Nonprofits should be aware of a disturbing trend: phishing emails disguised as legitimate Digital Millennium Copyright Act (DMCA) takedown notices. Hackers use this trick to get your attention by accusing you of breaking the law. The purpose of the scam is to trick you into opening or downloading malicious content that could significantly disrupt computer systems and operations. Because DMCA takedown notices are so important and ignoring them can result in potentially significant financial damage, these emails can force an unsuspecting recipient to choose between potentially ignoring a valid notice and facing liability, or clicking the embedded link and falling prey to a phishing scheme.
What is the DMCA Safe Harbor?
As a backdrop, nonprofit organizations are liable for copyright infringement for infringing material or user-generated content hosted on their websites, social media accounts, membership forums, and other types of digital platforms, whether or not they know the infringing material is there. DMCA takedown notices stem from Section 512 of the Federal Copyright Act as a mechanism to provide a “safe harbor” from such infringement liability to nonprofit organizations that follow all the necessary statutory steps and put in place a system for rights holders to have their unauthorized works effectively removed. Nonprofits that do not respond appropriately to a valid DMCA takedown notice lose their safe harbor from copyright infringement liability for the infringing material they host and may face significant monetary damages, even if the violation is unintentional. More information on DMCA formalities and the steps required to preserve your safe harbor can be found in our previous articles here, here and here. In short, ignoring a legitimate DMCA takedown notice is dangerous, as it can cost your organization significant sums in damages and legal fees for copyright infringement, and distract staff from mission-related programs.
What does a legitimate takedown notice look like?
Recipients of legitimate DMCA takedown notices will either (a) protect themselves from liability for copyright infringement if they follow all required steps, or (b) find themselves exposed to liability for copyright infringement and potentially significant damages if they ignore one.
Under copyright law, a legitimate notice must contain the following information:
- A physical or electronic signature of a person authorized to act on behalf of the owner of an exclusive right claimed to be infringed.
- Identification of the copyrighted work that is allegedly infringed or, if multiple copyrighted works at a single online site are covered by a single notification, a representative list of such works at that site.
- Identification of the material claimed to be infringing or to be the subject of infringing activity and which is to be removed or access to which is to be disabled, and information reasonably sufficient to permit the service provider to locate the material.
- Information reasonably sufficient to permit the service provider to contact the complaining party, such as an address, telephone number, and, if available, an electronic mail address at which the complaining party may be contacted.
- A statement that the complaining party has a good faith belief that use of the material in the manner complained of is not authorized by the copyright owner, its agent, or the law.
- A statement that the information in the notification is accurate and, under penalty of perjury, that the complaining party is authorized to act on behalf of the owner of an exclusive right allegedly infringed.
The new phishing emails are intentionally disguised as legitimate DMCA takedown notices. This could force an unsuspecting recipient to face the dilemma of either potentially ignoring a valid notice and facing potential liability, or clicking the embedded link and falling prey to a phishing scam.
Identifying phishing scams
Unfortunately, fake DMCA takedown notices contain much of the required information above and look very legitimate. The unsuspecting recipient then clicks on the link in the “notification” and finds that it is in fact a phishing scam. The main issue is the third item above: “information reasonably sufficient to permit the service provider to locate the material”. Typically, the author of a legitimate DMCA takedown notice includes the URL of the web page where the infringing material is located, so the recipient of the notice knows exactly what to remove. But scammers often include a URL or a link to a file that they ask you to download to view the infringing material. Clicking on this link would trigger a chain of unwanted events on the recipient’s side.
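The link check described above, as an added example that is not part of the original article: it pulls the URLs out of a notice body without opening any of them and separates links to material on your own site from links that ask you to download a file hosted elsewhere. The domain names, the extension list and both sample notices are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: file types treated as "download to view" lures; tune for your environment.
RISKY_EXT = (".zip", ".iso", ".exe", ".js", ".html", ".htm", ".lnk", ".msi", ".docm", ".xlsm")
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.I)


def host_is_ours(host, own_domains):
    """True only for an exact match or a real subdomain of a domain we operate."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in own_domains)


def triage_notice(body, own_domains):
    """Classify every URL in a notice body without fetching any of them."""
    findings = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;:")
        parts = urlsplit(url)
        host = parts.hostname or ""
        if host_is_ours(host, own_domains):
            verdict = "own-site"           # points at material we host: expected
        elif parts.path.lower().endswith(RISKY_EXT):
            verdict = "external-download"  # asks us to fetch a file: phishing pattern
        else:
            verdict = "external-link"      # evidence hosted elsewhere: verify first
        findings.append((url, verdict))
    return findings


def needs_quarantine(findings):
    """Send to IT review when no link identifies material on our own platforms,
    or when any link is an external download."""
    verdicts = [v for _, v in findings]
    return "own-site" not in verdicts or "external-download" in verdicts


# Constructed sample notices (not real messages); example.org stands in for the nonprofit.
OWN = {"example.org"}
LEGIT = "The infringing image is at https://www.example.org/blog/2021/gala-photos."
FAKE = ("Your site example.org uses my photos. View the proof here: "
        "https://storage.example.net/d/evidence-of-infringement.zip")

if __name__ == "__main__":
    for name, body in (("legit", LEGIT), ("fake", FAKE)):
        result = triage_notice(body, OWN)
        print(name, result, "quarantine:", needs_quarantine(result))
```

A notice that passes this check still needs the statutory elements listed earlier and a human review; the check only decides which messages go to IT before anyone clicks.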
What should you do?
So what should you do if you receive a questionable or unexpected DMCA takedown notice? Do you click the link to make sure you’re not ignoring a legitimate notice, because ignoring one would expose you to liability for copyright infringement? Or do you delete the email and hope it was just a phishing scam? This is a very difficult position for a non-profit organization. If you receive a DMCA takedown notice, consider the following.
- First, if it smells phishy, it probably is. Seeking a second opinion is recommended. Before you respond or click on a link, you ideally have an IT department that can safely quarantine and open the suspected phishing link and investigate it. Keep in mind that you need to respond quickly to a legitimate DMCA takedown notice, so your IT department should prioritize its evaluation.
- Second, you should contact legal counsel if you want advice and guidance on the legitimacy of the notice and how to respond to it.
- Third, you may consider reporting any confirmed phishing emails to the Federal Trade Commission and/or Anti-Phishing Task Force: https://www.consumer.ftc.gov/articles/how-recognize-and-avoid-phishing-scams#report.