This Creative Phishing Scam Uses Netflix Job Offers to Steal Facebook Credentials

Scammers are getting increasingly creative in targeting their phishing campaigns: A new attack spotted by Malwarebytes Labs appears to be aimed specifically at jobseekers in marketing and social media roles who may have access to Facebook business accounts belonging to their current employer.

The end goal, besides stealing credentials, could be to compromise said business accounts by running malicious ads on the company’s dime, demanding a ransom, or spreading additional scams based on customer trust in the brand.

Netflix impersonators are targeting prospective employees

This campaign begins with an email that appears to come from the recruitment team at Netflix. It starts with some flattery and goes on to describe an opening for a leadership role, such as the VP of marketing, that’s likely to make sense for the recipient. The screenshot from Malwarebytes Labs shows the sender’s email address as talents[at]netflixtalentnurture[dot]com, which, while not Netflix’s official domain, is somewhat plausible.

This scam probably isn’t much of a threat unless you respond to the initial email. You shouldn’t—but if you did, you’d get a second message with an invitation to schedule an interview with the “Netflix HR team.” Clicking through the scheduling link will pull up (fake) interview slots to choose from, and if you select one, you’ll be prompted to create or sign into your Netflix “Career Profile” account.

This is where the risk increases significantly. You can select either “Continue with Facebook” or “Continue with Email,” both of which will lead you to a spoofed Facebook login screen. If you enter your credentials, the attackers now have them and can log into your real Facebook account instantly. If you have two-factor authentication set up for Facebook, they can even request and enter your code depending on the method you use.

The Malwarebytes team found that if you enter your username and password incorrectly, you’ll receive an appropriate response of “The password you’ve entered is incorrect. Please try again!” This makes the login page itself an especially sophisticated element of this attack, as threat actors can intercept and utilize your information in real time.

Job scam red flags

This Netflix-to-Facebook job scam is relatively sophisticated in who it targets, how it uses trusted company names, and its multi-step approach to phishing your information, but there are some red flags.

Redirecting to Facebook to schedule an interview is a red flag, though it’s not the most obvious one. Many users are accustomed to using Facebook and Google to log into third-party sites. If you actually check the URL on the redirected login page, though, it isn’t a Facebook domain.

You should always scrutinize URLs for emails and links before you click by hovering over them—in this case, none of the websites live on official Facebook or Netflix domains. If you do open a webpage, look carefully at the address in the browser bar to identify fakes. Scammers use company branding to make the fraudulent site appear almost indistinguishable from a real one.

While you may have received legitimate messages from recruiters via email or on LinkedIn, you should still be wary of offers for positions you haven’t applied for or that sound too good to be true. Don’t click links without verifying the sender, and don’t enter login credentials or provide sensitive information along the way.

There are other job common scams that involve unsolicited offers for dream positions that are fully remote and highly paid. Scammers may also impersonate headhunters and ask you to pay a fee for their application and placement services. Never pay anyone for anything related to hiring or onboarding (unless you have sought out the services of a professional yourself) or agree to deposit checks or purchase gift cards, as this almost always ends with you losing money.