It all started innocently enough. I received a message in my YouTube account inbox from someone on YouTube who referenced a video that I had uploaded of geese walking down the road in front of our house.
The individual told me that they represented a company in the UK that had just landed a contract with the Discovery Channel to produce a series about animal breakouts and that they wanted to use this clip as part of the show. They were willing to pay $50 for a non-exclusive use of the video but despite being unable to guarantee the video clip would be used they would still pay the $50. The message went on to say that if they did not hear from us they would assume we had no problem with them using the clip, payment or not, and that they would move forward with their production.
I responded back curious about the offer but in the back of my mind I also wondered if this might be a phishing attempt. Prior to my response I did do some research on the info the individual had provided in their email and found a couple red flags:
- I went looking for a website based on the company name the individual used in their initial email. When I tried to access the site the first thing that came up was a warning that there was a problem with the site’s security certificate. The problem was that it was issued for an entirely different domain than the one I was visiting for the production company. On top of that there was no website behind that warning – it was an admin page to set the site up on Parallels, which is a desktop virtualization, hosting and cloud services company. It was also trying to use port 19638 in the address for some reason.
- I went to the YouTube page for the user who sent me the email to see what types of videos the company already had collected together or posted. It was blank. No videos, no user data or avatar. There was an indication that the last time it was used or accessed was October 2011 but that was it.
So with these red flags raised I decided to write back and see what info they wanted from me to move forward. The response came back in a very short period of time.
They only had a couple of pieces of info they needed:
- A PayPal address to send the payment
- A signed release form
- A regular email address so they could send the form
I responded back with a generic email address and said we could sort out the PayPal address once the release was signed, etc. Their reply came back very quickly to say they had sent the form and then asked if I had a Hotmail address or a similar one.
I wrote back and asked why that was needed; the reply was “It’s just so I can send over the paperwork.” That was slightly confusing as the previous reply had indicated they sent the form to the generic email address I provided. I considered this another red flag to get an additional email address for some reason. They asked me to sign the form and send it back as soon as I could.
Now this next step I do not recommend you do at home – I did this in a very controlled environment – but I opened up the Word document they sent as a release form to see what info they were requesting. Here is what they asked me for:
- Full name
- Phone Number
- Fax Number
Now any one of these pieces of info on its own is fairly innocuous; however, all put together they might allow someone to use them to access accounts through some type of social engineering, including scanning the signature.
So at this point I was convinced, based on all the red flags that had been raised, that this was not a straightforward attempt to legally use the clip.
I wrote them back one last time and expressed my concerns and stated that I would not be filling out the form. I informed them I had changed the usage rights on the clip to Creative Commons and that if they wanted to use it under that all they had to do was provide proper attribution – no $50 payment required.
Funny – it has been two days now and not one reply to my final email – no thank you for your consideration, permission, etc. After having a flurry of replies back and forth over the course of one day I think if this had been a legitimate effort to license the clip then there would have been a quick reply to say thanks, etc.
Now this may not have been any attempt to phish information from me but with all these red flags, genuine or not, you must opt to not divulge a lot of personal information in a situation like this.
Better safe than sorry is a great motto when it comes to these situations.
So, have you ever seen anything like this before? Let’s talk about it in the comments.