Back in July, I had the opportunity to pen an article for AppRiver’s company blog regarding a Netflix phishing campaign that was observed by our security research team. The campaign in question attempts to steal login credentials from Netflix customers.

The campaign attempts to impersonate a Netflix account verification email. The email in part alerts the target (recipient) to a possible issue with his or her account. The target is then instructed to click on the provided link in hopes to correct the error. The cybercriminals use a common technique that spoofs the actual company’s domain name within an exploited website URL. The average user not paying close attention can easily overlook this visual deception and believe the link is a legit Netflix URL.


The exploited website is visually a carbon copy of the Netflix web login screen. Analyzing the HTML code of the site, we were able to find discrepancies that only confirmed our suspicions. It’s unclear during our investigation if the exploited site attempts to only steal a customer’s Netflix login credentials or if there a financial goal in mind, such as credit card numbers.

As you can tell from the screen capture above, it can be extremely difficult for the average user to visually identify this as a phishing campaign. One of the best ways for users to prevent becoming victim to this type of campaign is avoid clicking any links in the email. Instead, opt to visit the company’s website address directly. If there is indeed an account issue, you should be alerted on the website of the issue. Another helpful tip is to hover over the link provided in the email with your mouse cursor. If the link looks at all suspicious to you, try to get verification from the company that they indeed sent the email.

Written by Paul Tolbert
Paul Tolbert is an email security specialist & tech blogger living in Pensacola, Florida. He is the founder of where he post informative tips, research and up to date news regarding cyber security.