Bogus Netflix Email Steals Passwords, Credit Cards

A new phishing scam targets Netflix's 44 million customers worldwide by asking them for their Netflix login credentials — and their credit cards as well.

The scam uses an email with the subject line "Important Notice," according to a blog post by Michael McKinnon of the Czech antivirus firm AVG. The body of the email contains a big red button reading "CLICK HERE TO VERIFY YOUR ACCOUNT."

"Failure to complete the validation process will result in a suspension of your Netflix membership," states the email, adding that "all account holders who refuse to update billing information within three days of receipt of this email will lose his/her account permanently."


The grammar in the email is not perfect, but it's good enough to fool some people, especially those who themselves have imperfect English. Clicking the big red button takes the victim to a bogus Netflix login page. If the email address and password are entered, the scammers will get access not only to the victim's Netflix account, but to all other online accounts that use the same credentials.

A subsequent page on the bogus site asks to "Validate Your Payment Information" and has fields for full name, card number, expiration date and security code. Naturally, filling in any of those fields would hand the information to online criminals.

A screenshot that AVG took of the bogus Netflix website appeared tailored to users in the United Kingdom, displaying a British toll-free service number and a URL that included "netflix.co.uk" as a subdirectory. But it wouldn't be difficult to tweak the page for Netflix customers in other English-speaking countries. (Netflix serves all of the Americas except Cuba, and most of western Europe.)
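
The "netflix.co.uk" in that URL sat in the path, which the site operator chooses freely; only the host shows which server a link leads to. As an added example (not from AVG or the original article), this Python code classifies links the way a mail filter might, generalizing from the path case to brand strings inside look-alike hostnames. The trusted-host list, marker strings and sample URLs are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumption: hosts the mail filter treats as genuinely Netflix-operated.
TRUSTED_HOSTS = {"netflix.com"}
# Brand strings worth flagging when they appear outside a trusted host.
BRAND_MARKERS = ("netflix.com", "netflix.co.uk", "netflix")


def is_trusted_host(host):
    """True when host is a trusted domain or a subdomain of one."""
    host = host.rstrip(".")
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def classify_link(url):
    """Return 'trusted', 'brand-in-path', 'brand-in-host' or 'unrelated'."""
    parts = urlsplit(url.strip())
    # .hostname is lowercased and excludes any userinfo and port, so only
    # the part of the URL that decides where the browser connects is compared.
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https") or not host:
        return "unrelated"
    if is_trusted_host(host):
        return "trusted"
    # Everything after the host is chosen freely by whoever runs the site.
    rest = (parts.path + "?" + parts.query).lower()
    if any(m in rest for m in BRAND_MARKERS):
        return "brand-in-path"
    if any(m in host for m in BRAND_MARKERS):
        return "brand-in-host"
    return "unrelated"


# Constructed sample links (example.test uses a reserved test TLD).
SAMPLES = [
    "https://www.netflix.com/YourAccount",
    "http://hosting.example.test/netflix.co.uk/login.html",
    "http://netflix.com.example.test/verify",
    "https://news.example.test/article",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify_link(link):14} {link}")
```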

To avoid being scammed by phishing emails, never click on links embedded in the body of email messages, even those that appear to come from trusted sources. Instead, open up a Web browser and type in the URL of the service in question yourself if you need to check on the status of an account.

If you end up falling victim to the Netflix scam, immediately go to the real Netflix page and change the password on your account — and then on any other accounts that use the same email address and password. If you've given the phishers your credit-card number, call the customer-service number on the back of the card and inform the card issuer of what's happened.

Paul Wagenseil is a senior editor at Tom's Guide focused on security and gaming. Follow him at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.