Several clients have contacted us in the last few days, asking us what, if anything, they should do about an email they had received accusing them of using copyright-protected images on their websites without permission. Our research showed that they’d received a new and particularly sneaky “phishing scam.” Fortunately, they contacted us before allowing the attackers in their digital doors.
This scam tries to accomplish the usual goal of phishing and other similar online tricks — luring people to go to a page or to download a file that typically infects their systems with malware or viruses. But while it uses some common techniques, it tries to hide its intentions in an unusual and somewhat more plausible way.
Remember: Do not click on suspicious links or give information to any page with an identity you are not 100 percent sure about. If you already did, please see information below about what to do.
Below is a screenshot sent by a client reporting the scam to us. It used the URL of the recipient, a real client of ours, which we have deleted to protect the innocent.
This scam uses contact forms on websites. The ones we are aware of all say the ostensible sender was a variation of the name Melane, including Mel, Melania, Melanie, Melissa and many other less common names. They also use fake phone numbers and email addresses.
They pose as someone who produces images — photos or illustrations — that could be subject to copyright protection. They all threaten legal action or complaints with a seriousness that might spur a site owner to action — in this case clicking on the link to see what images this person might be talking about. Threats of legal action play upon fears that someone could cost you a lot of money with a lawsuit even if its allegations are totally false. Such allegations are scary, even if they don’t cost you money or cause legal complications, because they threaten your most valuable assets, the hard-won reputations of you or your business.
Copyright infringement is a serious accusation, of course. Copyrighting a work, be it text, a photograph or an illustration, is recognized as a legally enforceable way to ensure that creators get credit for — and are paid for — their work, their intellectual property. Of course, taking a photo or other digital creation without authorization is so much easier when they are online. (A new way of protecting unique digital work, Non-Fungible Tokens, or NFTs, has been in the news recently because it uses the ledger technology, known as the blockchain, behind Bitcoin to help digital artworks sell for millions of dollars. Almost all regular digital works are not so well protected.)
Rough & Ready Media, and most other professional website design companies, are scrupulous about using images only with permission, often by buying them from so-called stock image suppliers. We know how important digital creations are and how vital your company’s reputation is.
But this phishing scam also includes signs warning you not to bite, indications that have been common in other similar attacks. While a legitimate complaint might be made by someone whose first language is something other than English, these “red flags” include awkward phrasing such as:
“Licensed photographer” — What the heck is that?
“The evidence of my ownership.” — You mean proof?
“My copyright has been severely infringed.” — Infringement isn’t a matter of degree.
“I won’t give you prior notice again.” — Warn you again?
This latest attack does not, however, include the misspellings that were hallmarks of earlier, less subtle phishing emails. It seems they finally began using spell-check.
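As an added illustration (not code from the original post), here is a simple defender-side filter that scores incoming contact-form submissions against the indicators described above: a sender name that is a variant of Melanie, the legal-threat phrasing listed as red flags, and a link the reader is urged to follow. The phrase list, threshold and sample submissions are constructed for this example.

```python
import re

# Indicators drawn from the post; these lists are constructed for this example.
SUSPECT_NAMES = {"mel", "melane", "melania", "melanie", "melissa"}
THREAT_PHRASES = [
    "licensed photographer",
    "evidence of my ownership",
    "severely infringed",
    "prior notice",
    "legal action",
    "copyright",
]
# Matches an explicit http(s) URL or a bare domain such as example.com.
URL_RE = re.compile(r"https?://\S+|\b[\w-]+\.(?:com|net|org|io)\b", re.IGNORECASE)


def score_submission(name, message):
    """Return (score, reasons) for one contact-form submission.

    Name match adds 1, threat phrases add up to 2, a link adds 1.
    A score of 3 or more is treated as a likely copyright-threat phish and
    should be held for review rather than forwarded to the site owner.
    """
    reasons = []
    first = name.strip().split()[0].lower() if name.strip() else ""
    name_hit = first in SUSPECT_NAMES
    if name_hit:
        reasons.append("sender name matches a known scam variant")
    hits = [p for p in THREAT_PHRASES if p in message.lower()]
    if hits:
        reasons.append("legal-threat phrasing: " + ", ".join(hits))
    has_link = URL_RE.search(message) is not None
    if has_link:
        reasons.append("contains a link the reader is urged to follow")
    score = int(name_hit) + min(len(hits), 2) + int(has_link)
    return score, reasons


def is_likely_phish(name, message, threshold=3):
    return score_submission(name, message)[0] >= threshold


if __name__ == "__main__":
    # Constructed sample submissions, not real messages.
    samples = [
        ("Melanie", "I'm a licensed photographer. My copyright has been severely "
                    "infringed by images on your site. See the evidence of my ownership "
                    "at http://example.invalid/images or I will take legal action."),
        ("Dana", "Hello, do you offer website redesign packages for small shops?"),
    ]
    for sender, body in samples:
        print(sender, score_submission(sender, body))
```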
What damage is possible? How serious can this be?
Such scams can steal your information, install ransomware that won’t let you access your files until you pay the scammers and just plain destroy your files, record all your keystrokes and do a variety of other damage. We don’t yet know what the authors of this particular attack are trying to do, but it’s a good bet it isn’t good for you.
If you clicked before you thought
Most expert advice about what to do if you think you have responded to a phishing attack says to immediately disconnect your device from the internet and any local network — unplugging a wired connection or pulling up the Wi-Fi controls and doing it there. This should limit the spread of any malignant code and limit the damage it can do.
The common advice is to then scan your device with virus and malware detection software and to back up your files (if they are not automatically backed up). If you are reading this and thinking, “Maybe I should have my files automatically backed up” or, “Maybe I should buy some malware and virus protection software,” the answer to both questions is “Definitely, yes!”
If you have an IT department or a contracted technical support service, inform it.
Also report the incident to the authorities, including the FTC.
As always, if you have related issues or questions, contact us. No phishing scammers, please!