Cybercriminals have found a new sophisticated way to target Instagram users through an email phishing scam. According to Paul Ducklin, a cyber security researcher at Sophos, cybercriminals are using fake copyright infringement notices as bait for Instagram users.
Phishing is a technique scammers use to trick potential victims into revealing sensitive information through fraudulent messages and dubious login pages. The scammers extract sensitive information such as email, date of birth, location, and phone number through malicious links and gain full access to the victims’ accounts.
It should be noted that Instagram influencers and creators often have their email ID attached to their profiles, making them more susceptible to getting scam emails highlighting copyright infringement.
How does this scam work?
Hackers send fake copyright notices through email and ask the victim to “prove innocence” by providing a link to object to the “complaint.” The security firm highlights that Instagram users are receiving a message on their account that reads, “Hello, …We recently received a complaint about a post on your Instagram. Your post has been reported as infringing copyright. Your account will be removed if no objection is made to the copyrighted work. If you think this determination is incorrect, please fill out the objection form from the link below.”
At the bottom of the phishing email, there’s an ‘appeal’ button that leads users to a new page. The ‘appeal’ uses a shortened link, but whether you check the destination of the link in advance or click through anyway, “the resulting website doesn’t look as bogus as you might expect,” Ducklin notes.
The malicious website then asks you to enter your email address and your Instagram password, pretends that you made an error typing in your password, and tells you to try again. “It is presumably a simple way for the crooks to discard login attempts where a user clearly just bashed out any old garbage on the keyboard to see what happened next,” the researcher noted. Then there’s a message that tells you that your appeal was submitted successfully.
Ultimately, users are tricked into providing their password, which compromises their Instagram account completely. “While we hope that you’d spot an email scam of this sort right away, we have to admit that some of the copyright phishes we’ve received in recent weeks are much more believable – and better spelled, and more grammatical – than many of the examples we’ve written about before.”
How to stay safe?
In the blog post, Ducklin highlights some tips that can keep you safe from such phishing attacks.
1. Don’t click “helpful” links in emails: Learn in advance how to handle Instagram copyright complaints, so you know the procedure before you need to follow it. Do the same for the other social networks and content delivery sites you use. Don’t wait until after a complaint arrives to find out the right way to respond. If you already know the right URL to use, you never need to rely on any link in any email, whether that email is real or fake.
2. Think before you click: Although the website name in this scam is somewhat believable, it’s clearly not instagram.com or facebook.com, which is almost certainly what you would expect. We hope you wouldn’t click through in the first place (see point 1), but if you do visit the site by mistake, don’t be in a hurry to go further. A few seconds to stop and double-check the site details would be time well spent.
3. Use a password manager and 2FA whenever you can: Password managers help to prevent you putting the right password into the wrong site, because they can’t suggest a password for a site they’ve never seen before. And 2FA (those one-time codes you use together with a password) makes things harder for the crooks, because your password alone is no longer enough to give them access to your account.
4. Talk to a friend you know face-to-face who’s done it before: If you are active on social media or in the blogosphere, you might as well prepare in case you ever get a copyright infringement notice for real. (We’re assuming the accusation will be false, but the complaint itself will actually exist.) If you know someone who has already gone through the genuine process once, see if they’ll tell you how it went in real life. This will make it much easier to spot fake complaints in future.
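An added example (not from the article or from Sophos) of the hostname check behind the “Think before you click” and password manager tips above: a saved credential is offered only when the link’s real hostname is instagram.com or facebook.com, or a subdomain of one of them. The vault contents and the sample URLs are constructed, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Domains the article says you would expect for a genuine notice.
EXPECTED_DOMAINS = {"instagram.com", "facebook.com"}

# Constructed vault: a password manager keys each credential to the site
# it was saved for, so an unknown site has nothing to offer.
VAULT = {"instagram.com": ("user@example.com", "constructed-password")}


def hostname_of(url):
    """Return the host the browser would really connect to, or None."""
    parts = urlsplit(url)
    # Require HTTPS; .hostname drops any "user@" prefix and the port.
    if parts.scheme != "https" or not parts.hostname:
        return None
    return parts.hostname.rstrip(".").lower()


def expected_site(host):
    """Return the expected domain that host belongs to, or None."""
    for domain in EXPECTED_DOMAINS:
        # Exact match or a true subdomain. A bare suffix test would also
        # accept look-alikes such as "notinstagram.com".
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def autofill(url):
    """Return the saved credential for url, or None if the site is unknown."""
    host = hostname_of(url)
    site = expected_site(host) if host else None
    return VAULT.get(site) if site else None


if __name__ == "__main__":
    # Constructed sample links, as they might appear behind an "appeal" button.
    samples = [
        "https://www.instagram.com/accounts/login/",
        "https://instagram.com.appeal-form.example/login",
        "https://instagram.com@appeal-form.example/login",
        "https://short.example/a1b2c3",
    ]
    for url in samples:
        print("fill" if autofill(url) else "refuse", url)
```

Only the first sample link is filled; the other three resolve to hosts the vault has never seen, which is the point at which a password manager’s silence tells you to stop.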