Netflix and Phish: A Reminder to Think Before You Click

Hey, gang! Happy Monday! Did you have a good weekend? Binge-watch anything good on Netflix? (You do have a Netflix account, right? I mean, everyone does.) By the way, can I have your Netflix password?

I sincerely hope you said no. After all, a lot of what we’ve talked about in the past few weeks has been about internet safety and password protection. But there is a new phishing attack out there that looks pretty convincing, and you could end up letting someone watch all the movies their heart desires on your dime.

Something Phishy

Now, we’ve already talked about phishing before. Phishing is the most common cyberattack out there–most people get suspicious e-mails and know not to send their life savings to that Nigerian prince. But what if you get a message from someone that sounds legitimate? What if you get an e-mail about your payment information that appears to come from Netflix?

That’s what’s been going on lately. Netflix has been a popular target for the past couple of years, but there has been a resurgence in the last month or so of phishy e-mails. You may see the familiar company logo, with a big friendly button to click and update your account details. And the reason for the message? Lately, they’ve been reading along these lines:

“We recently failed to validate your information, we hold on record for your account we need to ask you to complete a brief validation process in order to verify details. Once that information has been updated, you can continue enjoying Netflix. please click the button below to get started.”

Sounds legit, right? Some glitch in the matrix messed up your account, so all you have to do is just re-verify your stuff so you can get back to binging the second season of A Series of Unfortunate Events (Neil Patrick Harris’s Count Olaf is my favorite villain right now, y’all). So clickety on that button, and it takes you to a Netflix page, and you input your e-mail address, your password, your credit card number, and that’s it. You’re good to go, right?

Except by doing so, you’ve been taken to a fake website specially constructed to look like it’s a Netflix page. And you just gave your password and credit card information to that Nigerian Prince (or Russian rogue, or whatever masked bandit is on the other end).

Why Netflix?

“But Wordsmith, my friend,” you say. “Why on earth would anyone care about my Netflix account? It’s not exactly like they’re getting to my money from Netflix.” True. They may be watching movies on your dime, but that’s not the same as funneling cash from your bank account. (I mean, I’m not really cool with the idea of anyone freeloading on my Netflix account, but you might be.)

Except for a couple of things. One, if you input your credit card information on the fake website, you just gave them access to go shopping on your tab. Two, and this one is REALLY IMPORTANT, a LOT of people use the same password for a lot of different accounts. Because we have trouble remembering passwords, we’ll recycle the same one for Netflix, Facebook, Amazon, bank accounts, medical records, Instagram, everything.

If you’re in this boat (you know who you are), then if you fall for one phishing e-mail, you’ve given up access to your whole life. And even if you don’t reuse the exact same password, plenty of people use the same password with a one-character variation: password1, password2, password3. Even if the attackers didn’t get your bank password, they now have enough to guess it in a handful of tries.

But there is hope. For one, you’re smart enough NOT to fall for the scheme when you find it in your inbox. And for two, there are ways to protect yourself just in case of an accidental click.

Helpful Hints

1. Never click an e-mail link in the first place.

If you really want to check into the veracity of the message, go to the main webpage of the company instead of clicking the link. If it’s real, there should be something on the webpage with directions on how to handle the situation. If you do hover over the link (without clicking), your browser shows the real address it points to; if that isn’t the company’s own domain, you have your answer. If you’re directed to call a phone number, independently verify the company’s phone number–don’t just use the number provided in the e-mail. If the e-mail comes from the masked bandits, the phone number is going to ring directly to them–of course they’re going to tell you everything’s fine!
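Here is what “look where the link really goes” means in practice. This is an added example, not code from the original post: it pulls every link out of a constructed sample e-mail (the hostnames `netflix.com.account-verify.example` and `203.0.113.7` are made up for the demo) and flags any link whose real destination isn’t the company’s own domain, or whose visible text names the real site while the link goes somewhere else.

```python
# Added example (not from the original post): extract every link from a
# constructed phishing e-mail and compare where the visible text *says* it
# goes with where the href actually points. All addresses below are made up.
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body, modelled on the kind of message described above.
SAMPLE_EMAIL_HTML = """
<p>We recently failed to validate your information ...</p>
<a href="https://netflix.com.account-verify.example/login">Update your account</a>
<p>Or visit <a href="http://203.0.113.7/nf/">https://www.netflix.com/YourAccount</a></p>
<p>Help: <a href="https://help.netflix.com/">help.netflix.com</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def belongs_to(hostname, domain):
    """True only if hostname is the domain itself or a real subdomain of it.
    A plain suffix check would wrongly accept 'notnetflix.com', and a
    prefix check would accept 'netflix.com.account-verify.example'."""
    return hostname == domain or hostname.endswith("." + domain)


def audit_links(html, legit_domain):
    """Return one verdict per link: (href, visible text, reason or 'ok')."""
    collector = LinkCollector()
    collector.feed(html)
    verdicts = []
    for href, text in collector.links:
        parts = urlsplit(href)
        host = parts.hostname or ""
        if not belongs_to(host, legit_domain):
            if legit_domain in text:
                reason = f"text shows {legit_domain} but link goes to {host!r}"
            else:
                reason = f"points at {host!r}, not {legit_domain}"
        elif parts.scheme != "https":
            reason = "not https"
        else:
            reason = "ok"
        verdicts.append((href, text, reason))
    return verdicts


if __name__ == "__main__":
    for href, text, reason in audit_links(SAMPLE_EMAIL_HTML, "netflix.com"):
        print(f"{reason:55} {text!r} -> {href}")
```

The `belongs_to` check is the part people get wrong: the hostname in the first link starts with `netflix.com`, which is exactly the trick, so only a match on the domain itself or on a real subdomain (something ending in `.netflix.com`) counts.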

2. Make sure your passwords are different for each account.

Having the same password for every account you have is the equivalent of leaving the door unlocked. A thief may not be looking to forcibly break into your car—he may just check the door to see if it’s unlocked. If it’s unlocked, he’ll go through everything and take what he wants. Same concept for your online passwords–the first thing an attacker will do is try that e-mail and password combination on other sites (the trade calls this “credential stuffing”). If it works, then all of your information is ripe for the picking. Don’t let this happen to you–have different passwords for everything.

Not only should you have different passwords, but they should be kind of complicated. If a password is a combination of words familiar to you, it is easier for someone with a little know-how and a few extra tools to crack: the attacker feeds a list of common words and names into a program that tries each one, along with the usual tweaks like a capital letter at the front or a digit on the end (they call it a “dictionary attack”). The best practice is to use a combination of upper-case and lower-case letters along with numbers and symbols (you know, the wing-a-dings on top of the numbers on your keyboard), and the longer the better. “gT5$9ih%U” is a more complicated password than “SallysMom1” and is more difficult for someone to crack, even though the second one is longer: one is random, the other is two words and a digit.
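To show why “SallysMom1” loses to a dictionary attack while “gT5$9ih%U” doesn’t, here is a toy version of that attack. This is an added example, not code from the original post; the wordlist is constructed for the demo (real ones have millions of entries and far more mangling rules, which is exactly the point), and plain SHA-256 stands in for whatever hash a site uses, since the lesson here is about guessability, not hash speed.

```python
# Added example (not from the original post): a toy dictionary attack of the
# kind the text describes, run against the two passwords quoted above.
import hashlib
import itertools
import math

# Constructed wordlist: names and words an attacker might guess for a target.
WORDLIST = ["sally", "sallys", "mom", "dad", "fluffy", "netflix", "password"]


def sha256_hex(password):
    """Stand-in for a stored password hash (sites should use a slow hash,
    but for a dictionary attack the guessing, not the hashing, is the story)."""
    return hashlib.sha256(password.encode()).hexdigest()


def candidates(wordlist):
    """Yield guesses built from one or two words with the usual tweaks:
    lower / Capitalised / UPPER forms and an optional trailing digit."""
    forms = set()
    for w in wordlist:
        forms.update({w, w.capitalize(), w.upper()})
    forms = sorted(forms)
    bases = forms + [a + b for a, b in itertools.permutations(forms, 2)]
    for base in bases:
        yield base
        for d in range(10):
            yield f"{base}{d}"


def dictionary_attack(target_hash, wordlist):
    """Return (password, guesses_used) if a candidate hashes to target_hash,
    else (None, guesses_used)."""
    n = 0
    for n, guess in enumerate(candidates(wordlist), start=1):
        if sha256_hex(guess) == target_hash:
            return guess, n
    return None, n


def guess_space_bits(length, alphabet_size):
    """log2 of how many equally likely strings exist at this length and
    alphabet: the work a brute-force attacker faces when nothing is guessable.
    9 random printable-ASCII characters (94 symbols) is about 59 bits."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for pw in ("SallysMom1", "gT5$9ih%U"):
        found, tries = dictionary_attack(sha256_hex(pw), WORDLIST)
        print(f"{pw!r}: {'cracked' if found else 'not found'} after {tries} guesses")
    print(f"random 9-char password: {guess_space_bits(9, 94):.1f} bits of work")
```

“SallysMom1” is nominally ten characters from a 62-symbol alphabet (about 59 bits if it were random), but it falls in under five thousand guesses because it is built from words plus a digit. The random nine-character password never appears in the candidate list, so the attacker is left with the full 59-bit search.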

Bottom Line: The more difficult you make things for an attacker, the less likely they are to persevere–chances are they’re looking for the low-hanging fruit.

3. Consider using a password manager.

Of course, if you’re making your passwords more complicated (like you should), chances are good that you will have trouble remembering them (that’s kind of the point–it shouldn’t be too easy). That’s where a good password manager will come into play. We’ve touched on password managers in the past, as well.

Password managers exist to make your life easier AND more secure. You don’t have to choose between protecting your information and ease of access. The idea is that a password manager stores your passwords in an encrypted format (so outsiders can’t read them), and you can access all your passwords in one place. It’s more secure than, say, a spreadsheet on your PC titled “Passwords.” (We’ve seen people do that before, and it makes us break out in hives.)

It’s also more secure than writing them down on a piece of paper on your desk. You never know who could walk by and see it or snatch it up. Many password manager programs also have a feature that allows you to generate complex passwords when you need a new one, and then save it for future access. It takes the hard part out of coming up with passwords–you don’t even have to think of one if you don’t want to. Even better, you don’t have to remember if the % comes before or after the G.
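For the curious, this is roughly what the “generate a password” button in a manager does under the hood. It is an added example, not code from the original post or from any particular password manager: it draws characters from Python’s `secrets` module (a cryptographically secure random source, unlike the `random` module, which is predictable) and throws away any draw that happens to miss one of the four character classes the post recommends.

```python
# Added example (not from the original post): a password generator of the
# kind a password manager provides. Uses the secrets module (CSPRNG), never
# random, and retries until every character class is present.
import secrets
import string

CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,  # the "wing-a-dings": !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
)
ALPHABET = "".join(CLASSES)


def has_every_class(password):
    """True if the password contains at least one character from each class."""
    return all(any(ch in cls for ch in password) for cls in CLASSES)


def generate_password(length=20):
    """Return a uniformly random password over ALPHABET that contains every
    class. Rejection sampling keeps the draw uniform; forcing one character
    per class into fixed positions would not."""
    if length < len(CLASSES):
        raise ValueError("too short to contain every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_every_class(candidate):
            return candidate


if __name__ == "__main__":
    for _ in range(3):
        print(generate_password(20))
```

Twenty characters from this 94-symbol alphabet is about 131 bits of work for a brute-force attacker, far past anything worth attempting; the rejection loop almost never fires at that length, but it guarantees the result satisfies the “upper, lower, number, symbol” rule that many sites enforce.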

As always, friends, the Wordsmith does not get paid for anything that we’ve mentioned in this post. We would be ever grateful if you subscribe to our e-mail list, and/or follow us on Facebook or Twitter.