Clients should be aware of a troubling trend: phishing emails disguised as legitimate DMCA Takedown Notices. Recipients of a legitimate DMCA Takedown Notice will either (a) shield themselves from copyright infringement liability if they follow all of the required steps, or (b) find themselves exposed to copyright infringement liability and potentially steep money damages if they ignore it. The new phishing emails disguised as legitimate DMCA Takedown Notices could force an unsuspecting recipient to choose between ignoring a potentially valid notice and facing potential liability, or clicking the embedded link and falling prey to a phishing scam.
As background, you are generally strictly liable for copyright infringement for infringing material hosted on your website, platform, or server, whether or not you know the material is there. DMCA Takedown Notices arose from section 512 of the federal Copyright Act as a mechanism to (a) provide a "safe harbor" from liability to those entities that follow all the necessary statutory steps when third parties upload or post unauthorized copyrighted material to their platform, website, or server, and (b) put a system in place for rights holders to have their unauthorized works removed efficiently. Entities that host infringing material on their platform, website, or server (even unwittingly) but fail to respond appropriately to a valid Takedown Notice lose their safe harbor from copyright infringement liability for the infringing material they are hosting and can face significant monetary damages. More information and the requisite steps to preserve your safe harbor can be found in our previous articles on this topic.
In short, it is dangerous to ignore a legitimate DMCA Takedown Notice, because it can cost you significant amounts of money in terms of damages for copyright infringement.
Under the Copyright Act, a legitimate notice must contain the below information:
- A physical or electronic signature of a person authorized to act on behalf of the owner of an exclusive right that is allegedly infringed.
- Identification of the copyrighted work claimed to have been infringed, or, if multiple copyrighted works at a single online site are covered by a single notification, a representative list of such works at that site.
- Identification of the material that is claimed to be infringing or to be the subject of infringing activity and that is to be removed or access to which is to be disabled, and information reasonably sufficient to permit the service provider to locate the material.
- Information reasonably sufficient to permit the service provider to contact the complaining party, such as an address, telephone number, and, if available, an electronic mail address at which the complaining party may be contacted.
- A statement that the complaining party has a good faith belief that use of the material in the manner complained of is not authorized by the copyright owner, its agent, or the law.
- A statement that the information in the notification is accurate and, under penalty of perjury, that the complaining party is authorized to act on behalf of the owner of an exclusive right that is allegedly infringed.
Unfortunately, the phishing emails posing as DMCA Takedown Notices contain most of the requisite information above and look very legitimate. The unsuspecting recipient then clicks on the link within the "notice" and finds that it is instead a phishing scam. The primary problem is the third item above: "information reasonably sufficient to permit the service provider to locate the material." Typically, the author of a legitimate DMCA Takedown Notice includes the URL of the website where the infringing material can be found, so that the recipient of the notice knows exactly what to remove. But the scammers instead often include a URL or a link to a file that they ask you to download to see the infringing material. Clicking on this link would set off an undesired chain of events on the recipient's end.
So what do you do if you receive a questionable DMCA Takedown Notice? Do you click on the link to make sure you do not ignore a legitimate notice, because ignoring one would expose you to copyright infringement liability? Or do you delete the email and hope it was just a phishing scam? This is a very difficult position to be placed in. First, you ideally have an IT department that can quarantine and safely open the (potentially phishing) link and examine it. Bear in mind that you must respond to a legitimate DMCA Takedown Notice expeditiously, so your IT department should make this a priority. Second, you can contact legal counsel if you need assistance. Third, you can consider reporting any confirmed phishing emails as described here.
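As an added illustration (not part of the original article), the sketch below shows how an IT team could triage a notice's links without opening them: it checks whether each URL points at material the recipient actually hosts or at an outside site or file download. The domain names, sample notices, and extension list are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: extensions treated as "download this file" lures; tune locally.
RISKY_EXT = (".zip", ".rar", ".7z", ".iso", ".exe", ".js", ".lnk", ".docm")
URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""", re.IGNORECASE)

def host_is_ours(host, our_domains):
    """True if host equals, or is a subdomain of, a domain we operate."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in our_domains)

def triage_notice(body, our_domains):
    """Classify every URL in a notice body. Nothing is ever fetched."""
    ours = {d.lower() for d in our_domains}
    findings = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;")
        parts = urlsplit(url)
        # .hostname drops any "user@" prefix, so "our-site@other.example"
        # is judged by the host actually contacted.
        host = parts.hostname or ""
        if host_is_ours(host, ours):
            verdict = "on-platform"        # locates material we host
        elif parts.path.lower().endswith(RISKY_EXT):
            verdict = "external-download"  # the lure pattern described above
        else:
            verdict = "external-link"
        findings.append((url, verdict))
    return findings

def needs_it_review(findings):
    """Route to IT if there is no URL at all or any URL leaves our platform."""
    return not findings or any(v != "on-platform" for _, v in findings)

# Constructed sample data; example-host.test stands in for the recipient's site.
OUR_DOMAINS = {"example-host.test"}
LEGIT = "The infringing copy is at https://example-host.test/users/4411/photo.jpg."
FAKE = ("Download the evidence of infringement here: "
        "https://example-host.test.files-review.example/evidence.zip")

if __name__ == "__main__":
    for name, body in (("legit", LEGIT), ("fake", FAKE)):
        result = triage_notice(body, OUR_DOMAINS)
        print(name, result, "review" if needs_it_review(result) else "ok")
```

A flagged notice is not necessarily fraudulent, since a genuine complainant may also link to the original work; the flag only means the link should be examined in quarantine rather than clicked.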