
Netflix customers targeted by scam emails

Sophisticated phishing emails purporting to be from Netflix are attempting to extort customer bank details. Here are two examples you need to watch out for.

Online streaming services have revolutionised the way in which we watch TV, with Netflix at the forefront of their success.

The platform reportedly has over 150 million subscribers worldwide, so it’s easy to see why it’d be a target for scammers trying their luck with carefully crafted phishing emails.

If you’re a Netflix customer and you’ve received an email out of the blue regarding ‘updating your payment details’ or ‘expired membership’, don’t take it at face value – it could be a scammer’s attempt to extort your bank details.

‘Your account is on hold’

Fortunately, we’ve got hold of two examples of these phishing emails so you know what to watch out for.

The first is the most convincing:

The use of both Netflix and Visa’s branding here gives the illusion of a genuine email, but when you look closer, you’ll see that it’s arrived from a fraudulent email address that has nothing to do with Netflix.

It’d be easy to miss if you’re in a hurry, which emphasises the importance of checking emails like this thoroughly, especially if they’re requesting sensitive information.

Our guide to spotting an email scam can help you catch the telltale signs.

‘Suspended membership account’

The second email we’ve seen isn’t quite as slick as the first in its content, but has made use of email spoofing in an attempt to con unsuspecting Netflix subscribers:

You’ll note the incorrect spelling of ‘membership’ as ‘memebership’ on a supposedly Netflix-branded domain. Again, it’s easy to miss at a glance.

The email itself also contains classic phishing email giveaways – such as the rogue ‘You’re’ and out-of-place capital letters.

We made Netflix aware of both of these phishing attempts. A Netflix spokesperson said:

“We take the security of our members’ accounts seriously and Netflix employs numerous proactive measures to detect fraudulent activity to keep the Netflix service and our members’ accounts secure.

Unfortunately, phishing scams are common on the internet and target popular brands such as Netflix and other companies with large customer bases to lure users into giving out personal information.

Members who want to learn more about how to keep their personal information safe against phishing scams and other malicious activity can go to netflix.com/security or contact Customer Service directly.”

Keeping your accounts secure

As always, if you think you’ve handed over sensitive information to scammers, contact your bank immediately. If you’ve been a victim of fraud, here’s how to get your money back.

If you’re worried about the security of your accounts, we’d emphasise the importance of having strong passwords in place, especially for accounts such as Netflix in which two-factor authentication (2FA) isn’t in place.

Our Computing Editor, Kate Bevan, strongly recommends that you make use of 2FA wherever possible.

A password manager can help you create strong, unique, unguessable passwords. These are the ones we recommend.

Have you received a Netflix phishing email or a similar fraud attempt for another service? If so, let us know in the comments.

Know someone who subscribes to Netflix? Then please do pass on this warning.


I had a scam text rather than an email, tried to send the content by email to phishing@netflix.com but my gmail service rejected it as suspicious.

Google is doing its job John but if you are not happy then-
You need to follow below steps:

1. Login with your gmail account and find “Allow less secure apps:” .

2. Google manages security with your gmail account. You need to turn on “Allow less secure apps:” and you will receive mail in your gmail account.
I don’t advise it though, maybe better setting up a new Gmail account (in addition to your regular one) just to send them; you don’t want to end up on Google’s block list.

John Colburn says:
15 November 2019

I have received several tv licence phishing emails stating that there is a problem with
my direct debit payments.
They look very convincing however I noticed the licence no. was wrong and on one occasion had fewer digits.

Laura says:
15 November 2019

I cancelled Netflix a few months ago but have recently received several emails informing me I needed to update my payment method. Deleted them but didn’t realise they were phishing

Marilyn Powell says:
16 November 2019

I received an email supposedly from O2 a few weeks ago saying my account had been suspended as the SIM card had expired. A quick call to O2 proved there was nothing wrong with the account and they would report the scam.

Mariah says:
17 November 2019

Yes I’ve received a few of these emails, similar to the ones you display.
Luckily they give themselves away with incorrect spelling and grammar very often.
I have just deleted them in the past but it may be a better idea to send on to Netflix if I get another.

ISPs could help with this by charging a peppercorn amount after the first 50 emails each day when sending an email through their systems

K Met says:
24 November 2019

I have received a few emails from Netflix over the past couple of weeks offering me a 30 day free trial…I already have an account and pay monthly.

For those unsure they are visiting the real Netflix type-
Very clean looking website distinct lack of the usual trackers not even a hint of Google .

If you click on the scam email /URL address you will be taken to a “not so nice website ”
The real Netflix website if you are not logging in is-
again pretty clean .
TYPE it into the URL bar not the search engine one for more security .

Still not sure ?? then try this URL checker I tested it with both URLs and got—a big green –SAFE .-
It’s American and has some trackers but no malware.

As quite a lot of people are being harmed by scammers/hackers via email here is the above company’s comments on two factor authentication quote-

A recent report by Amnesty International revealed that two-factor authentication is vulnerable to hacking, particularly on mobile devices, leaving Yahoo and Gmail accounts particularly susceptible. The report can be alarming since two-factor authentication has long been thought to be the safest method for securing passwords. In case you’re new to learning about two-factor authentication, read on and find out the best ways to double down password security.

Scammers have discovered that they can use the same techniques used to steal passwords to gain access to these texted authentication codes. Using infected phishing links, they can install malware to your phone that not only allows them to extract your email password, but to send a code to your phone which they can also be stolen with the same malware. Once access to your inbox is established, cybercriminals can look through your email for clues on other accounts connected to the hijacked email address. They can then take this information to reset passwords on other accounts and take them over including gaining access to your financial data.

And good advice-
1. Start by changing your passwords often and make sure each one is unique and hard to guess. A password manager app can be used to help keep track of multiple passwords.

2. Use several different email addresses for different accounts, so all of your sensitive data isn’t associated with just one email account. That way, if one of your email addresses is compromised, the hackers don’t have access to everything.

3. Avoid saving passwords on your computer and mobile phone. While it is an inconvenience to have to enter passwords manually, it prevents thieves from getting into your accounts if your devices fall into the wrong hands.

While its very inconvenient I don’t store passwords at all but every time I visit Which I have to type it in , also as much as possible I block Jscript –not here of course or I couldn’t post and yes many website just white screen you but its much safer and if the website is okay you can allow Jscript.

Two factor authentication is least secure but most convenient when the associated internet activity and text messages use a common device, i.e. a smart phone.

When the internet activity is on a different device, then (unless hacked as suggested by Duncan above) you need to have both devices in your possession to access both the internet and the second factor security tokens.

For folk who choose to use a smartphone for the bulk of their internet activity, the option of using a second phone number, on an ordinary “dumb” phone, can be a good way of increasing security above the level of putting all your eggs in one basket and running everything off the smart phone.

I usually save and store my passwords on paper via series of hints and abbreviations. That way I know they cannot then be compromised by electronic means.

Let this be a warning to those using this website —
I got an email from Which that didn’t appear in the convo ,I wont give it the benefit of naming it in case somebody is foolish enough to try the URL but Which did the RIGHT thing in blocking it .
It is a DELIBERATE attempt to cause the regulars and posters here to have MALWARE installed on their computers —somebody made an evil attempt to cause much upset —good job Which !! you blocked it.

Duncan, presumably that email wasn’t actually from Which? but merely pretended to be so?

Wrong Derek that’s why I have full printout of DKIM/DMARC it was the “genuine article ” I am not criticising Which I am PRAISING them they stopped it .
I can back trace emails (routing) .

So has Which? been hacked?

No Derek it was just a standard email notification but never got published on Which Convo because their virus filters spotted it .
Derek Which is with Amazon much as I criticise the company its got pretty good protection on its servers not 100 % but good enough to take care of over 90 % of malware emails.

So are you saying that (1) you got an automatic email alert to a new convo post containing links to malware and that (2) the post was rapidly or automatically removed by Which?

Absolutely Derek , its the standard scamming method of using genuine email services to lead you to a malware website where nowadays you don’t even need to click on anything—-instant download of malware—well at least to Windows .

If so, then shouldn’t W?C delay its email notifications until such times as new posts have been shown to be free of malware?

I, for one, certainly don’t want email notifications from W?C (and other such sites) and I’m sure those that do want any such messages to be appropriately safe, even if it means waiting a bit before they are sent.

PS – clicking on malware links can also install browser-add-on & hijacking malware on Linux.

I presume you didn’t receive it Derek ? and anyway it was never posted .
Being “investigative ” I typed in the basic URL leaving out the slashes after it to make it look like it was “trying to help people ” and my virus control app on my browser spotted it first – big webpage of warnings KNOWN malware website -I wont go into detail .
They could Derek (clicking on something ) but as I keep saying I have very good add ons protecting my two browsers but unfortunately they are not of the extremely simplistic kind and the general public probably wouldn’t like them as well as using a much “hacked “( by myself ) programming in “about:config” and Waterfox I use with no jscript –wouldn’t suit most of the public.
Only one is very simple.

Unless comments containing links are received from “approved” regulars they are, I believe, automatically put into moderation and not published until cleared. However, the complete unmoderated comment is emailed to those who choose to be notified of new comments on specific topics. You can get these by clicking on the “Follow this conversation by email” at the bottom left of the “reply” box. I’m sure you know all this 🙂

Best never to follow a link in any email. So Which?’s process should keep us safe.


I admit to being very puzzled by your post. Can you bear with me while I go through it?

You said:

Let this be a warning to those using this website —
I got an email from Which that didn’t appear in the convo ,I wont give it the benefit of naming it in case somebody is foolish enough to try the URL but Which did the RIGHT thing in blocking it .

Okay, so you were sent an email by Which?. But none of the emails I get from Which? ever appears in the topic. I don’t know why you think it should.

You then said

It is a DELIBERATE attempt to cause the regulars and posters here to have MALWARE installed on their computers —somebody made an evil attempt to cause much upset —good job Which !! you blocked it.

but for me, anyway, that poses even more questions. You have the email on your computer, but then you say Which? blocked it – yes? So how did it reach your computer if W? blocked it?

You say the URL is the culprit, but that presumably means the email Which? sent you contained a URL pointing to a malicious site. Which suggests Which? has, in fact, been hacked. Is that correct?

You then said

it was just a standard email notification but never got published on Which Convo because their virus filters spotted it

but earlier you said it was an actual email. Can you clarify which, please?

If it was, as Derek divined, an automatic email prompting you to see a new post, are you certain it wasn’t simply a post that had subsequently been deleted? The Which? system will, for example, continue to show posts that have been deleted for transgressing the Ts and Cs so that when following the hyperlink in All Recent Activity the post cannot be found.

I did, in fact, follow one such link a day or so ago, and the post had already been deleted. I suspect that’s the more likely (and significantly less sinister) explanation.

I put it as simple as possible to Derek –did you follow my replies ?
1- I do NOT put any blame at all on Which
2- I PRAISE Which for seeing it for what it is
3- It was a genuine Which email
4- How would I know if it was deleted or not I wouldn’t even think of trying to investigate what Which does as far as security is concerned ?
5- Did I not say—Which’s Amazon servers took care of it ?

What the “beef ” John as Americans would say ?

Duncan: I fully accept the first two of your points, but the third one is what has me concerned.

What did the email actually say?
Did it include a link to a Which? topic?

I’m simply attempting to ascertain the precise facts of this.

Duncan, as Ian has also shown above, you may have thought that your original post was clear and simple, but I certainly did not find it to be so.

That was why I asked a series of questions…

Derek- “you may have thought ” –thought what Derek ??
Do you honestly think I sit at my PC making up my own mind on computer digital matters involving deep investigation—NO way !
How long have I been on this website saying I have a host of specialised /technical apps straight from Github and all the top end software engineering websites –of course I understand them ,if I didn’t I wouldn’t be able to understand them .
If that isn’t enough Arch provides me with tools to hack into peoples emails/ computers etc remotely because they are used by computer administers in big business to control their employees even remotely blocking apps etc .
I have the full details of the DKIM/DMARC trace-back and it’s 100 % legitimate – the same type of software used by all big businesses it doesn’t lie -NO MITM attack Derek.

If this carries on I will no longer think of providing help in this direction to Which — I thought I was doing GOOD –seemingly not !!
I understand digital software programming its no “big deal ” to me .

Duncan , please may I remind you that this site is Which Conversation and that conversation quite normally involves dialog.

duncan, this is not about your admirable help but the clarity of your original email. Some do not fully understand the event you set out to describe. 🙂

I will cut out my email address section-
dmarc=fail header.from=which.co.uk;
spf=none smtp.helo=a7-10.smtp-out.eu-west-1.amazonses.com;
spf=pass smtp.mailfrom=eu-west-1.amazonses.com
Received-SPF: none (re-prd-rgin-006.btmx-prd.synchronoss.net: domain
a7-10.smtp-out.eu-west-1.amazonses.com does not designate permitted sender
hosts) identity=helo; receiver=re-prd-rgin-006.btmx-prd.synchronoss.net;
client-ip=; helo=a7-10.smtp-out.eu-west-1.amazonses.com;
Received-SPF: pass (re-prd-rgin-006.btmx-prd.synchronoss.net: domain
eu-west-1.amazonses.com designates as permitted sender)
identity=mailfrom; receiver=re-prd-rgin-006.btmx-prd.synchronoss.net;
client-ip=; envelope-from=0102016ea0ff9849-7b2df823-39de-4bcc-a53a-f5d10c93d553-000000@eu-west-1.amazonses.com;
X-Originating-IP: []
X-OWM-Source-IP: (US)
X-OWM-Env-Sender: 0102016ea0ff9849-7b2df823-39de-4bcc-a53a-f5d10c93d553-000000@eu-west-1.amazonses.com
X-OWM-DMARC: spf 7 dkim 7
X-VadeSecure-score: verdict=clean score=0/300, class=clean
X-RazorGate-Vade-Verdict: clean 0
X-RazorGate-Vade-Classification: clean
Received: from a7-10.smtp-out.eu-west-1.amazonses.com ( by re-prd-rgin-006.btmx-prd.synchronoss.net (5.8.337)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
s=ihchhvubuqgjsxyuhssfvqohv7z3u4hn; d=amazonses.com; t=1574659135;
Date: Mon, 25 Nov 2019 05:18:55 +0000
From: “conversation.comments@which.co.uk”
Subject: New comment on Which? Conversation
X-Mailer: PHPMailer 5.2.22 (https://github.com/PHPMailer/PHPMailer)
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
X-SES-Outgoing: 2019.11.25-
Feedback-ID: 1.eu-west-1.KT4lrJKlLU388GUVLsGCwvS1H+OMOz+YM2Fuu+LyUCU=:AmazonSES

There’s a new comment on the conversation you said you were interested in:
https://conversation.which.co.uk/technology/microsoft-windows-7-upgrade/#comment-1581186
I am really astonished about the idea of the ending about the Microsoft Windows 7, I have been using my printer with the Windows 7 though it is creating certain issues, now that you have mentioned about it, do you think that the printer is creating issues regarding the ending of the windows 7, though I had some help from https://xxxxxxxxx.com/blog/how-to-fix-epson-printer-error-code-0xf1/, however, I do need proper information regarding it and proper knowledge about the error code
<a href='https://conversation.which.co.uk/technology/microsoft-windows-7-upgrade/?wpdiscuzSubscribeID=2616&key=bc10e2641888
Can your software engineers spot any MITM attack ?
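As an added illustration (not part of the thread, and not Which?'s or any commenter's own tooling), the sketch below reads the authentication fields from the headers posted above and checks DMARC identifier alignment, showing why the receiver recorded dmarc=fail even though SPF passed for the Amazon SES envelope sender. It assumes relaxed alignment, treats the DKIM signature as cryptographically valid because the headers show no DKIM verdict, and uses a two-entry stand-in for the Public Suffix List.

```python
import re

# Authentication fields copied from the headers posted above.
HEADERS = """\
dmarc=fail header.from=which.co.uk;
spf=none smtp.helo=a7-10.smtp-out.eu-west-1.amazonses.com;
spf=pass smtp.mailfrom=eu-west-1.amazonses.com
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
 s=ihchhvubuqgjsxyuhssfvqohv7z3u4hn; d=amazonses.com; t=1574659135;
"""

# Assumption: two-entry stand-in for the Public Suffix List, enough for this sample.
SUFFIXES = {"co.uk", "com"}


def org_domain(domain):
    """Return the organisational (registrable) domain, e.g. which.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return domain.lower()


def dmarc_check(text, dkim_verified=True):
    """Evaluate relaxed DMARC alignment from Authentication-Results style fields.

    dkim_verified=True is an assumption (best case): the posted headers show
    the signature but no DKIM verdict.
    """
    from_dom = re.search(r"header\.from=([\w.-]+)", text).group(1)
    spf = {ident: (result, dom) for result, ident, dom in
           re.findall(r"spf=(\w+)\s+smtp\.(helo|mailfrom)=([\w.-]+)", text)}
    dkim_doms = re.findall(r"\bd=([\w.-]+)", text)

    # DMARC only counts SPF on the envelope sender (MAIL FROM), not HELO.
    spf_result, spf_dom = spf.get("mailfrom", ("none", ""))
    spf_aligned = spf_result == "pass" and org_domain(spf_dom) == org_domain(from_dom)
    dkim_aligned = dkim_verified and any(
        org_domain(d) == org_domain(from_dom) for d in dkim_doms)
    return {
        "from": from_dom,
        "spf_result": spf_result,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }


# Constructed variant: same message, but signed with the From domain's own key.
ALIGNED = HEADERS.replace("d=amazonses.com", "d=which.co.uk")

if __name__ == "__main__":
    print(dmarc_check(HEADERS))
    print(dmarc_check(ALIGNED))
```

A fail of this kind means the message was authenticated for the sending service's domain and not for the From domain; it says nothing either way about the links in the message body.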

Thanks George 🙂

I have received another email , not providing an URL but pretty rude and this one looks as if its coming from a young American guy ?
I will not be posting any details as I don’t think it will get anywhere –I said about the first email— no its not in the wording its in the URL which you notice I xxxxxx out , don’t want the public clicking on it .
The wording is benign even sounding helpful therefore -IMHO -your malware control blocked it to back this up I used two online URL checkers — BOTH says its “infected” /malware site etc.
If your advice is “there is no malware ” George then I think there is a “problem ” somewhere .

Duncan, that sounds like one I reported as “Rude or Offensive” a short while ago…

Probably is Derek somebody is targeting Which .

They’re usually someone trying to advertise something. It’s something we have to watch for on any forum.

Maypatsingh Jadeja says:
22 February 2020

I have received scam E mails from Netflix in the past but I knew they were fake e mails because I do not have Netflix subscription.