Should you send Netflix a selfie in which you hold your ID card to get your account reinstated? The answer is an emphatic no, but each one of us knows at least one person who would find the request unremarkable and proceed to do it.
The request is the last of several steps in the most recent Netflix-themed phishing campaign, which starts with an email purportedly coming from the streaming company and warning the recipient that their account is “on hold”.
More observant recipients will notice immediately that the email does not address them by name (as you would expect from a company that already has that information) and that, in the subject line, “Netflix” is spelled with an odd character (the Greek letter chi in place of the Latin “x”).
Those who are less observant will be taken to a compromised, HTTPS-equipped web page mimicking Netflix’s login page and asked to enter their email address and password, update their billing address and payment card details and, finally, send the aforementioned selfie to “confirm their identity”.
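The two tells described above, a brand name spelled with a non-Latin lookalike letter and a generic salutation instead of the recipient's name, are easy to check for mechanically. The following is an added example (not code from the article or from Netflix) that scores a couple of constructed sample messages on those two indicators; the confusables table is a small hand-picked subset, not a complete Unicode confusables mapping.

```python
import unicodedata

# Constructed sample messages, not taken from the campaign. The first subject
# spells "Netflix" with the Greek letter chi (U+03C7) where the Latin "x" belongs.
SAMPLE_EMAILS = [
    {"subject": "Your Netfli\u03c7 account is on hold",
     "body": "Dear Customer,\nWe could not validate your billing information."},
    {"subject": "Your Netflix bill",
     "body": "Hi Jane,\nYour invoice for this month is attached."},
]

# Assumption: a hand-picked subset of letters commonly used to imitate Latin ones.
CONFUSABLES = {
    "\u03c7": "x",  # Greek small letter chi
    "\u0441": "c",  # Cyrillic small letter es
    "\u0435": "e",  # Cyrillic small letter ie
    "\u0456": "i",  # Cyrillic small letter byelorussian-ukrainian i
    "\u043e": "o",  # Cyrillic small letter o
    "\u0430": "a",  # Cyrillic small letter a
}

GENERIC_SALUTATIONS = ("dear customer", "dear user", "dear member", "dear valued")


def non_latin_letters(text):
    """Return (char, Unicode name) for every alphabetic character outside ASCII."""
    return [(c, unicodedata.name(c, "UNKNOWN")) for c in text if c.isalpha() and ord(c) > 127]


def mentions_brand_with_homoglyph(text, brand="netflix"):
    """True when the brand appears only after folding lookalike letters to Latin,
    i.e. the text spells the brand with at least one homoglyph."""
    lowered = text.lower()
    folded = "".join(CONFUSABLES.get(c, c) for c in lowered)
    return brand in folded and brand not in lowered


def has_generic_salutation(body):
    """True when the first line of the body opens with an impersonal greeting."""
    lines = body.strip().splitlines()
    if not lines:
        return False
    first = lines[0].lower()
    return any(first.startswith(s) for s in GENERIC_SALUTATIONS)


def flag_email(email):
    """Return the list of phishing indicators found in one message."""
    findings = []
    if mentions_brand_with_homoglyph(email["subject"]):
        findings.append("homoglyph brand name in subject")
    if has_generic_salutation(email["body"]):
        findings.append("generic salutation")
    return findings


if __name__ == "__main__":
    for email in SAMPLE_EMAILS:
        print(repr(email["subject"]), "->", flag_email(email) or "no indicators")
        for char, name in non_latin_letters(email["subject"]):
            print("   non-Latin letter:", repr(char), name)
```

Neither indicator is proof on its own (legitimate mail can carry non-ASCII letters and some companies do use impersonal greetings), so a mail filter would treat both as weighted signals rather than a hard block.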
Once they have gone through all the steps, they are redirected to the legitimate Netflix login page, so nothing looks amiss.
Sophos’ Paul Ducklin advises users never to click on a login link or an account verification link in an email, but to keep their own record of where their favorite login pages are and to navigate to them directly.