A recent scam has targeted, and is still targeting, millions of Netflix users, trying to get them to follow a link to "update their payment information" via a realistic-looking email. That email was crafted well enough to fool even some tech experts, and Inc's Minda Zetlin described it as "a genuine work of art as phishing goes."
Sanvada talked to two cyber-security experts, Itay Glick, CEO of Votiro, and Israel Levy, CEO of Bufferzone, to find out exactly what it is that makes the Netflix scam and crimes like it so worrying, and to discuss how email scams are evolving.
What exactly makes the Netflix scam so dangerous?
Itay Glick: The email is very misleading. It looks valid because it includes both images (like the logo for example) and personal details make it seem legitimate. People tend to engage with these types of emails out of habit and lack of concentration. However, following good and simple security practices will prevent them from falling for these tricks.
Israel Levy: Obviously the fact that Netflix is so well known makes it likely to have hit a customer. After all, everyone expects their card to expire at some point. The goal, of course, with any phishing attempt is to get access to sensitive data – and phishing generally provides an ROI that pays off. What we're seeing with the Netflix scam is an attempt to get subscribers' personal and credit card details, which can be very valuable on the dark web.
Why do people open such a high percentage of these types of scams?
Itay Glick: Spear phishing and phishing have become so popular because these emails are believable even to those with a trained eye. It has been found that people open 3 per cent of their spam and 80 per cent of spear phishing attempts. In many high-profile attacks, hackers have studied their targets for months, using the information that they’ve gathered from social media to carefully tailor their attacks.
Hackers pretend to be from a legitimate business and use social engineering tools to induce panic (or a sense of urgency) in their readers – for example, in the Netflix scenario, the email suggested that user accounts would be suspended unless customers entered some of their billing information. An email from a "bank", for example, may say that it needs your customer information to verify records due to a technical error, etc.
What’s the definition of spear phishing, as opposed to regular phishing?
Itay Glick: In a phishing scam, emails are sent to a wide group of people without specifically targeting anyone. The attackers know that not everyone will respond, but they know that if they send enough emails out, enough people will.
The Netflix attack is an example of a phishing attack since it was sent to a large group of people but it wasn’t necessarily tailored to each individual. Netflix users and likely a range of people who weren’t customers received an email stating that their Netflix account had been suspended, due to a problem with their billing information (this may be very believable). The email offered a link for users to click on, taking them to what looked very much like a Netflix landing page.
Spear phishing, on the other hand, is much more targeted. Hackers target specific organizations and individuals with seemingly innocuous emails that pretend to be from coworkers, friends, or family members, but are actually infected with malware. In many high-profile attacks, hackers have studied employees for months, using the information that they've gathered from social media to carefully tailor their attacks.
What can people do to protect themselves?
Itay Glick: Users should think twice before they click on a link or enter any personal information. To see if a link is legitimate, they should use their mouse to hover over each link to see where it leads or, when using an iPhone, give each link a long press. Be sure to check the domain and view the SSL certificate (to protect from man-in-the-middle attacks). Furthermore, organizations that have a large amount of customer data must protect themselves and find solutions that will remove human error from the equation and ensure that emails received within an organization are safe to open.
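The "hover over the link and check the domain" advice above is exactly what a mail gateway or security team can automate. The following is an added example written for this article, not code from Votiro, Bufferzone or Netflix: it parses a constructed billing-alert email body, pulls out every link, and flags the same warning signs a careful reader would look for, namely a destination that is not the expected domain, a plain-http link, and a visible link text that names one host while the underlying href points somewhere else. The sample HTML, the placeholder domains (the reserved `.example` TLD and a documentation IP range) and the `EXPECTED_DOMAINS` allowlist are all assumptions made for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a "billing problem" email body (assumption; not a real message).
# The first and third links are deliberately suspicious, the second is legitimate.
SAMPLE_EMAIL_HTML = """
<p>Your account has been suspended due to a problem with your billing information.</p>
<p>Please <a href="https://netflix-billing-update.example/verify">update your payment method</a> now.</p>
<p>Visit <a href="https://netflix.com/">netflix.com</a> for help.</p>
<p>Sign in at <a href="http://203.0.113.5/login">https://www.netflix.com/login</a></p>
"""

# Registrable domains the sender is legitimately expected to link to (assumption for this example).
EXPECTED_DOMAINS = {"netflix.com"}

# Matches link text that itself looks like a hostname or URL, e.g. "netflix.com" or
# "https://www.netflix.com/login", so it can be compared with the real destination.
URL_LIKE = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/?#].*)?$", re.I)


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Naive registrable domain: the last two labels. Enough for .com; multi-part
    public suffixes such as co.uk need the Public Suffix List."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def audit_links(html_body, expected_domains=EXPECTED_DOMAINS):
    """Return one finding per link with the reasons it looks suspicious (empty if none)."""
    parser = LinkExtractor()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        url = urlparse(href)
        host = url.hostname or ""
        reasons = []
        if url.scheme != "https":
            reasons.append("not https")
        if registrable_domain(host) not in expected_domains:
            reasons.append(f"destination {host!r} is not an expected domain")
        if host.replace(".", "").isdigit():
            reasons.append("destination is a bare IP address")
        # Visible text that names a host must agree with where the link actually goes.
        if URL_LIKE.match(text):
            shown = urlparse(text if "://" in text else "//" + text).hostname or ""
            if registrable_domain(shown) != registrable_domain(host):
                reasons.append(f"visible text {shown!r} differs from destination {host!r}")
        findings.append({"href": href, "text": text,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_links(SAMPLE_EMAIL_HTML):
        flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"{flag:10} {finding['href']}  ->  {'; '.join(finding['reasons'])}")
```

The mismatch check is the important one: a link whose text reads `https://www.netflix.com/login` but whose href resolves to another host is precisely what hovering reveals in a mail client, and it is what a user who only reads the blue text never sees. The registrable-domain helper is deliberately simple; a production filter would use the Public Suffix List so that `netflix.com.example` or `example.co.uk` are handled correctly.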