email, expand the address to see where the message actually originated. Similarly, before clicking on a link, hover your cursor over the URL so you can see exactly what it is. That will give you an indication as to whether an email or web address is safe.
3. Don't let phishers push your buttons.
One hallmark of an effective phishing scheme is that it will likely activate your emotions and give you a sense of urgency in some way. This Netflix hoax is a perfect example: If you were looking forward to spending the evening binge-watching your favorite series, then hearing that your account is suspended might inspire you to act in a hurry, which is exactly what the hackers want.
So don't. Take a deep breath, take your time, and double-check everything. In the case of the Netflix email, there's a very simple test: Go watch something on Netflix. If you are able to, then your account obviously is not suspended. You can safely ignore the email and go on about your day.
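Tip 2 ("expand the sender address, hover over every link") done mechanically, as an added example that is not from the article: it parses a constructed email (the lookalike sender, the `.invalid` hostname and the function names are all assumptions) and flags any sender or link whose registrable domain is not the brand's.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: lookalike sender plus a "Restart your membership" link to an unrelated site.
SAMPLE = """\
From: Netflix <support@netflix-billing-update.com>
Subject: Your account has been suspended
Content-Type: text/html; charset=utf-8

<html><body><p>We could not validate your payment information.</p>
<p><a href="http://some-wordpress-blog.invalid/wp-content/nf/login.php">Restart your membership</a></p>
<p>Questions? Visit <a href="https://www.netflix.com/">Netflix</a>.</p></body></html>
"""

class LinkCollector(HTMLParser):  # gathers (href, visible text) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):  # crude: last two labels, enough for netflix.com
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def check_message(raw, expected_domain="netflix.com"):
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []  # one entry per sender or link that does not belong to the brand
    sender_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2]
    if registrable(sender_domain) != expected_domain:
        findings.append(f"sender domain {sender_domain!r} is not {expected_domain}")
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        host = urlparse(href).hostname or ""  # what hovering over the link would show
        if registrable(host) != expected_domain:
            findings.append(f"link {text!r} really points to {host}")
    return findings
```

The genuine `www.netflix.com` link passes; the lookalike sender and the "Restart your membership" link are both reported.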