Netflix phishing attack November 2017

Netflix’s use of DMARC reduced damage from huge email scam

DMARC, phishing

You may be aware that, last Friday, scammers sent out a phishing email to up to 110 million Netflix subscribers. The email included a link to a fake Netflix website that asked users to login and enter their credit card information.

However, a clear indication of a scam can be found higher up in this message: there is NO SENDER!

Fortunately for Netflix customers (and unfortunately for the scammers), Netflix is responsible when it comes to email security. The scammers couldn’t claim to send from netflix.com because Netflix uses a security policy called DMARC to protect its domain against phishing attacks.

DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol that, among other things, lets a domain owner tell receiving mail servers how to handle messages that fail authentication. Sending a phishing email “from” a domain that is not protected by DMARC is very easy: scammers can set the “from” field to whatever they want. A phishing email with a bogus from address won’t pass email authentication, but it will still be delivered to inboxes unless the domain publishes a DMARC policy of “p=reject;”.

The business that owns the domain, not the customer, is responsible for that domain’s DMARC policy, and the policy is published as part of the domain’s DNS record, meaning it’s public record. We created a tool to check the DMARC policy for any domain. Netflix uses a reject policy, which means unauthenticated emails claiming to come from netflix.com will not reach inboxes. As a result, the scammers left the “from” field empty, which was a very clear indicator to Netflix customers that this was not a legitimate communication from Netflix.
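As an added example (not Fraudmarc’s own checker), here is a small Python parser that classifies a domain’s DMARC policy from the TXT record published at `_dmarc.<domain>`; the records below are constructed samples rather than live DNS answers, and `parse_dmarc`/`effective_policy` are names chosen for this illustration.

```python
"""Classify a domain's DMARC policy from its _dmarc.<domain> TXT record.

Added example, not the blog's tool. The sample records are constructed;
a real checker would fetch the TXT record (e.g. with dnspython) first.
"""
from typing import Optional

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt: str) -> dict:
    """Split a DMARC record into lowercase tag -> value pairs (tag=value; ...)."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" not in part:
            continue  # skip empty trailing segments and malformed pieces
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def effective_policy(txt: Optional[str]) -> str:
    """Return how receivers treat mail that fails DMARC for this domain.

    'reject' / 'quarantine': spoofed mail is blocked or sent to spam.
    'none': spoofed mail is still delivered; only reports are generated.
    'unprotected': no usable DMARC record (missing, or lacking v=/p=).
    """
    if not txt:
        return "unprotected"
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return "unprotected"  # v=DMARC1 and p= are mandatory tags
    policy = tags["p"].lower()
    if policy not in VALID_POLICIES:
        return "unprotected"
    # pct= (default 100) lets a domain apply its policy to only a fraction
    # of failing mail; flag that, since the rest is delivered as with p=none.
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if pct < 100 and policy != "none":
        return f"{policy} ({pct}% of failing mail)"
    return policy


# Constructed sample records for illustration (not real DNS lookups).
SAMPLE_RECORDS = {
    "protected.example": "v=DMARC1; p=reject; rua=mailto:dmarc@protected.example",
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:reports@monitor-only.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25",
    "no-record.example": None,
}

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(f"{domain:22} {effective_policy(record)}")
```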

In this case, Netflix did all it could to protect its customers from attacks like this. But what can customers do to further protect themselves? Pay attention to small details like the from address: no legitimate email is sent from “no sender.” It is also important to hover over links within an email before clicking on them. Hovering will display the domain the link points to, either next to the link or at the bottom of your browser window. If the email is real, you should be able to log in to the site by typing the domain (in this case, netflix.com) yourself instead of clicking on an embedded link. Don’t click on suspicious or unfamiliar links in emails.

This is a cautionary tale for businesses that gather personal information such as credit card numbers from user accounts. Netflix properly utilized email security measures, but most other companies do not yet use DMARC.

The business is responsible for protecting its users from impersonation attacks, and implementing DMARC is a great first step. The good news is that this doesn’t have to be a huge expense. Fraudmarc now offers free DMARC reports to help companies effectively use DMARC and other email authentication protocols, including SPF and DKIM, to protect their brand and their users from phishing attacks. Visit our homepage for a free email security checkup and get started securing your domain. Last month, we made DMARC reporting services free for businesses of all sizes.
