Netflix users in Ireland are being warned to be wary of a new Netflix-themed phishing scam that attempts to get users to reveal sensitive information under the ruse of correcting an error in their account.
The emails include Netflix branding and at first glance appear to be a genuine communication from the online streaming service. The emails start with “Dear customer” and explain that an error has been detected in the user’s Netflix account while conducting regular maintenance and verification processes.
The user is warned that unless action is taken to address the problem within 24 hours, access to the account will be restricted. The emails contain a hyperlink for the user to click and log in to correct the problem. The link directs the user to a webpage on a domain controlled by the hackers, where they are asked for sensitive personal information in order to confirm their identity.
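The traits described above (Netflix branding, a "Dear customer" greeting, a deadline in hours, and a link to a domain that is not Netflix's) can be checked mechanically. The following is an added example, not part of the original article; the indicator names, the `BRAND_DOMAINS` allow-list and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

BRAND = "netflix"
BRAND_DOMAINS = ("netflix.com",)  # assumption: domains treated as genuine

class _Links(HTMLParser):
    """Collect the hostname of every <a href> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hosts = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        if href:
            self.hosts.append((urlsplit(href).hostname or "").lower())

def _on_brand_domain(host):
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)

def lure_indicators(raw):
    """Names of the lure traits found in a single-part HTML message."""
    msg = message_from_string(raw)
    body = msg.get_payload()  # a str for single-part messages
    links = _Links()
    links.feed(body)
    text = re.sub(r"<[^>]+>", " ", body)  # crude tag strip for text checks
    found = set()
    if BRAND in (msg.get("From", "") + msg.get("Subject", "")).lower():
        found.add("brand_named")
    if re.search(r"\bdear customer\b", text, re.I):
        found.add("generic_greeting")
    if re.search(r"\bwithin \d+ hours?\b", text, re.I):
        found.add("deadline")
    if any(h and not _on_brand_domain(h) for h in links.hosts):
        found.add("off_brand_link")
    return found

# Constructed sample message (hypothetical sender and link domains).
SAMPLE = """From: Netflix <support@billing-update.example>
Subject: Action required on your Netflix account
Content-Type: text/html

<p>Dear customer,</p>
<p>We detected an error in your account during regular maintenance.
Act within 24 hours or access will be restricted.</p>
<a href="https://account-verify.example/login">Log in</a>
"""
```

A message that names the brand while linking off the brand's domain is the strongest of these signals; the greeting and deadline checks alone will also match some legitimate mail.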
Scammers spoof popular brands to maximize the probability of an email arriving in the inbox of someone who uses that company’s products or services. Netflix is one of the most commonly spoofed brands in phishing attacks on consumers. In Ireland, there are 250,000 Netflix subscribers, so there is a high probability of emails arriving in Netflix subscribers’ inboxes.
Spray and pray phishing attacks such as this often use templates that have been shown to pass through Office 365 spam filters undetected and arrive in inboxes. While this campaign targets consumers, businesses that use Office 365 are also being targeted.
It is therefore essential for businesses to provide security awareness training to employees to show them how to identify email threats and to teach cybersecurity best practices. Regular cybersecurity bulletins are useful for communicating information on the latest security threats targeting the sector.
Email is the most common way of delivering malware and obtaining credentials to gain access to business networks. Phishing-as-a-service operations are proving popular and are opening up phishing to a new wave of would-be cybercriminals. Businesses therefore need to make sure their cybersecurity defenses are adequate to protect against an increasing number of attacks.
The key to defending against phishing attacks and other email threats is defense in depth. In addition to providing ongoing security awareness training to employees, businesses should ensure they have up-to-date business-grade antivirus solutions in place, an advanced anti-spam filter, a web filter, firewall, and ideally an intrusion detection system and data loss protection technology.