If you create any sort of online content at all – even if you’re just a once-in-a-while blogger or an occasional social media user – you’re almost certainly be aware how easy is is for other people to rip off your material and present it as their own.
We’re not talking about links, shares, retweets, and so on, which are legitimate ways for people to re-promote your work.
We’re referring to outright scraping, copying or republishing of your original content by someone else, as though they created the material themselves…
…without ever bothering to ask for permission.
At the same time, you’ll also know how easy it is to get accused of copyright wrongdoing yourself, even if you’re always careful only to use third-party material in accordance with the original creator’s licensing guidelines.
Because of the frequent argy-bargy that surrounds online copyright issues, social networks have established formal procedures for making complaints and appealing against takedowns.
Instagram’s procedures, for example, are listed in some detail on its official help page, which explains both how to complain if you think you’ve been ripped off, and how to respond if you’ve been falsely accused.
Enter cybercrime
As you can imagine, cybercriminals have learned how to use copyright infringement notices as bait in phishing scams.
By pretending to be a social network such as Instagram, they try to scare you into thinking that there’s an official copyright complaint against you..
…whilst at the same time giving you a quick and easy way of replying to repudiate the complaint.
The criminals know that the complaint is totally bogus, and they know that you know it’s bogus.
But instead of leaving you to realise that it’s bogus because there was no complaint in the first place, they trick you into thinking that the complaint was real, but that the bogus part was the accusation made by the complainer.
To do this, they don’t accuse you themselves, and they don’t threaten to sue; instead, they offer you an easy way to “prove” your “innocence” by providing a link to object to the “complaint”.
While we hope that you’d spot an email scam of this sort right away, we have to admit that some of the copyright phishes we’ve received in recent weeks are much more believable – and better spelled, and more grammatical – than many of the examples we’ve written about before.
Like this one:
Hello, @nakedsecurity
We recently received a complaint about a post on your Instagram. Your post has been reported as infringing copyright.
Your account will be removed if no objection is made to the copyrighted work. If you think this determination is incorrect, please fill out the objection form from the link below.
The [Appeal] button in this example uses a shortened link (this one comes from from bit.ly), but whether you check the desintation of link in advance or click through anyway, the resulting website doesn’t look as bogus as you might expect.
To check a bit.ly link before visiting it, paste the link into your browser’s address bar and add a plus sign (+) at the end, which tells bit.ly to show you the expanded version without redirecting to it.
Here, the crooks have registered the fake-but-not-too-far-off domain name fb-notify DOT com, and the link you’re given takes you to a personalised scam page that explicitly references your account:
In the screenshot above, the account statistics are correct, or they were at the time we received the email, and the image shown does indeed come from our Instagram page. (Amusingly, and ironically, that means the email itself infringes copyright.)
In other pages linked to by these scammers, the image scraped by the crooks always seemed to the post-before-last on the victim’s Instagram page. That might have been a coincidence, or it could be a deliberate ploy by the crooks to pick an image recent enough that you’ll remember posting it, but not so recent that the copyright complaint might seem too sudden.
The sting
Anyone who gets this far is almost certainly starting to believe the scam, which would make the next page seem unexceptionable enough, especially given the HTTPS padlock and the sort-of-OK-looking fb-notify domain name:
There’s then a second fake password check, based on claiming you made a typing mistake, presumably as a simple way for the crooks to discard login attempts where the user clearly just typed in any old garbage to see what happened:
Then there’s a believable enough message to tell you that your appeal was submitted successfully:
Finally, the criminals sneakily redirect you to the genuine Instagram copyright help page we listed above, presumably to distract your attention and get you away from that telltale fb-notify page:
What to do?
- Don’t click “helpful” links in emails. Learn in advance how to handle Instagram copyright complaints, so you know the procedure before you need to follow it. Do the same for the other social networks and content delivery sites you use. Don’t wait until after a complaint arrives to find out the right way to respond. If you already know the right URL to use, you never need to rely on any link in any email, whether that email is real or fake.
-
Think before you click. Although the website name in this scam is somewhat believable, it’s clearly not
instagram.com, which is what you would expect. We hope you wouldn’t click through in the first place (see point 1), but if you do visit the site by mistake, don’t be in a hurry to go further. A few seconds to stop and think is time well spent. - Use a password manager and 2FA whenever you can. Password managers help stop you putting the right password into the wrong site, because they can’t suggest a password for a site they’ve never seen before. And 2FA (those one-time codes you use together with a password) make things harder for the crooks, because your password alone is no longer enough to give them access to your account.
- Talk to a friend you know face-to-face who’s done it before. If you are active on social media or in the blogosphere, you might as well prepare in case you ever get a copyright infringement notice for real. (We’re assuming the accuation will be false, but the complaint itself will actually exist.) If you know someone who who has already gone through the genuine process once, see if they’ll tell you how it went in real life. This will make it much easier to spot fake complaints in future.
- Watch our video below for additional advice. Early in 2021, we presented a short Facebook Live talk looking at the history and evolution of this type of scam. If you have any friends who rely on social media to generate income, and who might be worried about getting cut off from their accounts, show them the video to protect them from tricks like this one.
Watch directly on YouTube if the video won’t play here.
Click the on-screen Settings cog to speed up playback or show subtitles.
