Scam Emails – Netflix Billing Problems

I’ve been getting a fair number of emails claiming to be from Netflix recently, telling me I have a problem with my account. It’s also blatantly obvious that they’re fake, so I’m not responding to them. But as the scammers are clearly desperate for attention, I’m only too happy to do a post highlighting their messages. Especially as they’re using a few sneaky little tactics to try and bypass spam filters and trick the human eye.

The Email

The messages I’ve been getting are all pretty much identical, but I’ve kept the most recent 3 for comparison purposes. Here’s a screenshot of the latest one:

From Name & Address

The most recent emails have all had NetFlix as the From name. Notice how the F is a capital letter – Netflix themselves do not write their name in this way. They use standard Title Case, with just a capital N at the start, while their logo image is all capitals.

And in the latest email, the scammers have gone one step further, to try and bypass any filters or rules blocking the term NetFlix. This time, they’ve changed the letter F to a special Unicode character. So it looks a bit like a letter F to the human, but to a computer it isn’t the same F character as before.

Furthermore, when you click on the name to see the actual address behind the name, it isn’t Netflix related in the slightest. For the latest 3 emails, the names and addresses have been:

1. NetFlix (eid45551211@hotmail.com)
2. NetFlix (bounces.2009100f@aztus.com)
3. Netℱlix (bounces.093333f@aztus.com)

Aztus claim to be “Quebec’s professional web host”, and its official language is French. Whereas NetFlix is an American company, so there is no reason for them to be using a French host. Nor would NetFlix use Hotmail either. All emails would come from Netflix.com only.

So, as usual, we already know the email’s fake before going any further. But let’s continue as usual anyway.

To Address

Easy one this. It’s addressed to “undisclosed recipients”, which means it’s gone to an entire mailing list of people, but all the addresses are hidden from the recipients. If the email were meant for me personally, it would have my address displayed openly, and it wouldn’t be going to anyone else.

Subject Line

Now, this is a bit sneaky, so much so that I’ve only just noticed their little trick by pasting the subject lines here.

To the naked eye, the subject lines of the last 3 emails appear to say:

1. Billing Issue – CXZ89491X
2. Billing Problem!
3. Billing Problem!

However, they actually don’t say that. The scammers know that many automated spam filters, and people who are fed up of receiving spam emails, might try and block the word “Billing” or the phrase “Billing Problem”, to stop getting these emails. So they’ve had to find a way around it.

And what they’ve realised is that, in certain fonts, an uppercase letter I looks pretty much identical to a lowercase letter L. So they’ve swapped them around. Uppercase I’s are now lowercase L’s and vice-versa.

This means the subject lines actually say:

1. BiIIing lssue – CXZ89491X
2. BiIIing ProbIem!
3. BiIIing ProbIem!

But to a casual viewer, it doesn’t look wrong. Even now it might not be obvious to you reading this, depending on your device and browser settings. It only became apparent to me when pasting the text into this post, because I’s and L’s are much more distinguishable from each other. Of course, if you’re using a screenreader that speaks text to you, the anomaly will be obvious I’m sure. I imagine having 4 letter I’s in a row in “Billing” is going to sound a bit weird, along with the L at the start of “issue”.

This all basically means that filters or rules looking for the the word “Billing” won’t work. You would need to specify all possible combinations of I’s and L’s to filter emails that way. Indeed, if the scammer’s use of a special F character in the From name is any indication, they might find ways of using other characters in the word “Billing” as well.

Message

The message – which is the same on all the emails I’ve had – appears to be based on an official Netflix email that the scammers have heavily modified for their own purposes. As such, the message starts with the Netflix logo to make it look official, which is taken from:

http://cdn.nflximg.com/us/email/logo/newDesign/logo_v2.png

That site appears to be owned by Netflix, so perhaps they use it as a repository for their email and marketing graphics.

After that, we then get the text of the message:

Reset your information

Hi,

Some information on your account appears to be missing or incorrect.

Obviously we’d love to have you back. If you change your mind, simply restart your membership to enjoy all the best TV shows & movies without interruption.

VERIFY MEMBERSHIP

We’re here to help if you need it. Visit the Help Center for more info or contact us.

-The NetFlix Team

Apart from NetFlix being written with a capital F yet again, there are a couple of other important details to note.

Firstly, it doesn’t address me by name. All of the emails I’ve had from Netflix, including the advertising messages they send me, include my name (often in the subject line as well as the main body of the message). There is also another unique element in the footer that I’ll get to later. But as this scam message have my name, it’s not aimed at me specifically.

The message says they would love to have me back if I change my mind, which implies I’ve left the service. Yet it also says I need to reset my information as if there’s something wrong with it. And the subject line claimed there was a billing problem. So there’s a lot of contradiction and inconsistency here. If there were a genuine billing problem, the text of the message would be much more geared towards that subject.

Links

The “Verify Membership” link is obviously the key part of the email, as that’s what the scammers want you to click on. However, as you’ll have guessed, it doesn’t point to Netflix at all. In fact, it’s pointed somewhere slightly different with every message:

• https://is.gd/vRXLav
• https://is.gd/nV2ERJ
• https://is.gd/Olc4gC

The is.gd website is a URL shortening site, allowing you to generate a short link that points to a much longer one. Better known sites for this are Bit.ly and Tiny URL, as two other examples. It also has the effect, therefore, of hiding what the real address is. You won’t know where it’s pointing to until you click the link and get redirected. But that’s obviously very dangerous where a scam email is concerned. is.gd do have a spam policy, but it’s evidently proving easy for the scammers to keep creating new links regularly.

There are sites that allow you to expand short URLs to see where they’re pointing, without actually taking the risk of visiting them. But I’ve tried a few with no success, because it looks like either is.gd or the scammers are quickly disabling the links. If I get another email from them though, I’ll try and establish the address before they disable it and update this post. It won’t be pointing to the Netflix site though, I can guarantee that.

Update: I have since received another identical email from the scammers, and was able to track the URL. It was using another is.gd link, and the Expand URL site shows it redirects you to a site that clearly isn’t Netflix (I’ve removed the http prefix so hopefully it isn’t clickable):

attemptes.flywheelsites.com/wp-content/plugins/ubh/logabod/1c3d8080cd282bccd41521518/

Interestingly, the address suggests they’re using a WordPress plugin, but I’m not going to visit the link to find out what it does.

Netflix doesn’t use URL shortcodes in its emails though, because they don’t need to. Their links always point directly to pages on Netflix.com itself, so if a link isn’t pointing there, don’t click it. Interestingly, the scam message mentions going to the Help Center for further information, but doesn’t include a link to it. Whereas I have official emails from Netflix where the words Help Center are a direct clickable link to the correct part of the Netflix.com website.

But as always, if you’re in any doubt as to whether a link is safe, don’t click it. If you’re worried there might be a problem with your Netflix account, go to the official Netflix site yourself, using a bookmark in your browser, or searching for Netflix on Google, or whatever. Don’t click any links in the email itself.

Footer

After the main body of the message, there is yet further evidence that the message is fake. And there’s actually more here than you might think at first glance.

The text in the black box is an official footer copied from an official Netflix email, but has again been modified by the scammers slightly:

Questions? Visit the Help Center

This account email has been sent to you as part of your NetfIix membership. To change your email preferences at any time, please visit the Communication Settings page for your account.

Please do not reply to this email, as we are unable to respond from this email address. If you need help or would like to contact us, please visit our Help Center at help.netfIix.com.

This message was mailed to [you] by Netflix.

SRC: 12514_en_MA

Use of the NetfIix service and website is subject to our Terms ofUse and Privacy Statement.

?NetfIix International B.V.?

There are again various things to note here:

• “This message was mailed to [you] by Netflix.” – This is an important part of the footer to check. Official Netflix emails contain your email address in square brackets in this sentence, to prove who was meant to receive the email. But as the scammers can’t easily do that (although it’s certainly not impossible), they’ve just replaced it with the generic word “you”, rendering the sentence meaningless.
• The text “Help Center” in the first line looks like it should be a clickable link, but it isn’t. In a proper Netflix email, this would certainly be clickable.
• Other links in the box do work, however, and do actually point to the proper Netflix.com website. This helps to give the impression that the email is genuine, leading you to assume that the “Verify Membership” link above is also safe, when it isn’t. That said, the scammers could also update these footer links to point to the same dodgy addresses as above if they wanted to, they just haven’t done so yet.
• The “Terms of Use” link is messed up. All 3 words should be part of the link, but only the word “Use” has been linked here, and the space after the previous word has been removed.
• References to the word “Netflix” in the footer don’t have a capital F, making them inconsistent with the rest of the message.

But wait, there’s a big empty section below that black box. And there appears to be a blue underline all on its own, suggesting there’s a link there. So let’s highlight that area and see what appears…

Well, well, the plot thickens, although not as effectively as one in a decent Netflix movie.  Now we can see extra text that relates to… er… car hire and air travel?

Reduced Deposit Terms & Conditions *Reduced Deposit applies to bookings made at least 6 weeks in advance of pickup. Outstanding balance taken 4 weeks before pickup. Offer ends 31/01/2019. Deposit amounts vary on car type and total price of car, are non-refundable and will be cl

Ryanair D.A.C. (Company No. 104547).
Dublin Office, Airside Business Park, Swords, Co. Dublin, Ireland.early illustrated on scre

Reduced Deposit Terms & Conditions *Reduced Deposit applies to bookings made at least 6 weeks in advance of pickup. Outstanding balance taken 4 weeks before pickup. Offer ends 31/01/2019. Deposit amounts vary on car type and total price of car, are non-refundable and will be cl

Ryanair D.A.C. (Company No. 104547).
Your My FlightNetwork® temporary password is: 8YTue91R

Please click here to confirm that we’ve got the right email for you.

If you’re having trouble confirming your registration, copy and paste
the following URL into your browser:
Once you verify your account, you’ll be able to change your password to
something that you’ll remember.

For some reason, presumably a further attempt to trick spam filters, the scammers have used an email from My Flight Network, on top of which to build their Netflix email. They’ve mangled the text of the footer in the process, so some words and sentences are incomplete and some information is missing. The only clickable link is in the sentence “Please click here to confirm that we’ve got the right email for you.”, which appears to be an official verification link to the My Flight Network website.

So it’s a very odd addition to the email, and they’ve attempted to hide it by making the text white. But if you ever see a large blank space at the bottom of a suspicious email, chances are it contains a random footer like this, so it’s worth highlighting that area to see what it contains. If you hover over your mouse cursor over the area and it changes from an arrow to a text cursor, then you know there’s text there you can highlight. Or when you have the message open, use Select All (e.g. Ctrl+A on Windows or Command+A on Macs) to highlight everything in the message. But whatever way you do it, if it bears no relation to the rest of the message, that’s further evidence that it’s a scam. Although by the time you reach the footer you should already have reached that conclusion long ago.

Conclusion

We didn’t need to go through the message in detail to discover that it was fraudulent. Just by taking any individual aspect of it, there’s ample evidence to prove it. But it just goes to show how many clues scammers leave behind to give themselves away. And there are scammers who are much more sophisticated than this, and can make their emails look much more believable and professional. So it’s well worth knowing how to dig through an email to check its authenticity, by looking for anomalies and mistakes.

If you have received an email like this and you did click the link, then you need to be very careful. If you were asked to enter your login details, and did so, you must change your Netflix password immediately. That way, the scammers can’t log in and view your details, and can’t use the service at your expense. And regardless of whether or not you were asked to do that, make sure you run a scan with an up-to-date virus scanner on your computer, just in case something nasty downloaded in the background. And if you’re worried about your payment data, keep an eye on your bank account and contact your bank if you see any transactions you don’t recognise (which is good general practice anyway).

And remember, if anything in an email ever gives you any cause for doubt, no matter how small, don’t click on anything in the message or respond to it directly. Instead, go to the official company’s website, via your own bookmarks or Google, and contact them that way. If it’s genuine, they’ll tell you, and if it’s not, they’ll be grateful for the warning. Stay vigilant and safe as always!