Thomas Tornevall The Artist

A bit serious Everything Moral Collapses Social media/Forums

Fake legal notices sent via Gmail impersonating law firms (including Cravath, Swaine & Moore LLP)

by
25 August 2025

On the morning of August 25th, I noticed an email that initially slipped past filters and remained in my inbox – it had already been flagged and moved to the spam folder, but on the webmail server it was only marked as deleted. The message claimed to originate from the U.S. law firm Cravath, Swaine & Moore LLP, supposedly acting on behalf of Universal Music Group in a copyright case. In reality, the sender address was a random Gmail account.

This is the classic red flag: a high‑profile law firm does not send legal notices from free email services. Cravath is indeed a legitimate international law firm, but any official communication would come from their own domain (@cravath.com), not from [email protected].

As a musician, I tend to be extra vigilant with certain types of messages – especially those mentioning copyright or infringement. I frequently deal with licensing requests for works I release myself, so I am familiar with what legitimate claims look like. In fact, I recently received a genuine copyright notice regarding an image I had apparently not used correctly. The settlement amount there was reasonable – around 3000 SEK (or approximately $315) – and nothing like the inflated figures scammers throw around. Most genuine copyright enforcement outfits are relatively straightforward to deal with, with the exception of aggressive lobbyist-driven actors. These lobbying groups often blur the line between genuine rights protection and predatory tactics, making them far harder to trust compared to the professional rights holders and agencies that handle matters fairly.

This is a scam campaign masquerading as a legal takedown notice. Do not click any links, do not log in through their redirects, and do not respond. Mark it as phishing in your email client and delete it. If in doubt, verify directly with the law firm via their official website, never through contact details in the suspicious email.

The content of the email

The email was titled Final Legal Notice Prior to International Litigation – Copyright Violation. It referred to Lewis Capaldi’s track “Someone You Loved”, ISRC GBUM71905951, claiming that 45 seconds of the recording had been used without permission in a Facebook video. It threatened statutory damages of up to $50,000, DMCA takedown requests, and litigation in the U.S. District Court for the Southern District of New York if the content was not removed within 72 hours.

Attached below is a portion of the email header, clearly exposing the fraudulent source:

Return-Path: <[email protected]>
From: "Cravath, Swaine & Moore LLP" <[email protected]>
Received: from mail-yb1-xb4e.google.com (IPv6:2607:f8b0:4864:20::b4e)
Authentication-Results: dkim=pass header.d=gmail.com

No trace of Cravath’s own domain. The DKIM shows Gmail signed the message – meaning it originated directly from Google’s infrastructure, not from any corporate mail system.

Why this is a scam

  • Sender mismatch: Real law firms use their own domains. Gmail/Yahoo/Hotmail are immediate red flags.
  • Copy‑pasted template: The same wording and even the same bogus Facebook link segment (R33FameTQPSeGrrlAK7/1061735...) appear in multiple reports.
  • Overblown legal threats: U.S. copyright law does not use $50,000 as a statutory damages cap; the numbers in the email are fabricated.
  • Phishing link: The provided t.ly short link leads through Cloudflare challenges but does not resolve to any legitimate Facebook content. It is designed to trick users into logging in and handing over credentials. Also, the link to t.ly currently gives a 403 Permission Denied, so it has been removed by the authors of t.ly.

Community reports

This is not an isolated incident. Users on Reddit have been reporting identical emails since spring 2025, always referencing the same Capaldi track, the same timing marker (0:15), and the same fake legal representation. See the active discussion here: Reddit – r/COPYRIGHT

Several recipients confirmed with Cravath directly that these emails are fraudulent. The firm itself has issued acknowledgements that they do not send notices of this nature via Gmail.

Mail server stuff

Running the headers through SpamAssassin triggered hits such as LOTS_OF_MONEY, RCVD_IN_S5HBL, and URI_FIREBASEAPP, all consistent with phishing attempts. The URLs were already blocked by t.co and flagged by browsers as suspicious.

I maintain a Swedish DNSBL/blacklist and will investigate whether the sending hosts can be listed. The complication is that since the distribution leverages Gmail, broad blacklisting could impact legitimate traffic as well – meaning it must be handled with caution and precision.

Discover more from Thomas Tornevall The Artist

Subscribe to get the latest posts sent to your email.

Tornevall

- Stories from Reality - Musician | Bedroom DJ | Tug of War | Photographer | DevOps Thomas blends a passion for music, photography, and technology. With a background in 1990s dance music, his journey evolved from early experiments with FastTracker 2 to becoming a DJ and competitor in tug of war. His creative output includes documenting tug of war competitions across Sweden, while also working as a systems developer focusing on WordPress and e-commerce platforms.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

You may also like

1
Classics Everything Film & Photo Recorded (Cam/Audio)

Utslitna tangentbord

Tangentbord verkar vara något som slits ut hos mig extra ofta. Det brukar inte vara någon fara med, jag byter dom bara när dom inte går att använda längre. Ett tangentbord, i något lyxigare form, lyckades dock överträffa maxnivån på...

3 February 2013

Visitors

  • 22,446 hits