In the Information Age, personal information is a valuable commodity. For years, cyber criminals have made a living out of running phishing scams to steal personal details. One of the most recent examples is the Netflix phishing email scam, which attempted to trick Netflix users into updating their payment information with fake verification emails.
Research shows that phishing attacks are now a leading cause of data breaches, with 22% of confirmed data breaches involving phishing attempts. So, if you want to stop hackers from accessing your data, you need to know the signs of an attack. This article will examine the Netflix phishing campaign and highlight how cyber security leaders can spot future attacks.
The Netflix Email Phishing Scam: Here’s What Happened
Back In July, Armorblox released a blog post examining a series of phishing emails aimed at Netflix customers. The cyber security provider discovered the scam when its office security platform flagged fake emails targeting customer inboxes.
In the messages, hackers impersonated Netflix support team members and told the recipient there was an error in verifying their address and payment details. The emails said that “Netflix” would cancel the victim’s subscription if they didn’t update their details within 24 hours.
At the bottom of the email, a link instructed users to “click here to update your information.” Clicking on the link took the victim to a CAPTCHA form followed by a phishing site that mimicked the real Netflix login page with a series of forms where the user could enter their login credentials, billing address, and payment details.
Users who completed the forms were redirected to the legitimate Netflix home page after the fraudsters harvested their details. By manipulating the Netflix subscribers into providing personal information, the attackers had obtained details that they could use to conduct fraud, with the victims being none the wiser.
Lessons to be learned from the Netflix Email Phishing Scam
Examining the attack offers a handful of key lessons for enterprises:
1. Spam filters aren’t 100% effective
While spam filters are good at weeding out some phishing scams, many can still get through. Enterprises can’t rely on filtering alone to detect security threats and must train employees to spot the signs themselves.
2. Hackers are using CAPTCHA to mislead victims
The fraudsters included the CAPTCHA page specifically to trick victims into thinking the website was legitimate. To avoid falling victim to a similar fraud attempt, don’t assume a website is authentic simply because it has a CAPTCHA form.
3. Fake sites have fake links
One of the biggest red flags of the Netflix phishing attack was that the phishing site had a fake URL. Whenever you or an employee receive a suspicious email, investigate all the links carefully to see if the destination is legitimate.
4. Always be skeptical of payment verification emails
Scammers often use payment verification emails to steal private information, so always be skeptical of emails that request payment information. If in doubt, encourage employees to reach out to service providers by phone or directly through their website.
5. Be wary of a sense of urgency
The hackers told the recipients of the messages that they had 24 hours to update their details to put pressure on them to provide their details immediately. If you or your employees receive an email using these pressure tactics, you can safely ignore it.
How to Defend Against Phishing Attacks: Tips for Cyber security Leaders
While it sounds simple in theory to spot bogus emails and links, it’s much more difficult in practice. People live busy lives, and it’s easy to skim over a phony email that looks legitimate at first glance. To consistently detect these attacks, you need to:
1. Educate your employees about phishing threats
Knowledge is your employees’ first line of defense against phishing threats, so using phishing simulation tools to educate them about the signs of a fraudulent email or website is a great place to start. Relevant training will enable employees to detect fake messages and sites independently.
2. Use security awareness training and phishing awareness training
Give employees access to proactive security awareness training and phishing awareness training to keep emerging phishing and social engineering threats top-of-mind for employees. Inform them of the most current and frequently used scenarios in phishing attacks.
3. Train internal cyber security ambassadors to raise awareness of phishing attempts
Appoint and train key team members as cyber security ambassadors to provide knowledge of cyber threats to employees. Building a training and mentorship program will educate your ambassadors, so they’re fully-equipped to support the next wave of ambassadors.
4. Update and protect all IT systems
Regularly patch and update all software, applications, and operating systems to ensure there are no vulnerabilities that attackers can exploit. Systems should also be protected by malware protection and anti-spam software to shut down potential entry points. Enable your incident response team to allow for quick response and remediation.
5. Produce cyber security and phishing campaign updates
Releasing timely communications to employees about new cyber threats and best practices will make sure they are prepared to combat the next generation of online scams. Sending out brief emails packed with actionable information on how to protect a password and other sensitive information or spot a phishing attack can help boost employee knowledge.
To help enterprises prepare to fight off similar phishing attacks, Terranova Security is launching the Gone Phishing Tournament in October to enable organizations to compete in phishing simulations against other industry peers, to see who gets the lowest click-through rate.
During the tournament, employees will undergo phishing simulations over a set period to measure how well they spot email scams. Once the contest is over, each organization receives a personalized analysis report and global benchmarking report to show how they stack up against other competing organizations.
If you want to see how your employees’ phishing detection skills compare to your competitors, register for the Gone Phishing tournament now.
Cyber Security Hub : Access Exclusive Cyber Security Content
Sign up now to access engaging, shareable cyber security awareness content that’s available in multiple formats.