hacked.com

Instagram copyright infringement scam: how it works and how to respond safely

Copyright infringement scams on Instagram are credential-harvesting campaigns wrapped in enforcement language. The attacker wants you to panic, click an “appeal” link, and log in on a fake page. Once they have your password and session, they can steal the account, run ads, and message your followers.

| Start here | Do this | Why it works |
| --- | --- | --- |
| Verification | Ignore the message and check Instagram directly for official notifications | Real enforcement signals appear in-product, not only in a DM link |
| Link hygiene | Do not log in from links in emails, DMs, comments, or ads | Phishing succeeds by controlling the login page |
| Control plane | Secure the email account tied to Instagram and enable 2FA | Email is the reset hub if anything goes wrong |
| Session cleanup | Review logged-in sessions and connected apps and remove anything unfamiliar | Stolen sessions and app access can persist after a password change |
| Report | Report the scam account or message through platform reporting tools | Consistent reporting reduces the attacker’s reach |

Key idea: enforcement themes are a wrapper. The real test is always the same: is the request coming from an in-app notice you can verify, or from a link in a message?

How the scam usually works

The attacker impersonates “Instagram copyright” or “Meta support” and sends one of these:

  • a DM that claims your content violates copyright and your account will be disabled within hours
  • an email that looks like an official legal notice with an “appeal” or “verify ownership” link
  • a comment on a post telling you to click a link to avoid account removal

The link leads to a lookalike login page. The page steals credentials and often asks for a one-time code. If you provide it, the takeover is immediate.
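
Why a link that displays "instagram.com" can still open a lookalike page, shown as an added example that is not from the original article: the helper below classifies each URL in a reported message by the host the browser would actually contact. The allowlist, function names, and sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: an illustrative allowlist, not an official list published by Meta.
OFFICIAL_DOMAINS = ("instagram.com", "facebook.com", "meta.com")
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

def classify_link(url):
    """Return (verdict, reason) based only on the host the browser would contact."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return "suspicious", "unparseable URL"
    if parts.scheme.lower() != "https":
        return "suspicious", "not https"
    if parts.username is not None:
        # https://instagram.com@other.example/ connects to other.example
        return "suspicious", "text before @ is not the host; real host is " + host
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return "suspicious", "internationalized host can imitate Latin letters"
    for domain in OFFICIAL_DOMAINS:
        # Match on a label boundary: notinstagram.com must not pass.
        if host == domain or host.endswith("." + domain):
            return "official-domain", host
    if any(d.split(".")[0] in host for d in OFFICIAL_DOMAINS):
        return "suspicious", "brand name inside an unrelated host: " + host
    return "unknown", host

def triage_message(text):
    """Extract every URL from a reported message and classify it."""
    urls = [u.rstrip(".,;:!?") for u in URL_RE.findall(text)]
    return [(u, *classify_link(u)) for u in urls]

# Constructed sample messages (hosts use the reserved .example TLD).
SAMPLE = """\
Copyright violation detected. Appeal within 24h:
https://instagram.com.copyright-appeal.example/login
Verify ownership here: https://instagram.com@appeal-center.example/verify.
Help Center: https://help.instagram.com/
"""

if __name__ == "__main__":
    for url, verdict, reason in triage_message(SAMPLE):
        print(f"{verdict:16} {url}  ({reason})")
```

An "official-domain" verdict only describes the host; it is a triage aid for reported messages and does not replace checking the notice inside the app.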

What a legitimate copyright notice looks like

Real copyright disputes are handled through official reporting and appeal channels. If you want to understand the legitimate process, use Meta’s official Instagram copyright reporting and appeal documentation, not whatever a DM link claims.

Fast verification: check inside Instagram, not in the message

When you receive an “urgent” notice, treat it as untrusted input until you can verify it inside the app.

  • Open Instagram directly and review in-app notifications and account status indicators.
  • Review the list of recent emails Instagram says it sent you. This helps spot fake “from Instagram” emails.
  • If the message arrived as a DM, remember that scammers can name accounts anything. A handle that looks official is not proof.

Official reference: Review recent emails sent from Instagram.

Common mistake: replying to the scammer and trying to argue. Engagement confirms the account is active and often increases targeting.

If you clicked the link or entered your password

Treat it as a takeover in progress and work outward from the control plane.

  1. Secure email first. Change the email password, enable 2FA, remove forwarding rules, and sign out unknown sessions.
  2. Change the Instagram password from a clean device and review account email and phone details.
  3. Review sessions and connected apps and remove anything unfamiliar.
  4. Enable 2FA on Instagram and store backup codes where you can find them during an incident.
  5. Check device integrity if prompts persist after resets: how to detect spyware.

If you are locked out

Use official recovery flows and keep communications on official domains. If you need a step-by-step recovery playbook, use how to recover a hacked Instagram account, then harden the account with how to secure your Instagram account.

Prevent repeat attempts

Copyright scams keep working because they create fear of losing access. Remove the attacker’s advantage.

  • Use unique passwords and keep your email control plane locked down.
  • Keep 2FA enabled on Instagram and on the email account that resets it.
  • Adopt one rule: never log in from links in messages. Navigate to Instagram directly.
  • Improve pattern recognition: phishing and how to identify scam emails.

These scams become less dangerous when you treat enforcement-themed messages as untrusted until confirmed in-app, and when the account is protected by strong authentication and a secured inbox. The stable endpoint is simple: verification happens inside the product, recovery channels are under your control, and no click can become a login. Once that is true, the attacker’s best lever is gone.