
There's a new Netflix scam doing the rounds, this time targeting users of Google's Gmail email service.

It exploits a quirk of Gmail, which doesn't differentiate between Gmail addresses that have dots and those that don't. In other words, it treats johnsmith@gmail.com and john.smith@gmail.com as the same address.

The problem is, other sites – like Netflix – do differentiate between dotted addresses and those without. The scam sends an email telling you to update your payment details. This is what happened to a developer called James Fisher.

He clicked the link, and only realised something was wrong when he noticed the card registered to his account wasn't his. It turned out the email was sent to james.hfisher@gmail.com, when his legitimate email address is jameshfisher@gmail.com. Because Gmail doesn't differentiate, the email reached his inbox.

Because you don't need to verify the email address linked to your Netflix account when you sign up, there's a simple way for scammers to get your card details. All they need to do is find a Gmail address that's already registered with Netflix, create a Netflix account using that address but with some dots added in, sign up for a free trial and then cancel the credit card they used to register.

Netflix would then email the Gmail account user to request their payment details. Seeing their account was on hold, the account owner would probably update their card details, unwittingly providing them to the scammers.
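A signup-time check that a service could run to catch dotted variants of an address it already knows, shown as an added example (not code from the article, from Netflix or from Google). `AccountRegistry` and its methods are hypothetical names; ignoring a `+tag` suffix and treating googlemail.com as gmail.com goes beyond the dots case the article describes.

```python
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_mailbox(address):
    """Return the inbox an address is delivered to, as far as we can tell.

    For Gmail the dots in the local part are ignored (the quirk described
    above); a "+tag" suffix is dropped as well. Addresses at other providers
    are only lowercased, which is an assumption made for this example.
    """
    local, sep, domain = address.strip().lower().rpartition("@")
    if sep and domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    if not sep or not local or not domain:
        raise ValueError("not an email address: %r" % (address,))
    return local + "@" + domain


class AccountRegistry:
    """Hypothetical account store keyed by canonical mailbox."""

    def __init__(self):
        self._owners = {}  # canonical mailbox -> address as first registered

    def owner_of(self, address):
        """Return the registered address that already reaches this inbox, or None."""
        return self._owners.get(canonical_mailbox(address))

    def register(self, address):
        """Accept the signup only if no other spelling already owns the inbox."""
        if self.owner_of(address) is not None:
            return False  # hold the signup until the inbox owner confirms it
        self._owners[canonical_mailbox(address)] = address
        return True


if __name__ == "__main__":
    registry = AccountRegistry()
    # Constructed sample signups, using the article's illustrative addresses.
    for attempt in ["johnsmith@gmail.com", "john.smith@gmail.com",
                    "john.smith@example.org"]:
        accepted = registry.register(attempt)
        print(attempt, "accepted" if accepted else
              "rejected, same inbox as " + registry.owner_of(attempt))
```

The check only flags the collision; requiring the address to be verified before the account is created closes the same gap from the other side.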

The man who spotted the flaw says Google should flag up emails sent to variant email addresses with a warning. "The Gmail team should combat this kind of phishing," he wrote. "They should officially acknowledge that dots-don't-matter is a misfeature."

Google hasn't yet commented on the issue.

Netflix said it was working on countering the scam.

"We are aware of this Gmail-specific feature and are actively working on measures to protect against it being used in a malicious way toward Netflix and our members," a spokesperson told TrustedReviews. "Netflix members who want to learn more about how to keep their personal information safe against scams and other malicious activity can go to netflix.com/security and should contact Customer Service immediately if they notice anything that is out of the ordinary with their account."

Source: James H Fisher, via The Register and TrustedReviews
