Hackers Clone 74 Netflix Sites to Steal Banking Data

Written by Adriana Aguilar | May 15, 2025 10:47:01 PM

Distinguishing what's real from what's fake on the internet has become a true challenge. A site that looks legitimate—with the correct logo and well-written messages—can actually be a trap designed to steal your personal information. The cybercriminals behind this new scam have perfected their methods: they precisely replicate Netflix’s visual design, using identical fonts, official colors, and messages that mimic the platform’s communication tone. Even the forms and buttons have the same appearance. This is no coincidence—hackers apply UX/UI (user experience and interface design) principles to make the fake pages intuitive, familiar, and trustworthy at first glance.

This week, a massive phishing campaign was launched using these near-perfect copies of Netflix to deceive users in Mexico. At least 74 fake domains have recently been created, all imitating the streaming platform’s design, language, and style. Victims are lured to them through SMS messages, and the sites then collect login credentials and banking information.

These fraudulent sites are hosted on two distinct infrastructures, each with a specific IP address, and many remain active as of today, May 15, 2025. With over 13.87 million Netflix users in the country, the risk of falling for this scam is higher than you might think.

Two Networks, One Scam Targeting Netflix Users

We’re not talking about just a couple of random fake websites—this is a well-organized and coordinated operation. Dozens of websites eerily mimic Netflix, and it all starts with something as simple as a text message.

One of the analyzed IP addresses hosts at least two domains that have been directly used in these fraudulent SMS messages: “nfiix-resub.com” and “resub-nfiix.com.” Meanwhile, another distinct IP hosts more than 70 fake sites with names like “netflix-payement.com,” “netflixfacturacion.com,” and “netflix-rec.com.” Many of these have been active since April and May 2025, making it clear that this is a recent operation—and far from over.

The servers hosting these sites are set up through services like Hostinger and NameSilo. These providers are popular among scammers because they allow domain registration with minimal verification and at low cost. This enables them to rotate links constantly—if one goes down or gets blocked, they already have others ready to continue the scam without interruption.

From Cozumel Straight to Your Phone: How the Scam Reaches You

One of the most revealing findings is that one of the IP addresses used in this network of fake sites is linked to phone numbers starting with the 987 area code, which corresponds to the Cozumel region in Quintana Roo. Since late 2024, fraud attempts originating from this same number series have been detected in campaigns impersonating banks like Citibanamex or platforms like Uber Eats.

Now, the messages are targeting Netflix users, suggesting that this network of scammers has evolved over time—changing the impersonated brand but keeping the same goal: to steal your personal and banking information.

The new wave of SMS messages began circulating in early May 2025. The messages, sent from Mexican phone numbers, warn about a supposed “problem with your Netflix profile” and urge you to update your information immediately via a link. The text usually reads something like:
“Netflix: Payment issue with your profile. Verify and update your information before [date] here: [domain].”

It’s designed to make you act without thinking, using the typical sense of urgency scammers rely on. And if you click the link, you land on a page that looks exactly like Netflix... but is only there to steal your information.

How the Scam Works: From the Message to Draining Your Bank Account

It all starts with a text message that feels urgent. If you click the link, you land on a page that—at first glance—looks just like the real Netflix site. It has the correct logo, colors, fonts… even a fake CAPTCHA to make you believe it’s secure.

First, you're asked to log in with your email and password. So far, everything seems normal. But right after, a message pops up saying you need to update your payment information, and a form appears asking for your credit card details.

This form is crafted with meticulous detail—not only does it perfectly mimic Netflix’s design, but it also checks whether the information you're entering is valid. And if you submit it, the next thing you see is a supposed “validation screen” asking you to wait a few seconds.

But the truth is, at that moment, your data has already been stolen. There’s no confirmation, no access to your account—nothing. Your information has been sent directly to the scammers, and if you don’t act quickly, the next step could be your bank account being drained.

A Scam That Keeps Growing

This scam is neither isolated nor new. In less than three months, dozens of fake websites have been created, with April and May 2025 seeing the highest activity. Almost all the domains follow a similar pattern: they use words like “account,” “renew,” “netflix,” “perfil,” or “pago.” Sometimes they even include deliberate misspellings (such as “nétflx” or “payement”) to avoid detection by browser filters or antivirus software.
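The naming pattern described above can be turned into a simple filter for mail, SMS, or DNS logs. The following is an added example, not code from the article or from Netflix: it flags domains that embed the brand or a near-miss spelling of it outside netflix.com, then lists the lure words present. The confusable-character map, the distance threshold of 2, and the function names are assumptions chosen for illustration.

```python
import re
import unicodedata

BRAND = "netflix"
LEGIT = "netflix.com"  # assumption: the only first-party domain allow-listed here
# Lure words the article lists, plus ones visible in its example domains.
KEYWORDS = ("account", "renew", "perfil", "pago", "payement", "facturacion", "resub")
CONFUSABLE = str.maketrans({"i": "l", "1": "l", "0": "o"})  # look-alike glyphs

def strip_marks(s):
    """Drop diacritics, so 'nétflx' becomes 'netflx'."""
    s = unicodedata.normalize("NFKD", s)
    return "".join(c for c in s if not unicodedata.combining(c))

def skeleton(s):
    """Collapse visually confusable characters onto one representative."""
    return strip_marks(s).translate(CONFUSABLE)

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def brand_signals(domain):
    """Return reasons a domain looks like a Netflix impersonation ([] if none)."""
    raw = domain.lower().rstrip(".")
    if raw == LEGIT or raw.endswith("." + LEGIT):
        return []                       # exact first-party match only, before any folding
    name, target, signals = strip_marks(raw), skeleton(BRAND), []
    for token in re.split(r"[.\-_]", name):
        skel = skeleton(token)
        if target in skel:
            signals.append(f"brand embedded in '{token}'")
        elif len(skel) >= 5 and edit_distance(skel, target) <= 2:
            signals.append(f"near-miss spelling '{token}'")
    if signals:                         # lure words only matter next to a brand signal
        signals += [f"lure word '{k}'" for k in KEYWORDS if k in name]
    return signals

# The first three domains are quoted in the article; the rest are constructed samples.
for d in ("nfiix-resub.com", "netflix-payement.com", "netflixfacturacion.com",
          "nétflx-pago.com", "www.netflix.com", "example.org"):
    print(f"{d:26} {brand_signals(d) or 'no brand signal'}")
```

The allow-list comparison runs on the raw name before diacritics are folded, so an accented look-alike of netflix.com is still flagged. Internationalized names that arrive in punycode form need decoding before this check.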

Although Netflix has made it clear that it will never ask for your banking information via text message or email, the reality is that many people still fall for it. Why? Because the websites are extremely well-crafted, and the messages come from local phone numbers, which builds trust.

This combination of well-executed social engineering, extensive digital infrastructure, and mass messaging from Mexican phone numbers makes this type of fraud not only effective but increasingly common. And the worst part: it’s constantly evolving.

The sites are hosted on two different IP addresses, and several of them remain active and operational as of May 2025.