Focused on compromising social media credentials, scammers trick Instagram users into giving up credentials and other personally identifiable information with convincing phishing emails.
A good scam is made up of a mixture of powerful emotional triggers to create urgency, familiar branding, and a seemingly recognizable user experience. This scam has them all. Users are sent an email purporting to be from Instagram informing them of a copyright infringement they need to address. Those who click the link are taken to a realistic-looking webpage that informs them they have the option to appeal the infringement or be blocked after 48 hours.
With social media users not wanting to be cut off from their precious platforms, appeal is the only real option. Next, users are asked for their account details and birthdate (to facilitate compromise of their actual Instagram account).
Note that the web address even appears to provide some degree of credibility, using both “Instagram” and “copyrightinfringement” in the URL.
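The point about brand words in the URL can be turned into a simple mail-filter or triage check. The following is an added example, not part of the original post: the allowlist of official domains and the sample links are assumptions constructed for illustration, and the keywords are the two the post mentions.

```python
from urllib.parse import urlsplit

# Assumption: allowlist of the brand's real domains (not taken from the post).
OFFICIAL_DOMAINS = {"instagram.com"}
# Trust-signal keywords the post says appeared in the phishing URL.
BRAND_KEYWORDS = ("instagram", "copyrightinfringement")


def classify(url: str) -> str:
    """Return 'official', 'brand-impersonation', 'unrelated' or 'unparseable'."""
    try:
        parts = urlsplit(url if "://" in url else "//" + url)
        host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased
    except ValueError:  # e.g. malformed IPv6 literal
        return "unparseable"
    if not host:
        return "unparseable"
    # Only the host decides where the browser connects: it must equal an
    # official domain or end with "." + that domain (a true subdomain).
    if any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS):
        return "official"
    # Brand words in userinfo, host labels, path or query prove nothing about
    # ownership. Separators are dropped so "copyright-infringement" matches too.
    text = f"{parts.netloc}{parts.path}?{parts.query}".lower()
    text = text.replace("-", "").replace("_", "")
    if any(k in text for k in BRAND_KEYWORDS):
        return "brand-impersonation"
    return "unrelated"


# Constructed sample links (reserved .example names, not real indicators).
SAMPLES = [
    "https://help.instagram.com/copyright",
    "https://instagram.com.copyrightinfringement.example/appeal",
    "https://instagram.com@login.example/appeal",
    "https://notinstagram.com/",
    "https://forms.example/copyright-infringement/appeal",
    "https://news.example/article",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(f"{classify(u):20} {u}")
```

A link classified as `brand-impersonation` uses the brand's name without being hosted on the brand's domain, which is the pattern described above.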
The challenge with these kinds of scams is that it’s completely plausible that someone would violate a social media platform’s terms of service. Users need to be more wary of unsolicited emails that are vague in nature (e.g., this scam never provides the specifics around what exactly was posted that infringed on someone’s copyright), even when they impersonate a well-known brand.
Users can be easily educated on such tactics – as well as why and how to incorporate security-mindedness into their daily work activity – using Security Awareness Training. Today, the attack is about copyright infringement; tomorrow, it will be about some other issue that demands your users’ attention. Putting them through continual Security Awareness Training will help users to know how to identify suspicious emails, webpages, links, etc., allowing them to safely ignore or bypass the threat.