Last week, more than 100 million Netflix subscribers were targeted with a well-designed email phishing attack. The email told recipients that their billing information needed updating, taking them to a fake Netflix website and asking for their credit card details along with a host of other information.
While phishing attacks are growing in sophistication every day and are sometimes indistinguishable from authentic emails at first glance, there are still relatively simple checks that you can perform to ensure that your sensitive and personally identifiable information doesn’t fall into malicious hands. Here are three tips to spot the fake Netflix phishing attack.
Tip 1: Hover to blow their cover
A quick, straightforward check is to hover over each link in a suspicious email (on a phone, press and hold it) and read the destination your mail client shows. The domain should be the one you expect the sender to use, and if the link text itself looks like an address, it should match the address the link actually opens.
As the screenshot below shows, although the web page itself is deceptive enough to be mistaken for the Netflix login page, the URL in the browser's address bar is plainly suspicious and should be a cause for alarm.
Bear in mind that phishing pages are sometimes hosted on otherwise reputable domains (for example, this site was hosted on a compromised WordPress blog) and can slip past automated security sensors. Your eyes can be the most effective sensor here: a quick look at the URL is enough to foil the attempt.
Tip 2: Devil’s in the details
This entire phishing attack, both the mail and the fake login page, was painstakingly designed to convey authenticity. The landing page looked similar to the Netflix login page, carried the Netflix logo and branding elements, and even had backsplashes of famous Netflix shows such as House of Cards and The Crown to throw victims off the scent.
Nevertheless, there are usually telltale signs that can give you an initial feeling that something’s off. Here, the attackers planned to personalize the scam by showing the victims’ first name in the ‘recipient’ field of the mail.
Fortunately, the mail merge didn’t work, and the mails showed placeholder text instead of the intended personalization. Netflix as a brand would not be careless enough to make these mistakes; this small error can act as a significant breadcrumb that leads you toward the light.
There are other errors in the mail that Netflix wouldn’t commit: '48hours' without a space in between and run-on sentences sans punctuation being some examples.
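Both of the checks above, the link inspection from Tip 1 and the unrendered-personalization spotting from Tip 2, can be automated, which is what a mail-screening playbook does before a human ever hovers over anything. The Python script below is an added example, not code from the original post or from Demisto. It parses a constructed message modelled on the campaign (every domain in it is made up), compares the sender's and each link's registrable domain with an assumed brand domain of netflix.com (flagging near misses by edit distance, the "domain distance" idea), flags link text that shows one address while the href opens another, and reports unrendered merge fields such as {{FIRST_NAME}} in the To, Subject and body. The placeholder syntaxes it looks for are assumptions; the post does not quote the exact placeholder text the real campaign showed.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

BRAND_DOMAIN = "netflix.com"  # assumed: the only domain a genuine Netflix mail should use
# Merge-field syntaxes a failed mail merge leaves behind (assumed; the post does not quote the real one)
PLACEHOLDER_RE = re.compile(r"\{\{[^}]*\}\}|%[A-Z_]+%|\$\{[^}]*\}|\[(?:FIRST_?NAME|NAME)\]")
URL_TEXT_RE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:/\S*)?$")

# Constructed sample modelled on the campaign described above; every domain here is made up.
SAMPLE_MAIL = """\
From: Netflix Team <billing@netflix-account-update.com>
To: {{FIRST_NAME}} <subscriber@example.com>
Subject: Update your billing information, {{FIRST_NAME}}
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear {{FIRST_NAME}}, we'll suspend your membership if we do not receive a response within 48hours.</p>
<p><a href="http://victim-blog.example/wp-content/uploads/netflix/login.php">Update billing information</a></p>
<p><a href="http://netflx.com/billing">www.netflix.com/billing</a></p>
<p><a href="https://help.netflix.com/en">Help Center</a></p>
</body></html>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    """Last two labels of a host: fine for .com, use the public suffix list in production."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance, the 'domain distance' that flags lookalikes such as netflx.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(dom):
    """None for the brand's own domain, else 'lookalike' (within 2 edits) or 'off-brand'."""
    if dom == BRAND_DOMAIN:
        return None
    return "lookalike" if edit_distance(dom, BRAND_DOMAIN) <= 2 else "off-brand"

def check_sender(msg):
    """Header check: does the From address even belong to the brand?"""
    _, addr = parseaddr(str(msg.get("From", "")))
    verdict = classify_domain(registrable_domain(addr.rpartition("@")[2]))
    return [(verdict + "-sender", addr)] if verdict else []

def check_placeholders(msg):
    """Tip 2: unrendered merge fields in headers or body betray a bulk mailing that misfired."""
    body = msg.get_body(preferencelist=("html", "plain"))
    sources = [("To", str(msg.get("To", ""))), ("Subject", str(msg.get("Subject", ""))),
               ("body", body.get_content() if body else "")]
    return [(f"unrendered-merge-field:{where}", t)
            for where, text in sources for t in PLACEHOLDER_RE.findall(text)]

def check_links(html_body):
    """Tip 1: compare each href with the brand domain and with the text the reader sees."""
    findings, collector = [], LinkCollector()
    collector.feed(html_body)
    for href, text in collector.links:
        dom = registrable_domain(urlparse(href).hostname or "")
        verdict = classify_domain(dom)
        if verdict:
            findings.append((verdict + "-domain", href))
        shown = URL_TEXT_RE.match(text)  # link text like www.netflix.com/... pointing elsewhere
        if shown and registrable_domain(shown.group(1)) != dom:
            findings.append(("text-href-mismatch", f"{text} -> {href}"))
    return findings

def triage(raw_message):
    """Run every check over one raw RFC 822 message and return (kind, detail) findings."""
    msg = message_from_string(raw_message, policy=default)
    body = msg.get_body(preferencelist=("html", "plain"))
    return (check_sender(msg) + check_placeholders(msg)
            + check_links(body.get_content() if body else ""))

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_MAIL):
        print(f"{kind:32} {detail}")
```

On the sample, the script reports the off-brand sender, three unrendered {{FIRST_NAME}} fields, the login page on the made-up blog as off-brand, netflx.com as a lookalike, and the link whose text reads www.netflix.com/billing but opens netflx.com; the genuine help.netflix.com link passes. Two caveats: the registrable-domain helper just takes the last two labels, so it misreads suffixes such as co.uk (use a public suffix list for real traffic), and the off-brand verdict only says a link does not belong to the brand; it cannot tell you that the hosting site is a compromised blog, which is why the hover check still matters even on an ordinary-looking domain.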
Tip 3: Notice the Brand
Netflix has strived to maintain a fun, casual, and irreverent brand voice both in its email marketing and social media presence. While these efforts are laudable and make business sense in general, they also create a standardized, unique vibe whenever you converse with Netflix, almost like a digital signature.
For example, look at a real email from Netflix below:
Here’s another one:
Notice anything? Here are a few things that spring to mind for us:
- Netflix’s friendly tone comes across in their signature. They always sign off as our ‘friends at Netflix’, a stark departure from the more robotic ‘Netflix Team’ that sent the phishing email.
- The language in the phishing mail is designed to elicit fear and implicitly hold you to ransom. Regular Netflix subscribers and engagers will know that ‘we’ll suspend your membership if we do not receive a response within 48 hours’ is not the usual jovial messaging expected from their favorite streaming service.
- In real Netflix emails the headers are center aligned and not boldfaced; in the phishing email the header is left aligned and boldfaced. That is an easy difference to miss on its own, but coupled with the previous two tips it can set alarm bells ringing.
- In-mail links in real Netflix emails are red in color, unlike the blue hyperlinks in the phishing mail. Again, an easy enough thing to miss on superficial viewing. Red is an important brand element for Netflix and not something they’d suddenly change in a one-off mail.
- The design of the call-to-action buttons is standardized and different from the one in the phishing mail.
These are not the only differences, but you get the gist. Even well-designed phishing attacks find it difficult to capture the unique brand voice of a firm like Netflix. These are minor differences that can easily fly under the radar; but, coupled with the other tips we’ve mentioned above, they can act as powerful validators.
The next time you get mails from reputed brands that have iffy URLs, suspicious design choices, and low-key aggressive language, we hope your spider sense starts tingling!
To learn more about how Demisto playbooks go through minute checks like URLs, headers, domain distance, and attachments while scanning potential phishing mail, read our phishing playbook summary.