If you create any sort of online content at all – even if you’re just a once-in-a-while blogger or an occasional social media user – you almost certainly know how easy it is for other people to rip off your material and present it as their own.
We’re not talking about links, shares, retweets, and so on, which are legitimate ways for people to re-promote your work.
We’re referring to outright scraping, copying or republishing of your original content by someone else, as though they created the material themselves…
…without ever bothering to ask for permission.
At the same time, you’ll also know how easy it is to end up accused of copyright wrongdoing yourself, even if you’re always careful only to use third-party material in accordance with the original creator’s licensing guidelines.
So, given the frequent argy-bargy that surrounds online copyright issues, many social networks have established formal procedures for making complaints and appealing against takedowns.
Instagram’s procedures, for example, are listed in some detail on its official help page, which explains both how to complain if you think you’ve been ripped off, and how to respond if you’ve been falsely accused.
Enter cybercrime
As you can imagine, cybercriminals have learned how to use copyright infringement notices as bait in phishing scams.
By pretending to be a social network such as Instagram, they try to scare you into thinking that there’s an official copyright complaint against you..
…whilst at the same time giving you a quick and easy way of replying with a counter-claim of your own.
The criminals know that the complaint is totally bogus, and they know that you know it’s bogus.
But instead of leaving you to figure out that it’s bogus because there was no complaint in the first place, they trick you into thinking that the complaint was real, but that the bogus part was the accusation made by the complainer.
To do this, they don’t accuse you themselves, and they don’t threaten to sue; instead, they offer you an easy way to “prove” your “innocence” by providing a link to object to the “complaint”.
While we hope that you’d spot an email scam of this sort right away, we have to admit that some of the copyright phishes we’ve received in recent weeks are much more believable – and better spelled, and more grammatical – than many of the examples we’ve written about before.
Like this one:
Hello, @nakedsecurity
We recently received a complaint about a post on your Instagram. Your post has been reported as infringing copyright.
Your account will be removed if no objection is made to the copyrighted work. If you think this determination is incorrect, please fill out the objection form from the link below.
The [Appeal] button in this example uses a shortened link (this one comes from from bit.ly), but whether you check the destination of link in advance or click through anyway, the resulting website doesn’t look as bogus as you might expect.
To check a bit.ly link before visiting it, paste the link into your browser’s address bar and add a plus sign (+) at the end, which tells bit.ly to show you the original link without redirecting to it.
Here, the crooks have registered the fake-but-not-too-far-off domain name fb-notify DOT com, and the link you’re given takes you to a personalised scam page that explicitly references your account:
In the screenshot above, the account statistics are correct, or they were at the time we received the email, and the image shown does indeed come from our Instagram page. (Amusingly, and ironically, that means the email itself infringes copyright.)
In other pages linked to by these scammers, the image ripped off by the crooks always seemed to be scraped from the second-to-last post on the victim’s Instagram page. That might have been a coincidence, or it could be a deliberate ploy by the crooks to pick an image recent enough that you’ll remember posting it, but not so recent that the copyright complaint might seem unrealistically quick.
The sting
Anyone who gets this far is almost certainly starting to believe the scam, which would make the next page seem unexceptionable enough, especially given the HTTPS padlock and the sort-of-OK-looking fb-notify domain name:
The website then pretends you made an error typing in your password and tells you to try again, presumably as a simple way for the crooks to discard login attempts where a user clearly just bashed out any old garbage on the keyboard to see what happened next:
Then there’s a believable enough message to tell you that your appeal was submitted successfully:
Finally, the criminals sneakily redirect you to the real Instagram copyright page that we listed above, presumably to add an air of legitimacy that leaves you on a genuine website:
What to do?
- Don’t click “helpful” links in emails. Learn in advance how to handle Instagram copyright complaints, so you know the procedure before you need to follow it. Do the same for the other social networks and content delivery sites you use. Don’t wait until after a complaint arrives to find out the right way to respond. If you already know the right URL to use, you never need to rely on any link in any email, whether that email is real or fake.
- Think before you click. Although the website name in this scam is somewhat believable, it’s clearly not
instagram.comorfacebook.com, which is almost certainly what you would expect. We hope you wouldn’t click through in the first place (see point 1), but if you do visit the site by mistake, don’t be in a hurry to go further. A few seconds to stop and double-check the site details would be time well spent. - Use a password manager and 2FA whenever you can. Password managers help to prevent you putting the right password into the wrong site, because they can’t suggest a password for a site they’ve never seen before. And 2FA (those one-time codes you use together with a password) make things harder for the crooks, because your password alone is no longer enough to give them access to your account.
- Talk to a friend you know face-to-face who’s done it before. If you are active on social media or in the blogosphere, you might as well prepare in case you ever get a copyright infringement notice for real. (We’re assuming the accuation will be false, but the complaint itself will actually exist.) If you know someone who who has already gone through the genuine process once, see if they’ll tell you how it went in real life. This will make it much easier to spot fake complaints in future.
- Watch our video below for additional advice. Early in 2021, we presented a Facebook Live talk looking at the history and evolution of this type of scam. If you have any friends who rely on social media to generate income, and who might be worried about getting cut off from their accounts, show them the video to protect them from tricks like this one.
Watch directly on YouTube if the video won’t play here.
Click the on-screen Settings cog to speed up playback or show subtitles.