Nonprofits should be aware of a troubling trend: phishing emails disguised as legitimate Digital Millennium Copyright Act (DMCA) Takedown Notices. Hackers use this ruse to grab your attention by accusing you of violating the law. The goal of the scam is to trick you into opening or downloading malicious content that can significantly disrupt IT systems and operations. Because DMCA Takedown Notices are so important and ignoring them can lead to potentially steep money damages, these emails can force an unsuspecting recipient to choose between potentially ignoring a valid notice and facing liability, or clicking the embedded link and falling prey to a phishing scheme.

What Is the DMCA Safe Harbor?

As background, nonprofits are liable for copyright infringement for infringing material or user-generated content hosted on their websites, social media accounts, membership forums, and other kinds of digital platforms, whether or not they know the infringing material is there. DMCA Takedown Notices arose from section 512 of the federal Copyright Act as a mechanism to provide a “safe harbor” from this infringement liability to those nonprofits that follow all the necessary statutory steps and put a system in place for rights holders to have their unauthorized works removed efficiently. Nonprofits that fail to respond appropriately to a valid DMCA Takedown Notice lose their safe harbor from copyright infringement liability for the infringing material they are hosting and can face significant monetary damages, even if the infringement is unintentional. More information on the DMCA formalities and the requisite steps to preserve your safe harbor can be found in our previous articles here, here, and here. In short, it is dangerous to ignore a legitimate DMCA Takedown Notice, because it can cost your organization significant amounts of money in terms of damages and legal fees for copyright infringement and diverting staff attention away from mission-related programs.

What Does a Legitimate Takedown Notice Look Like?

Recipients of legitimate DMCA Takedown Notices will either (a) shield themselves from copyright infringement liability if they follow all of the required steps, or (b) find themselves exposed to copyright infringement liability and potentially steep money damages if they ignore one.

Under the Copyright Act, a legitimate notice must contain the following information:

1. A physical or electronic signature of a person authorized to act on behalf of the owner of an exclusive right that is allegedly infringed.
2. Identification of the copyrighted work claimed to have been infringed, or, if multiple copyrighted works at a single online site are covered by a single notification, a representative list of such works at that site.
3. Identification of the material that is claimed to be infringing or to be the subject of infringing activity and that is to be removed or access to which is to be disabled, and information reasonably sufficient to permit the service provider to locate the material.
4. Information reasonably sufficient to permit the service provider to contact the complaining party, such as an address, telephone number, and, if available, an electronic mail address at which the complaining party may be contacted.
5. A statement that the complaining party has a good faith belief that use of the material in the manner complained of is not authorized by the copyright owner, its agent, or the law.
6. A statement that the information in the notification is accurate and, under penalty of perjury, that the complaining party is authorized to act on behalf of the owner of an exclusive right that is allegedly infringed.

The new phishing emails are intentionally disguised as legitimate DMCA Takedown Notices. This could force an unsuspecting recipient to face the dilemma of choosing between potentially ignoring a valid notice and facing potential liability, or clicking the embedded link and falling prey to a phishing scam.

Identifying Phishing Scams

Unfortunately, the fake DMCA Takedown Notices contain largely the above requisite information and look very legitimate. The unsuspecting recipient then clicks on the link within the “notice” and finds that it is instead a phishing scam. The primary problem is item 3 above: “information reasonably sufficient to permit the service provider to locate the material.” Typically, the author of a legitimate DMCA Takedown Notice includes the URL link to the website where the infringing material can be found, so that the recipient of the notice knows exactly what to remove. But the scammers instead often include a URL or a link to a file that they ask you to download to see the infringing material. Clicking on this link would set off an undesired chain of events on the recipient’s end.

What Should You Do?

So what should you do if you receive a questionable or unexpected DMCA Takedown Notice? Do you click on the link to make sure you do not ignore a legitimate notice, because ignoring one would expose you to copyright infringement liability? Or do you delete the email and hope it was just a phishing scam? This is a very difficult position for a nonprofit to be placed in. If you receive a DMCA Takedown Notice, consider the following.

1. First, if it smells phishy, it probably is. Seeking a second opinion is recommended. Before responding or clicking any links, you ideally have an IT department that can quarantine and safely open the suspected phishing link and examine it. Bear in mind that you must respond to a legitimate DMCA Takedown Notice expeditiously, so your IT department should prioritize its evaluation.
2. Second, you should contact legal counsel if you want advice and counsel about the legitimacy of the notice and how to respond.
3. Third, you can consider reporting any confirmed phishing emails to the Federal Trade Commission and/or the Anti-Phishing Working Group: https://www.consumer.ftc.gov/articles/how-recognize-and-avoid-phishing-scams#report.