Scammers are sending phony accusations of copyright infringement to Instagram users in a new phishing attack, Paul Ducklin writes at Naked Security. The scammers are taking advantage of the fact that many Instagram accounts with large followings worry about being banned for posting copyrighted content.
The attackers are sending emails with a link to appeal the bogus accusation. If a user clicks the link, they are taken to a spoofed Facebook page that displays an image of a real post from the user's Instagram account. The page then asks the user to enter their password to log in to Instagram, and that password is sent to the attackers. Afterwards the user is redirected to the real Instagram copyright page, which helps avoid suspicion.
Ducklin offers the following advice to avoid falling for these scams:
“Don’t click ‘helpful’ links in emails. Learn in advance how to handle Instagram copyright complaints, so you know the procedure before you need to follow it. Do the same for the other social networks and content delivery sites you use. Don’t wait until after a complaint arrives to find out the right way to respond. If you already know the right URL to use, you never need to rely on any link in any email, whether that email is real or fake.
“Think before you click. Although the website name in this scam is somewhat believable, it’s clearly not instagram.com or facebook.com, which is almost certainly what you would expect. We hope you wouldn’t click through in the first place (see point 1), but if you do visit the site by mistake, don’t be in a hurry to go further. A few seconds to stop and double-check the site details would be time well spent.
“Use a password manager and 2FA whenever you can. Password managers help to prevent you putting the right password into the wrong site, because they can’t suggest a password for a site they’ve never seen before. And 2FA (those one-time codes you use together with a password) makes things harder for the crooks, because your password alone is no longer enough to give them access to your account.
“Talk to a friend you know face-to-face who’s done it before. If you are active on social media or in the blogosphere, you might as well prepare in case you ever get a copyright infringement notice for real. (We’re assuming the accusation will be false, but the complaint itself will actually exist.) If you know someone who has already gone through the genuine process once, see if they’ll tell you how it went in real life. This will make it much easier to spot fake complaints in future.”
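The password-manager point above comes down to a host-matching rule: a manager offers a saved login only when the page's host is the saved site itself or a subdomain of it, so a look-alike host such as one that merely contains the word "instagram" gets no autofill. The following is an added example, not code from the Naked Security article or from KnowBe4, showing that rule in Python. The saved sites and every URL it is run against are constructed for illustration (the article does not name the scam's real domain), and it matches on whole DNS labels rather than consulting the Public Suffix List.

```python
from __future__ import annotations

from urllib.parse import urlsplit

# Constructed example: sites for which a password manager holds a saved login.
SAVED_LOGINS = {"instagram.com", "facebook.com"}


def host_of(url: str) -> str | None:
    """Return the normalised hostname of a URL, or None if it cannot be parsed.

    urlsplit().hostname already discards any userinfo ("instagram.com@evil"),
    port, path and query, so a URL dressed up with a brand name before '@'
    still yields the real host.
    """
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    if not host:
        return None
    # Lower-case and drop a trailing dot (a fully qualified name is the same host).
    return host.lower().rstrip(".")


def matches_site(host: str, site: str) -> bool:
    """True if host is site, or a subdomain of site, compared on label boundaries.

    The leading '.' in the suffix test is what stops 'instagram.com.evil.example'
    (and 'notinstagram.com') from matching 'instagram.com'.
    """
    return host == site or host.endswith("." + site)


def site_for(url: str) -> str | None:
    """Return the saved site whose login a password manager would offer, or None."""
    host = host_of(url)
    if host is None:
        return None
    for site in sorted(SAVED_LOGINS):
        if matches_site(host, site):
            return site
    return None


def impersonated_site(url: str) -> str | None:
    """Heuristic look-alike warning: the host is *not* a saved site but embeds
    a saved site's brand label (e.g. 'instagram.com.appeal.example').
    Returns the site being imitated, or None. Homoglyph spellings such as
    'lnstagram' are not caught by this simple substring check.
    """
    host = host_of(url)
    if host is None or site_for(url) is not None:
        return None
    for site in sorted(SAVED_LOGINS):
        brand = site.split(".")[0]
        if brand in host:
            return site
    return None


if __name__ == "__main__":
    # Constructed URLs: two genuine, the rest in the style of a copyright-appeal lure.
    for url in (
        "https://www.instagram.com/accounts/login/",
        "https://www.facebook.com/help/instagram/",
        "https://instagram.com.copyright-appeal.example/",
        "https://instagram.com@copyright-appeal.example/login",
        "https://INSTAGRAM.COM./",
        "https://lnstagram.com/",
    ):
        print(f"{url:55} fill={site_for(url)} lookalike_of={impersonated_site(url)}")
```

Run as a script it prints, for each constructed URL, which saved login (if any) would be offered and whether the host merely imitates a saved brand; the two lure-style URLs get no autofill, which is exactly the protection the quoted advice relies on.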
New-school security awareness training can help your employees follow security best practices so they can avoid falling for social engineering attacks.
Naked Security has the story.