Photo Phishing Scam: How To Keep Your Pond Safe From Scammers
by Samuel Klusmeyer - July 16, 2021
A classic phishing email scam is making its way into email inboxes again. The scam starts with a seemingly legitimate email from someone posing as a professional photographer. The "photographer" will state that their photos were being illegally used and that you are infringing on their copyright.
The email may appear valid, but the sender's only intention is to install malware on your computer. Normally, scammers will try to get you to click on a link or downloadable file. That download will install malware, spyware, and a host of other malicious content.
So, What Does A Phishing Email Scam Look Like?
We've provided an example for you below.
Name: Sally B. Luffs
Subject: COPYRIGHT INFRINGEMENT - yoursite.com is in violation
Phone: 1 (800) 123-SCAMS
Email: email@example.com
Message: Hello!
My name is Sally and I'm a pro photographer.
I have been made aware that your site is hosting pictures I photographed without credit or compensation. I need you to know that this is infringing on my copyright-protected I.P. and that you are violating my rights as defined in section 101 of U.S. code 17.
Please click the link below to view the copyrighted picture you're using at [insert recipients site here].
If you do not confirm that you've viewed the copyright and have removed the image or provided proof of purchase within 30 days, I will assume your actions are malicious and will immediately begin to seek the maximum amount of compensation as set in section 504 of the Digital Millennium Copyright Act of 1998 ($1,000,000 or 10 years of imprisonment).
This letter is an official, legal notice, and it will be treated as such in a court of law.
Sally B. Luffs
These scams can LOOK real, but they all follow the same general formula.
That formula is as follows:
- An emotional callout (i.e., I have been made aware that your site is hosting pictures that I took without credit or compensation)
- A link or a downloadable file (usually this will be presented as information you absolutely NEED to read before responding)
- An authority building claim (i.e., section 504 of the Digital Millennium Copyright Act of 1998)
- A statement intended to scare you (i.e., $1,000,000 or 10 years of imprisonment)
- A closing declaration/threat (i.e., This letter is an official, legal notice, and it will be treated as such in a court of law)
Why Am I Receiving Phishing Emails?
Scams of this nature are at an all-time high following the transition to working from home over the last 18 months.
Personal computers lack spyware protection that an office desktop may have, and your I.T. professional or tech security officer won't be close. Scammers have recognized a golden opportunity to take advantage of unsuspecting workers.
This is as true for business owners as it is for employees.
Even if you feel secure, your email address may have been leaked by another company, or your inbox may not be as protected as you think. We discuss further down how to protect yourself from these fraudulent swindlers.
How Do You Tell If An Email Is A Scam?
Usually, you can follow a checklist to determine if what you've received is a scam in little to no time. We recommend checking for the following things to determine if what you're looking at is dangerous when you receive an unexpected email...
Check For Simple Things Like Grammar and Spelling Mistakes
If the email looks like a bot wrote it, delete it, flag it, or move on.
Another tell-tale sign is text that feels too general. If the email seems generic and it doesn't reference a specific article, your webpage, or your company/name, it wasn't meant for you specifically. Phishing emails get sent to anywhere between thousands and millions of people in mass mailing lists.
Question the Sender's Appeals to Authority
Check the sender's sources. You may find out that they're misquoting a law (or making one up entirely).
For example, you'll notice that our sample phishing email didn't link out to anything. A more trustworthy legal communication would have linked directly to the sources they referenced. Look up section 504 and US article 17.
In our example, Sally B. Luffs got their information wrong. $1,000,000 isn't necessarily the right amount; it is simply the first figure that pops up in section 504 after a quick ctrl+f for the dollar sign. We picked that number when writing up the example for no other reason than that it was large and scary.
Scam artists love to make appeals to authority that aren't true.
Ignore Any Timeline an Email Gives You
In our example, the sender gave the recipient 30 days to respond or to take down the offending picture.
A timeline can make you panic and feel trapped. That's exactly how a scammer wants you to feel. You're more likely to make bad decisions when you feel rushed.
Is The Email Ultra Focused On You Clicking or Downloading?
Think about what the scammer wants: they want you to open the link they've given you.
Don't play their game.
In the example we gave, Luffs doesn't allow you access to the photos they're threatening to sue over UNLESS you click the link they've provided.
That should be an immediate red flag. Why would clicking on a link matter? A genuine legal communication would provide various ways to reach the copyright holder.
If you're still worried, upload the pictures you use on your site to Google's image search to uncover any accidental copyright violations. If you have accidentally used someone else's content, replace it and flag the suspicious email so Google knows it's spam.
Watch Out for Phishy Keywords
Words like "malicious" or "intentionally stole" are red flags. If a "legally binding" email assumes you're guilty, then it's likely a scam (we're using legally binding in the loosest way here).
Scammers will do anything they can to make you feel like you're isolated, in the wrong, or like you owe them something. Remember, you are not beholden to a random person emailing you at 3 A.M.
Look At the Email Address
Usually, a scam email produced by a bot will use a generic email (think "firstname.lastname@example.org").
An official person reaching out to you with a copyright strike would use an official email. If this mysterious photographer is threatening litigation, why wouldn't they use their business email?
Look At When the Email Was Sent
Any small detail can point to a scam email in your inbox.
Working people probably won't send emails at 3 A.M. A bot or a scammer might.
If an email threatening your livelihood appears in your inbox like a ghost in the night, view it with a healthy dose of skepticism.
If There's a Link, Don't Open It
Look at the link title or hover over it to see where it would send you (hover your cursor over the link and look to the bottom of your browser window).
If someone is claiming that you are using their picture, the link they send should point to your site, since they are trying to give you "proof" of your theft. If the link leads somewhere else, that is a good indicator that the sender has ill intentions for your computer and data.
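As an added illustration (not part of the original post), here is the checklist above turned into a small Python heuristic and run over a constructed email modelled on the Sally B. Luffs sample; the sender address, timestamp, link host and the list of "generic" mail domains are all made-up assumptions for the example.

```python
import re
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample modelled on the article's "Sally B. Luffs" email.
# Sender, timestamp and link host are invented for this example.
SAMPLE = {
    "from": "sally.luffs@example.org",
    "date": "2021-07-14T03:12:00",
    "our_site": "yoursite.com",
    "body": (
        "I have been made aware that your site is hosting pictures I "
        "photographed without credit. Please click the link below to view "
        "the copyrighted picture you're using at yoursite.com: "
        "http://photos-proof.example.net/view?id=42 If you do not remove "
        "the image within 30 days, I will assume your actions are malicious. "
        "This letter is an official, legal notice."
    ),
}

# Stand-ins for free/generic mail providers (assumption for the example).
FREEMAIL = {"example.org", "example.com"}
# Pressure and assumed-guilt wording the article calls out.
PRESSURE = re.compile(
    r"\b(malicious|intentionally stole|legal notice|within \d+ days)\b", re.I
)
URL = re.compile(r"https?://[^\s<>\"]+")


def score_email(msg: dict) -> list[str]:
    """Return the red flags the article's checklist raises for one email."""
    flags = []
    sender_domain = msg["from"].rsplit("@", 1)[-1].lower()
    if sender_domain in FREEMAIL:
        flags.append("generic sender domain: " + sender_domain)
    # "Look at when the email was sent": outside normal working hours.
    hour = datetime.fromisoformat(msg["date"]).hour
    if hour < 6 or hour >= 22:
        flags.append(f"sent at odd hour: {hour:02d}:00")
    # "If there's a link": proof of theft should point at OUR site.
    for link in URL.findall(msg["body"]):
        host = urlparse(link).hostname or ""
        if not (host == msg["our_site"] or host.endswith("." + msg["our_site"])):
            flags.append("link does not point at our site: " + host)
    for word in PRESSURE.findall(msg["body"]):
        flags.append("pressure wording: " + word.lower())
    return flags
```

Run `score_email(SAMPLE)` to see every check fire on the sample; a plain notice from a business address, sent during working hours, linking only to your own site, returns an empty list.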
Don't Get Hooked
When you receive an odd-looking email, check with others in your office before clicking any links or downloading any files.
Scammers can hide malicious spyware in the most innocent-looking places. In that same vein, we also recommend you scan any items you download with anti-virus or anti-malware software before opening or installing.
You can also use the survival-focused S.T.O.P. acronym to allow time to form a solution.
- Stop: calm down (take three deep breaths)
- Think: work out what matters in your current situation (in this case, not getting malware is your goal)
- Observe: look for anything suspicious in the email (see the list we made above)
- Plan: Ask around and figure out a course of action (this can be as simple as deleting the email)
Remember, the best protection you have is always research, critical thinking, and the experience of your office security manager and co-workers.
Let yourself off the hook. Take an extra second to look at suspicious emails.