A new email scam is targeting thousands of Netflix customers and attempting to trick them into handing over their credit card details, cyber security experts say.
Users are being sent a convincing-looking email that claims to have been sent by Netflix.
The message, which has the subject line “Payment declined”, contains the Netflix logo. “Netflix” is also listed as the name of the sender.
However, it is in fact a well-designed fake.
“We attempted to authorize the Amex card you have on file but were unable to do so,” the message reads.
“We will automatically attempt to charge your card again within 24-48 hours. Update the expiry date and CVV (card verification value) for your Amex card as soon as possible so you can continue using it with your account.”
The email also contains a prominent “Update Payment” button, which users should not click.
If you do, you’ll be taken to a malicious website that looks like an official Netflix page, says MailGuard, which spotted the scam.
“The phishing page is designed to operate like a legitimate login portal,” it says. “It asks for card details and password verification, then ejects the scam victim to a real Netflix page to allay suspicion.”
Phishing emails are often littered with spelling mistakes or formatting issues, which usually make them easy to spot.
However, what makes this particular scam so dangerous is that it looks so convincing.
“It is extremely concerning to hear that thousands of Netflix customers could have been hit by a somewhat sophisticated phishing scam,” said Raj Samani, McAfee fellow and chief scientist.
“Yet, sadly it isn’t all surprising. Phishing attacks remain the most common method of manipulating individuals into clicking on links and ultimately installing malicious content onto their systems.
“Taking advantage of trusted, well-known brands attempts to leverage the use of authority, resulting in the incoming messages to appear trusted to the consumer.”
Netflix says it will never ask customers to send any of their personal details, such as payment information or passwords, over email.
“Never enter your login or financial details after following a link in an email or text message. If you’re unsure if you’re visiting our legitimate Netflix website, type www.netflix.com directly into your web browser,” the company says.
“Never click on any links or open any attachments in an email or text message you received unexpectedly, regardless of the source.
“If you suspect an email or text message is not from Netflix, do not reply to it.”
If you think you have received a fake email that claims to have been sent by Netflix, you can report it at Netflix’s Help Center.