Don’t Fall for This Instagram Copyright Scam
Look in your email spam folder and you’ll find a sea of obvious, pathetic, and sometimes hilarious phishing attempts. However, sometimes scammers get smarter and come up with ways to scare you into sharing your most important information.
Latest Instagram Phishing Scam Asks for Your Backup Codes
In this latest case, as Trustwave reports, scammers are impersonating Meta, warning users that their accounts are “copyright infringing.” To make matters worse, they will emphasize that if you do not appeal this decision, Meta will delete your account within 12 hours. It would be quite embarrassing if you saw this email the next day with your Instagram account completely intact.
To the trained eye, this initial message may be an obvious scam. Even though they get the Meta logo right, you might not fall for the intro that says “Hi! Dear [Your Name]” or the instruction to click “Go to Form” when in fact the button says “Go to Appeal Form.” Meta will also never delete an account 12 hours after sending a warning email unless you first “appeal” the decision. Digging deeper, the email address is not from Meta: it’s from “contact-helpchannelcopyrights[.]com” and the appeal form URL leads to a Google notice link rather than a Meta URL. Suspicious…
However, many will not see these warning signs and may hit the appeal button as soon as possible to avoid losing their Instagram account. If you do this, you will be taken to a fake Meta “Central Violation Status Portal” where you can file an “appeal.” Once you go to another site to start the process, the site will ask you for your Instagram username and password (of course). But what follows is what the phishers are really after: they will ask if your account has two-factor authentication. If it does (as it should for maximum security), you will be asked to provide one of the backup codes for “protection.”
Let’s take a step back. Two-factor authentication (or 2FA) sends a code to a trusted device whenever you try to log into your account. It’s designed to protect against attackers who know your username and password, so you should never share your code with anyone. However, if you don’t have access to a trusted device, some services, such as Instagram, use backup codes. These are preset codes that you can use once and that act like a 2FA code. This way, even if you don’t have access to the text message with the 2FA code, you can use a backup code for authentication.
The scammers want you to provide one of the backup codes after your username and password so they can use all of that to log into your account on their end. Once they do this, they will be able to reset both the password and the codes, locking you out of your account. Again, you should never share your 2FA or backup codes with anyone. Only use them when you are directly trying to log into your account and are prompted to do so.
How to protect yourself from phishing attacks
Fraudsters aren’t going to stop scamming you, but you can make it harder for them. At this point, we should all stop checking our email. But if necessary, follow these general tips:
- Always check the sender’s domain. Often, scammers will replace their name with the name of the company they are impersonating (in this case, Meta), but if you click on the name in your email app, you will see the full domain. Most likely it’s a fake.
- Be extremely careful with links in messages. Before you click, hover your mouse over the link and read the URL preview that appears. If the link is official, it should take you to a familiar domain (something Meta or Instagram related). If it’s nonsense or a company name that has nothing to do with the email, that’s a problem.
- Be aware of spelling, grammar and formatting issues. These billion-dollar companies don’t send emails with errors: if the copy is poorly written or the formatting seems amateurish, that’s because it is. This says “graphic design is my passion.”
- If you click on a link and regret it, just close the window. Do not download anything or disclose any information. Fake sites like to ask you to “log in” while recording your username, password, and other valuable information such as 2FA codes.
- If in doubt, contact the sender directly. If Instagram wants you to sign in, sign in yourself from the Instagram website. If your boss wants you to transfer money, call him directly. (Although I promise you, they don’t want you to do that.)
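The first two tips can also be checked mechanically. The Python sketch below is an added example, not part of the original article: it parses a constructed message modelled on the lure described above and flags a sender domain or link destination outside a set of domains assumed to be Meta-owned. The `TRUSTED` set, the mailbox name and the link URL are assumptions or placeholders.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: domains the reader accepts as Meta-owned; adjust to your own list.
TRUSTED = {"meta.com", "instagram.com", "facebook.com"}

# Constructed sample: sender domain from the article, mailbox and link URL are placeholders.
SAMPLE = """\
From: Meta <support@contact-helpchannelcopyrights.com>
Subject: Copyright infringement notice
Content-Type: text/html; charset=utf-8

<p>Hi! Dear user, your account will be deleted within 12 hours.</p>
<a href="https://notice.example.net/redirect?id=1">Go to Appeal Form</a>
"""

def is_trusted(host):
    """True if host is a trusted domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def check_email(raw):
    """Return warnings for the sender-domain and link-destination checks."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    warnings = []
    if not is_trusted(sender_host):
        warnings.append(f"display name {name!r} but sender domain {sender_host}")
    parser = LinkCollector()
    parser.feed(msg.get_payload())
    for href in parser.hrefs:
        host = urlsplit(href).hostname
        if not is_trusted(host):
            warnings.append(f"link goes to {host}")
    return warnings

if __name__ == "__main__":
    print("\n".join(check_email(SAMPLE)))
```

The suffix match in `is_trusted` requires a dot before the trusted domain, so a lookalike host such as `instagram.com.evil.example` is still flagged.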