If you create any sort of online content at all – even if you’re just a once-in-a-while blogger or an occasional social media user – you almost certainly know how easy it is for other people to rip off your material and present it as their own.
We’re not talking about links, shares, retweets, and so on, which are legitimate ways for people to re-promote your work.
We’re referring to outright scraping, copying or republishing of your original content by someone else, as though they created the material themselves…
…without ever bothering to ask for permission.
At the same time, you’ll also know how easy it is to end up accused of copyright wrongdoing yourself, even if you’re always careful only to use third-party material in accordance with the original creator’s licensing guidelines.
So, given the frequent argy-bargy that surrounds online copyright issues, many social networks have established formal procedures for making complaints and appealing against takedowns.
Instagram’s procedures, for example, are listed in some detail on its official help page, which explains both how to complain if you think you’ve been ripped off, and how to respond if you’ve been falsely accused.
Enter cybercrime
As you can imagine, cybercriminals have learned how to use copyright infringement notices as bait in phishing scams.
By pretending to be a social network such as Instagram, they try to scare you into thinking that there’s an official copyright complaint against you…
…whilst at the same time giving you a quick and easy way of replying with a counter-claim of your own.
The criminals know that the complaint is totally bogus, and they know that you know it’s bogus.
But instead of leaving you to figure out that it’s bogus because there was no complaint in the first place, they trick you into thinking that the complaint was real, but that the bogus part was the accusation made by the complainer.
To do this, they don’t accuse you themselves, and they don’t threaten to sue; instead, they offer you an easy way to “prove” your “innocence” by providing a link to object to the “complaint”.
While we hope that you’d spot an email scam of this sort right away, we have to admit that some of the copyright phishes we’ve received in recent weeks are much more believable – and better spelled, and more grammatical – than many of the examples we’ve written about before.
Like this one:
Hello, @nakedsecurity
We recently received a complaint about a post on your Instagram. Your post has been reported as infringing copyright.
Your account will be removed if no objection is made to the copyrighted work. If you think this determination is incorrect, please fill out the objection form from the link below.
The [Appeal] button in this example uses a shortened link (this one comes from bit.ly), but whether you check the destination of the link in advance or click through anyway, the resulting website doesn’t look as bogus as you might expect.
To check a bit.ly link before visiting it, paste the link into your browser’s address bar and add a plus sign (+) at the end, which tells bit.ly to show you the original link without redirecting to it.
Here, the crooks have registered the fake-but-not-too-far-off domain name fb-notify DOT com, and the link you’re given takes you to a personalised scam page that explicitly references your account:
In the screenshot above, the account statistics are correct, or they were at the time we received the email, and the image shown does indeed come from our Instagram page. (Amusingly, and ironically, that means the email itself infringes copyright.)
In other pages linked to by these scammers, the image ripped off by the crooks always seemed to be scraped from the second-to-last post on the victim’s Instagram page. That might have been a coincidence, or it could be a deliberate ploy by the crooks to pick an image recent enough that you’ll remember posting it, but not so recent that the copyright complaint might seem unrealistically quick.
The sting
Anyone who gets this far is almost certainly starting to believe the scam, which would make the next page seem unexceptionable enough, especially given the HTTPS padlock and the sort-of-OK-looking fb-notify domain name:
The website then pretends you made an error typing in your password and tells you to try again, presumably as a simple way for the crooks to discard login attempts where a user clearly just bashed out any old garbage on the keyboard to see what happened next:
Then there’s a believable enough message to tell you that your appeal was submitted successfully:
Finally, the criminals sneakily redirect you to the real Instagram copyright page that we listed above, presumably to add an air of legitimacy that leaves you on a genuine website:
What to do?
- Don’t click “helpful” links in emails. Learn in advance how to handle Instagram copyright complaints, so you know the procedure before you need to follow it. Do the same for the other social networks and content delivery sites you use. Don’t wait until after a complaint arrives to find out the right way to respond. If you already know the right URL to use, you never need to rely on any link in any email, whether that email is real or fake.
- Think before you click. Although the website name in this scam is somewhat believable, it’s clearly not instagram.com or facebook.com, which is almost certainly what you would expect. We hope you wouldn’t click through in the first place (see point 1), but if you do visit the site by mistake, don’t be in a hurry to go further. A few seconds to stop and double-check the site details would be time well spent.
- Use a password manager and 2FA whenever you can. Password managers help to prevent you putting the right password into the wrong site, because they can’t suggest a password for a site they’ve never seen before. And 2FA (those one-time codes you use together with a password) makes things harder for the crooks, because your password alone is no longer enough to give them access to your account.
- Talk to a friend you know face-to-face who’s done it before. If you are active on social media or in the blogosphere, you might as well prepare in case you ever get a copyright infringement notice for real. (We’re assuming the accusation will be false, but the complaint itself will actually exist.) If you know someone who has already gone through the genuine process once, see if they’ll tell you how it went in real life. This will make it much easier to spot fake complaints in future.
- Watch our video below for additional advice. Early in 2021, we presented a Facebook Live talk looking at the history and evolution of this type of scam. If you have any friends who rely on social media to generate income, and who might be worried about getting cut off from their accounts, show them the video to protect them from tricks like this one.
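The “think before you click” advice above boils down to two checks a reader can make before visiting any link in a “copyright complaint” email: does the host really belong to instagram.com or facebook.com (rather than merely containing the brand name, like fb-notify.com), and if it’s a bit.ly link, what is the “+” preview form? The following is an added example, not code from the article or from Sophos; the genuine-domain list, the brand-token heuristic and the sample links are assumptions constructed for illustration.

```python
from typing import Optional
from urllib.parse import urlsplit

# Assumption: only these registrable domains count as the genuine copyright process.
GENUINE_DOMAINS = ("instagram.com", "facebook.com")
# Shorteners for which the article's "append a +" preview trick applies.
PREVIEWABLE_SHORTENERS = ("bit.ly",)
# Assumption: brand words that make an unrelated host look "sort-of-OK".
BRAND_TOKENS = {"instagram", "insta", "facebook", "fb"}


def hostname_of(url: str) -> Optional[str]:
    """Lowercase hostname of an http(s) URL, or None if there is no usable host.
    urlsplit() already discards any user@ prefix, so a host hidden after '@'
    is not mistaken for the part before it."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower().rstrip(".")


def _in_domain(host: str, domain: str) -> bool:
    """True if host is domain itself or a subdomain of it (never a mere substring)."""
    return host == domain or host.endswith("." + domain)


def classify_link(url: str) -> str:
    """Classify an emailed link as 'genuine', 'shortener', 'lookalike' or 'unknown'."""
    host = hostname_of(url)
    if host is None:
        return "unknown"
    if any(_in_domain(host, d) for d in GENUINE_DOMAINS):
        return "genuine"
    if any(_in_domain(host, s) for s in PREVIEWABLE_SHORTENERS):
        return "shortener"
    # Split on dots and hyphens so "fb-notify.com" yields the token "fb".
    tokens = set(host.replace("-", ".").split("."))
    if tokens & BRAND_TOKENS:
        return "lookalike"
    return "unknown"


def preview_url(url: str) -> Optional[str]:
    """For a bit.ly link, return the '+' preview URL the article describes; else None."""
    if classify_link(url) != "shortener":
        return None
    return url.strip().rstrip("/") + "+"
```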
Anonymous
So where would you go outside of the email link to check to see if it’s a real claim? Real companies sometimes use different URLs for special processes, and FB/Instagram customer service is not known for being especially responsive.
Paul Ducklin
The link for the official copyright complaint process info page is listed in the article. It explains both how Instagram will contact you and what you can do in reply.
Nathanael Tan
So glad you didn’t mention one thing I noticed, and I’m sure we’re all better off not mentioning anything, since articles like these are a double-edged sword which helps both victims as well as perpetrators, but keep up the good work.
Instagram itself is still crap though; I’ve received legitimate copyright warnings before and those are laughable.
Big Al
Thanks for the tip on checking bit.ly Links!
Robert Richards
What are they getting other than your Instagram credentials? I don’t see the purpose to this elaborate ruse.
Paul Ducklin
Social media credentials are worth more than you might think. First, the crooks get control of an account without having to set a new one up (which takes a lot longer than it used to, especially compared to sending out zillions of similar emails and waiting to see what happens). Second, it gives them direct and believable access to promote dodgy investments and so on to your friends and family.
You might want to watch the video, where this and other issues get discussed.
David Heath
My wife is an expert photo restorer / retoucher. You’d be amazed how often we find her “before / after” pics on other commercial sites where they claim the images to be examples of their work! The most hideous example was by a school teacher at a well-known Sydney private school who recorded a video roughly repeating the steps to achieve the outcome, but making some VERY disparaging comments about the subject in the image… for some other images that he took from her site, he merely claimed them as examples of his work. We wrote a VERY stern letter directly to the headmaster! This fool was some kind of Apple-authorised Educator (I don’t recall the exact terminology) and we contemplated having his certification revoked, but eventually didn’t.
Google image-search is your friend.