Cybercriminals have found a sophisticated new way to target Instagram users through an email phishing scam. They are using fake copyright infringement notices as bait, according to Paul Ducklin, cybersecurity researcher at Sophos.
Phishing is a technique scammers use to trick potential victims into revealing sensitive information through scam messages and dubious login pages. Crooks extract sensitive information such as email, date of birth, location and phone number through malicious links and get full access to the victim’s account.
It should be noted that Instagram influencers and creators often have their email ID attached to their profiles, which makes them more susceptible to receiving scam emails highlighting copyright infringement.
How does this scam work?
The hackers send fake copyright notices via email and ask the victim to ‘prove their innocence’ by following a link to oppose the ‘complaint’. The security company points out that Instagram users receive a message on their account that reads: “Hello, … We recently received a complaint about a post on your Instagram. Your post has been flagged as infringing. Your account will be deleted if no objection is made to the copyrighted work. If you believe this decision is incorrect, please complete the objection form from the link below.”
Instagram phishing scam targeting Instagram creators and influencers. (Screenshot: Sophos)
At the bottom of the phishing email, there is an “Appeal” button that directs users to a new page. The button uses a shortened link, but whether you check the link destination beforehand or click anyway, “the resulting website doesn’t look as fake as you might think”, notes Ducklin.
The malicious website then asks you to enter your Instagram email address and password, claims that you made a mistake while typing your password, and asks you to try again. “This is presumably an easy way for scammers to reject login attempts when a user has clearly just smashed any old junk on the keyboard to see what happened next,” noted the researcher. Then, a message informs you that your appeal has been submitted successfully.
In the end, users are tricked into providing their password, which completely compromises their Instagram account. “While we hope you spot an email scam like this immediately, we have to admit that some of the copyright phishing we’ve received in recent weeks are much more believable – and better spelled and more grammatical – than many of the examples we talked about before.”
How to stay safe?
In the blog post, Ducklin highlights some tips that can protect you from such phishing attacks.
#Don’t click on “helpful” links in emails: Learn how to handle Instagram copyright complaints ahead of time, so you know the procedure before you have to go through it. Do the same for other social networks and content delivery sites you use. Don’t wait for a complaint to arrive to find the right way to respond to it. If you already know the correct URL to use, you never need to rely on a link in an email, whether that email is real or fake.
#Think before you click: While the name of the website in this scam is somewhat believable, it’s clearly not instagram.com or facebook.com, which is almost certainly what you’d expect. We hope you didn’t click in the first place (see point 1), but if you visit the site by mistake, don’t be in a hurry to proceed further. A few seconds to stop and recheck site details would be time well spent.
#Use a password manager and 2FA whenever you can: Password managers prevent you from entering the correct password on the wrong site because they cannot suggest a password for a site they have never seen before. And 2FA (those one-time codes you use with a password) makes it harder for scammers because your password alone is no longer enough to give them access to your account.
#Talk to a friend you know face to face who has done this before: If you’re active on social media or in the blogosphere, you might as well be prepared in case you receive a copyright infringement notice for real. (We’re assuming the accusation will be false, but the complaint itself will actually exist.) If you know someone who’s gone through the genuine process once, see if they’ll tell you how it went in real life. This will make it much easier to spot false complaints in the future.
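The hostname comparison behind the “think before you click” and password manager tips above, as an added Python example that is not from Sophos or the original article. The EXPECTED list and every sample URL are constructed for illustration, and a shortened link has to be expanded to its final destination before it is checked.

```python
from urllib.parse import urlsplit

# Assumption: the domains the article says you would expect for a real notice.
EXPECTED = ("instagram.com", "facebook.com")

def check_link(url, expected=EXPECTED):
    """Return (ok, reason), judging a link only by its real hostname."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False, "URL cannot be parsed"
    if parts.scheme != "https":
        return False, "not https"
    # .hostname drops any "user@" prefix and port, and lower-cases the name.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, "no hostname"
    try:
        # Internationalised names become xn-- labels, so look-alike letters
        # cannot pass as the expected ASCII name.
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return False, "hostname is not a valid domain name"
    for domain in expected:
        # Exact match or a true subdomain. A bare endswith(domain) would
        # also accept names that merely end in the same letters.
        if host == domain or host.endswith("." + domain):
            return True, "host belongs to " + domain
    return False, "host is " + host + ", not an expected domain"

# Constructed sample links (reserved .example names, not real sites).
SAMPLES = [
    "https://www.instagram.com/accounts/login/",
    "https://INSTAGRAM.com./",
    "https://instagram.com@appeals.example/form",   # real host is after the @
    "https://instagram.com.appeals.example/login",  # expected name as a prefix
    "https://instagram-appeal.example/",            # believable but unrelated
    "https://instagr\u0430\u043c.com/",             # Cyrillic look-alike letters
    "http://instagram.com/",                        # right name, no TLS
]

if __name__ == "__main__":
    for link in SAMPLES:
        ok, reason = check_link(link)
        print("OK  " if ok else "STOP", ascii(link), "-", reason)
```

This is the same comparison a password manager makes before offering saved credentials: the stored site must match the page's actual host, not the text that appears in the link.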