An announcement from the Defense Information Systems Agency (DISA) is warning Department of Defense users about a new Netflix phishing scam affecting approximately 110 million individuals and growing. Phishing scams involving Netflix are nothing new – the popular streaming platform has prompted a number of spoofed emails targeting the site’s large user base and trying to coax users into providing personal and financial information.
DISA’s January message warns the messages continue to be prevalent, and are very dangerous for DoD account users and security clearance holders:
A phishing scam targeting millions of Netflix users is spreading across the internet this week, directing customers to update the financial details of their accounts. The subject line is “Your suspension notification,” and the body of the email informs victims that their accounts have been suspended due to a billing issue. The email directs recipients to click a link that redirects to a fake Netflix landing page. The fake landing page directs victims to input their user information and billing details in an effort to harvest credentials.
You may think the average DoD user is far too smart and far too well trained to fall victim to something as simple as a phishing email. Talk to security officers in any government agency or defense contractor, and they’ll tell you spear phishing emails still work, and are still a risk for employees. Some individuals falsely assume a phishing email will look as fake as it is. These emails are designed to be sophisticated, and to look identical to legitimate emails from the same source.
How Can You Arm Yourself Against a Spear Phishing Attack?
The DISA memo makes one strong recommendation for protecting your organization against a cyber attack – don’t sign up for commercial services with your government email address, and don’t use a work email address to access social networking sites or streaming services. It may seem like an odd request, until you remember there were .gov and .mil addresses in the hacked Ashley Madison database.
If a message is unsolicited or unprompted, don’t click on the email – go directly to your account or profile to see if there’s a problem. Don’t click on ANY links in an email that’s at all out of the ordinary (and sometimes, don’t click on links in emails that seem ordinary).
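The lure DISA describes (an urgency subject line plus a link whose destination is not the brand it claims to be) is something a mail gateway or a user-reported-phish triage script can check mechanically, which is the automated counterpart of the advice to go directly to your account instead of clicking. The following is an added example, not code from DISA or from this article; the brand allow-list, the urgency phrases, and the sample message are all constructed for illustration.

```python
"""Flag brand-impersonation lures in a suspected phishing email (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list of domains that legitimately serve links for each brand.
# A real deployment would populate this from the brand's published domains.
LEGITIMATE_HOSTS = {
    "netflix": ("netflix.com",),
}

# Phrases matching the urgency lure described in the DISA notice (constructed list).
URGENCY_TERMS = ("suspension", "suspended", "billing issue", "update your payment")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join("".join(self._text).split())
            self.links.append((self._href, visible))
            self._href = None


def host_allowed(host, allowed):
    """True if host is one of the allowed domains or a subdomain of one.

    Suffix matching is anchored on a leading dot, so a lookalike such as
    'netflix.com.example.net' does not pass.
    """
    host = (host or "").lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed)


def analyze(subject, html_body, brand):
    """Return a list of findings for a message presenting itself as `brand`."""
    findings = []
    if any(term in subject.lower() for term in URGENCY_TERMS):
        findings.append(f"urgency lure in subject: {subject!r}")

    parser = LinkExtractor()
    parser.feed(html_body)
    allowed = LEGITIMATE_HOSTS[brand]
    for href, text in parser.links:
        parsed = urlparse(href)
        if parsed.scheme not in ("http", "https"):
            continue  # mailto:, tel: and relative links are out of scope here
        host = parsed.hostname
        if not host_allowed(host, allowed):
            findings.append(f"link host {host!r} is not a {brand} domain")
            # The visible text names the real brand domain while the href goes elsewhere.
            if any(a in text.lower() for a in allowed):
                findings.append(f"display text {text!r} hides a link to {host!r}")
    return findings


# Constructed sample modelled on the lure in the DISA notice; not a real message.
SAMPLE_SUBJECT = "Your suspension notification"
SAMPLE_BODY = (
    "<p>Your account has been suspended due to a billing issue.</p>"
    '<p><a href="http://netflix-billing-update.example.net/login">'
    "Update your payment details at netflix.com</a></p>"
)

if __name__ == "__main__":
    for finding in analyze(SAMPLE_SUBJECT, SAMPLE_BODY, "netflix"):
        print("FINDING:", finding)
```

Each finding on its own is a weak signal (legitimate billing reminders use urgent wording too), so the value is in combining them: an urgency subject together with a link whose host is outside the brand's domains, shown under text that names the real domain, is the pattern the notice describes and is worth quarantining for review rather than delivering.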