There's a new Netflix scam doing the rounds, this time targeting users of Google's Gmail email service.
It exploits a quirk of Gmail: dots in the local part of an address (the part before the @) are ignored, so an address with dots inserted and the same address without them deliver to the same inbox.
The problem is that other sites, including Netflix, treat dotted and undotted addresses as separate accounts. The scam email tells you to update your payment details. This is what happened to a developer called James Fisher.
He clicked the link, and only realised something was wrong when he noticed the card registered to the account wasn't his. It turned out the email had been sent to a dotted variant of his Gmail address, not the address he had registered with Netflix. Because Gmail ignores the dots, the email still landed in his inbox.
Because Netflix doesn't require you to verify the email address linked to your account when you sign up, there's a simple way for scammers to get your card details. All they need to do is take a Gmail address that's already registered with Netflix, create a second Netflix account using that address with some dots added, sign up for a free trial, and then cancel the card they used to register.
Netflix then emails the owner of the Gmail inbox to request new payment details. Seeing that "their" account is on hold, the account owner would probably update the card details, unwittingly handing them to the scammers.
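The defence on the service side is to compare addresses in the form the mail provider actually delivers to, not the form the user typed. The following is an added example, not code from TrustedReviews, Netflix or James Fisher: a canonicaliser that applies Gmail's known rules (dots ignored, case ignored, "+tag" suffixes dropped, googlemail.com an alias of gmail.com) only to Gmail domains, leaves other domains alone (where dots are significant), and a sign-up check that refuses a dotted look-alike of an address already on file. The domain list and the registered addresses are constructed sample data.

```python
from typing import List, Optional

# Domains known to apply Gmail's dots-don't-matter delivery rules.
# Assumption for this example: only these two; a real service would
# maintain this list deliberately rather than guess per domain.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

# Constructed sample of addresses a service already has on file.
REGISTERED: List[str] = [
    "janedoe@gmail.com",
    "jane.doe@example.net",
]


def canonical_email(address: str) -> str:
    """Return the form of `address` under which mail is actually delivered.

    Gmail: lowercase the local part, drop every dot, drop any '+tag'
    suffix, and map googlemail.com to gmail.com.
    Other domains: lowercase only the domain. The local part is left
    untouched because dots and case are significant there in general.
    """
    address = address.strip()
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    domain = domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.lower().split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def find_collision(new_address: str, registered: List[str]) -> Optional[str]:
    """Return a registered address that delivers to the same inbox as
    `new_address`, or None.

    This is the check to run at sign-up: if it returns an address, the
    new registration is a look-alike of an existing customer's inbox and
    should be refused (or routed to that existing account) rather than
    created as a second account.
    """
    target = canonical_email(new_address)
    for existing in registered:
        if canonical_email(existing) == target:
            return existing
    return None


if __name__ == "__main__":
    for attempt in ("ja.ne.doe@gmail.com", "JaneDoe+netflix@googlemail.com",
                    "janedoe@example.net"):
        clash = find_collision(attempt, REGISTERED)
        status = f"collides with {clash}" if clash else "no collision"
        print(f"{attempt:32} -> {canonical_email(attempt):24} {status}")
```

The non-Gmail case is deliberately conservative: `janedoe@example.net` is not treated as a clash with `jane.doe@example.net`, because for most providers those really are different mailboxes and merging them would create the opposite problem.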
Fisher, who spotted the flaw, says Google should flag emails sent to variant addresses with a warning. "The Gmail team should combat this kind of phishing," he wrote. "They should officially acknowledge that dots-don't-matter is a misfeature."
Google hasn't yet commented on the issue.
Netflix said it was working on countering the scam.
"We are aware of this Gmail-specific feature and are actively working on measures to protect against it being used in a malicious way toward Netflix and our members," a spokesperson told TrustedReviews. "Netflix members who want to learn more about how to keep their personal information safe against scams and other malicious activity can go to netflix.com/security and should contact Customer Service immediately if they notice anything that is out of the ordinary with their account."