Netflix email scam

Email scams keep growing, and they are taking another twist: their complexity is increasing in an attempt to defeat filtering and pass first-glance credibility tests.

Netflix is the victim of an interesting scam that was worth digging a little deeper into.

The first clue was that the email ended up in the Junk folder – that’s the benefit of using a premium service provider. However, a first glance at the email had me wondering whether it got there by accident. Plus, its content and subject didn’t tie in with the known status of my Netflix account.

Potentially, for others, it slips through and sits in your Inbox.

A second glance, at the button link and the ‘From’ address inside the email, really had me close to clicking to see where I ended up. The sending address and the button link both related, indirectly, to email services – and that’s a key point further on in this article.

So, I open the email and click the link; what’s the worst that could happen?

One: I land on a page that wants me to enter details, and I decide to close it = safe.

No.

I’d be identifying myself as a link clicker and one-step closer to being re-targeted, again and again and again. My email address ‘could’ be flagged as fishable (phishable).

Two; I delete the email – and think nothing more of it.

I was curious. This was a well-worded email and passed the ‘Chinglish’ test. It also used URLs in the send address and button link that seemed plausible.

Before I clicked, I had to prove them. And unless you can do the same, always pick option two. DELETE.

But how can you tell? Don’t guess. Unless you are absolutely sure, stop. Delete, walk away.

But how can you tell? Every method I describe for verifying that a site is legitimate gives a scammer the answer as to what to patch next. To cloak, to disguise, to confuse, deceive.

Short answer: today’s method of being able to tell will be different tomorrow. Take option two: DELETE.

What made this email more plausible than the rest?

  1. The ‘From’ email address used keywords Netflix, AWS (Amazon Web Service) and zeald.com (a digital marketing provider).
  2. The button link used sendgrid.net (Sendgrid is an email sending platform).

First test I did was on sendgrid.net (as it could have been an alias of sendgrid.com) – that was a dead-end.

First fail.

So, I checked zeald.com – who have no connection to Netflix.

Second fail.

Then I had a look at the email header and compared it to a previous Netflix email. The difference was stark. There was no point digging further.

It was constructed to spoof sending via sendgrid.net, cloaked as being from zeald.com.
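The header comparison described above can be partly automated. This added example (not the author's code) parses a constructed message and flags where the ‘From’ domain, Return-Path, DMARC result and link hosts fail to line up with the domain the brand is expected to send from; netflix.com as that expected domain, the function names and every sample value other than zeald.com and sendgrid.net are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample, not the real message. Only the domains zeald.com and
# sendgrid.net come from the article; every other value is made up.
SAMPLE = """\
From: "Netflix" <netflix.aws@zeald.com>
Return-Path: <bounces@sendgrid.net>
Authentication-Results: mx.example; spf=pass smtp.mailfrom=sendgrid.net; dmarc=fail header.from=zeald.com
Subject: Update your payment details
Content-Type: text/html

<a href="https://u0000000.ct.sendgrid.net/ls/click?upn=constructed">Update account</a>
"""

def org_domain(host):
    # Naive registrable domain (last two labels); assumption: no multi-part suffix such as .co.nz.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_message(raw, expected):
    """Return findings where the message does not line up with `expected`."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = org_domain(addr.rpartition("@")[2])
    findings = []
    if from_dom != expected:
        findings.append(f"From domain {from_dom} is not {expected}")
        if expected.split(".")[0] in display.lower():
            findings.append(f"display name {display!r} uses the brand name anyway")
    # Envelope sender (Return-Path) compared with the visible From domain.
    rp_dom = org_domain(parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2])
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    # The receiving server's DMARC verdict, if it recorded one.
    dmarc = re.search(r"\bdmarc=(\w+)", msg.get("Authentication-Results", ""))
    if dmarc and dmarc.group(1).lower() != "pass":
        findings.append(f"DMARC result is {dmarc.group(1)}")
    # Every link in the body should lead to the brand's own domain.
    for href in re.findall(r'href="([^"]+)"', msg.get_payload()):
        host = urlparse(href).hostname or ""
        if org_domain(host) != expected:
            findings.append(f"link points to {host}")
    return findings

if __name__ == "__main__":
    for finding in check_message(SAMPLE, "netflix.com"):
        print("-", finding)
```

Legitimate bulk mail sent through an email service can also trip the Return-Path and link checks, so treat the findings as prompts to look closer at the raw header rather than as a verdict.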

In summary: if you encounter an email with a subject/content that doesn’t tie in with your known account status, and a ‘From’ address that, if you were to reply to it, doesn’t show as sending directly to that business: DELETE IT.