In the vast landscape of phishing scams, there’s a new wave targeting Instagram users that’s both clever and potentially damaging. In this blog post, we’ll delve into the details of the latest Instagram copyright infringement scam, shedding light on the tactics scammers use to trick users into compromising their accounts.
The Scam Unveiled
Recently reported by Trustwave, scammers are posing as Meta, the parent company of Instagram, and sending alarming emails claiming users’ accounts are infringing copyrights. The urgency is heightened with a threat of account deletion within 12 hours if users fail to appeal the alleged copyright violation.
Identifying Red Flags
To the discerning eye, there are clear signs that this email is a scam. The impersonation is almost perfect, with the Meta logo accurately replicated. However, subtle discrepancies, such as generic salutations like “Hi! Dear [Your Name]” and misleading directions like “Click ‘Go to Form’” instead of the actual button text “Go to appeal form,” may tip off savvy users.
The Deceptive Appeal Process
Those who fall for the scam are directed to a fake Meta “Violation Status Central Portal” to initiate their appeal. Here, the scammers aim to acquire sensitive information. After obtaining the Instagram username and password, the next request is for the user’s backup code if two-factor authentication (2FA) is enabled.
Understanding Two-Factor Authentication and Backup Codes
Two-factor authentication is a crucial security measure that sends a code to a trusted device when logging into an account. In instances where access to the trusted device is unavailable, services like Instagram provide backup codes—single-use codes functioning similarly to 2FA.
The Scammers’ Endgame
By tricking users into providing their backup codes, scammers gain the means to access the targeted Instagram accounts. Once inside, they can reset passwords and codes, effectively locking users out of their own accounts.
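The two preceding sections describe backup codes as single-use stand-ins for the 2FA code, and regenerating them as the way an attacker (or a recovering owner) invalidates the old set. The following Python is an added illustration written for this post, not Instagram's or Meta's implementation; the storage layout (salted SHA-256 at rest, a code removed the moment it is redeemed) is an assumption chosen to show the single-use property and why a disclosed code stays dangerous only until the set is regenerated.

```python
import hashlib
import hmac
import secrets

# Assumed parameters for this illustration; real services pick their own.
CODE_COUNT = 5
CODE_LENGTH = 8  # decimal digits per code


def generate_backup_codes(count=CODE_COUNT):
    """Return fresh numeric backup codes; a service shows these to the user once."""
    return [f"{secrets.randbelow(10 ** CODE_LENGTH):0{CODE_LENGTH}d}" for _ in range(count)]


def _hash_code(code, salt):
    # Codes are stored hashed so a database read does not yield usable codes.
    return hashlib.sha256(salt + code.encode()).hexdigest()


class BackupCodeStore:
    """Server-side view of one account's backup codes (constructed example).

    Each code is accepted exactly once: redeeming it removes its hash, so a
    code that was phished and already used cannot be replayed, and a reset
    discards every outstanding hash, killing any leaked-but-unused code.
    """

    def __init__(self, codes):
        self.salt = secrets.token_bytes(16)
        self._unused = {_hash_code(c, self.salt) for c in codes}

    def redeem(self, code):
        """Return True and consume the code if it is valid and unused."""
        digest = _hash_code(code.strip().replace(" ", ""), self.salt)
        match = None
        for stored in self._unused:
            # Constant-time comparison against every stored hash.
            if hmac.compare_digest(stored, digest):
                match = stored
        if match is None:
            return False
        self._unused.discard(match)  # single use: second attempt fails
        return True

    def remaining(self):
        return len(self._unused)

    def reset(self):
        """Invalidate all existing codes and issue a new set."""
        codes = generate_backup_codes()
        self._unused = {_hash_code(c, self.salt) for c in codes}
        return codes


if __name__ == "__main__":
    issued = generate_backup_codes()
    store = BackupCodeStore(issued)
    print("first use accepted:", store.redeem(issued[0]))
    print("replay accepted:", store.redeem(issued[0]))
    store.reset()
    print("old code after reset accepted:", store.redeem(issued[1]))
```

The practical takeaway for the scam above: a user who realises they handed a backup code to the “appeal portal” should regenerate the codes (and change the password) from the genuine app immediately, because every code in the old set is dead the moment `reset()` runs, whether or not the attacker has tried it yet.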
Protecting Yourself from Phishing Scams
As phishing scams persist, it’s essential to adopt vigilant practices:
Check Sender Domains
Always scrutinize the sender’s domain. Scammers often replace their name with the impersonated company (Meta), but checking the full domain can reveal the deception.
Hover over links to inspect their URLs before clicking. Legitimate links should lead to familiar domains related to Meta or Instagram, not a jumble of random characters.
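The two checks just described, sender domain and link destination, are easy to automate. The Python below is an added example for this post, not code from Trustwave or Meta. It assumes a small allow-list of domains (`meta.com`, `instagram.com`) standing in for whatever a real mail filter would trust, and it runs over a constructed phishing message and a constructed legitimate one. The lookalike sender `meta.com.example.net` and the link host `meta-appeal.example.net` are invented samples on the reserved `example.net` domain.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allow-list for this example; a real filter would maintain its own.
TRUSTED_DOMAINS = {"meta.com", "instagram.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")
BRAND_RE = re.compile(r"\b(meta|instagram)\b", re.IGNORECASE)


def host_is_trusted(host, trusted=TRUSTED_DOMAINS):
    """True only if host is a trusted domain or a subdomain of one.

    Suffix matching on a leading dot is what defeats 'meta.com.example.net':
    the trusted name appears in it, but it does not end in '.meta.com'.
    """
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def check_sender(from_header):
    """Compare the display name (what the mail client shows) with the real domain."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2]
    findings = []
    if not host_is_trusted(domain):
        findings.append(f"sender domain {domain!r} is not a trusted Meta/Instagram domain")
        if BRAND_RE.search(name):
            findings.append(f"display name {name!r} impersonates a trusted brand")
    return findings


def check_links(body):
    """Flag every URL whose hostname is outside the allow-list."""
    findings = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname  # ignores userinfo tricks like user@host
        if not host_is_trusted(host):
            findings.append(f"link {url} points to untrusted host {host!r}")
    return findings


def assess_email(from_header, body):
    """Return a list of red flags; an empty list means nothing tripped."""
    return check_sender(from_header) + check_links(body)


# Constructed samples (not real messages).
SAMPLE_FROM = "Meta Support <noreply@meta.com.example.net>"
SAMPLE_BODY = (
    "Hi! Dear user, your account infringes copyrights and will be deleted in 12 hours.\n"
    "Click 'Go to Form': https://meta-appeal.example.net/x7q9/portal\n"
)
LEGIT_FROM = "Instagram <security@mail.instagram.com>"
LEGIT_BODY = "Sign in at https://www.instagram.com/ to review your account."

if __name__ == "__main__":
    for label, hdr, body in (("phish", SAMPLE_FROM, SAMPLE_BODY), ("legit", LEGIT_FROM, LEGIT_BODY)):
        print(label, assess_email(hdr, body) or ["no red flags"])
```

Two caveats on the heuristic: it matches on the registrable domains listed, so names under multi-label suffixes (for example `co.uk`) would need a public-suffix list to handle correctly, and an email that passes both checks is not proven genuine; the checks only catch the mismatch the post describes, where the display name says Meta and the actual domain does not.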
Spot Spelling and Formatting Issues
Billion-dollar companies maintain professionalism in their communications. Poor grammar, spelling mistakes, or amateur formatting are telltale signs of a phishing attempt.
Exercise Caution with Clicks
If you mistakenly click a link, refrain from downloading anything or providing information. Close the window immediately to mitigate potential risks.
When in doubt, contact the supposed sender directly. If Instagram prompts a login, access the site independently. Always confirm requests, especially those involving sensitive information like passwords and backup codes.