From cybercriminal evergreens like phishing to the verification badge scam we look at the most common tactics fraudsters use to trick their victims.
Instagram is one of the most popular social media platforms. Indeed, with over one billion monthly active users it is among the top four most popular social media networks in the world. That figure, representing potential targets, is bound to attract cybercriminals like bees to honey.
In this article, we look at an overview of the most common scams that you will probably encounter while you’re perusing your feed and connecting with other users through direct messages.
If we were to use a relatively small hyperbole to describe phishing scams, we could say that they are as old as the internet itself, and it’s a type of scam cybercriminals like to return to and reuse time and time again. Simply put, the ultimate goal is to dupe you out of your personal information and access credentials, and then proceed to use them in various illicit activities – identity fraud or sell them on marketplaces found in the internet’s seedy underbelly.
Figure 1. Legitimate (L) versus fake (R) Instagram login page
Common strategies include evoking a sense of urgency, by sending out fraudulent emails claiming that someone unauthorized may have logged into your account. The email usually includes a fake password reset link that, once clicked, will navigate you to a faux Instagram login page which will harvest your credentials and allow the scammers access to your account. Alternatively, the fraudsters may imply that you are in trouble due to copyright infringement and that you must set the record straight, by clicking on a link and filling out a form. However, if you do that, you’ll be redirected to another faux login page. And they don’t tend to stick to emails, sometimes fraudsters will try to impersonate Instagram support and contact you through direct messages as well.
To avoid falling victim to these scams, watch out for telltale signs such as poor grammar, or the use of generic greetings instead of personalized ones. Another thing to look out for is the sender’s email address, if it isn’t associated with an official email address it most probably is a scam.
Attack of the clones
While browsing Instagram, in search of a celebrity or sports team account you’d like to follow, chances are that you’ve stumbled upon several doppelganger accounts. However, these clone attacks aren’t really limited to popular actors, singers, or athletes. Cybercriminals can as easily clone the accounts of regular Instagram users as well. They’ll then go on to impersonate the people in the accounts they cloned and try to reach out to their friends and followers.
From that point, the ruse is quite simple; the attackers will claim that legitimate account that they have cloned has been hacked, this is the new one and that “hackers” have cleaned out the account owner’s bank accounts, or claim that the account owners are in some other kind of monetary jam. With a bit of proper social engineering and luck, the main victims are scammed out of their hard-earned money in the belief that they are helping out a beloved friend or relative.
And if you think that this scam is hardly plausible and people couldn’t possibly fall for it, you’d be, unfortunately wrong. ESET Security Specialist Jake Moore carried out a successful experiment where he was able to prove the viability of the scam by cloning his own account. The quickest way to check whether you’re being contacted by a cloned account is to reach out to your friends through an alternative method like a phone call. To keep your own accounts safe, you should lock them down and keep them private, as well as be picky about who you allow to follow you.
The verification badge scam
Speaking of cloned accounts, another thing you need to watch out for are account verification scams, or verification badge scams if we want to be exact. In short, if you see a blue checkmark next to an account’s name be it a celebrity, influencer, or brand, it means it’s the real deal. “At its core, verification is a way for people to know that the notable accounts they are following or searching for are exactly who they say they are. It’s a way for people to know which accounts are authentic and notable,” reads Instagram’s description of their verification badges.
Being verified basically also means you have a large audience that follows you and you are influential to a certain extent within your community. This also opens up doors to various opportunities like monetizing your content through sponsorship deals with various brands that might offer you to showcase their products. And the desirability of that coveted badge is exactly what the fraudsters are betting on. The scam is relatively straightforward: the scammer will contact you, probably through a direct message offering to get you verified for a fee. However, if you pay up the only thing that will be verified is the fact that you became the victim of a scam.
While most people associate romance scams with dating applications, they can occur on social media like Instagram as well. These types of scams, however, require the scammer to play the long game and earn their potential victims’ trust.
This will usually involve a prolonged courtship, which will probably start with the attacker liking the victim’s posts, commenting on them, and eventually directly messaging them. Once the scammer believes they have the target wrapped around their finger, they will start asking for money to help them with a fake medical emergency or help them fund a flight to see their paramour. It is safe to say, that the money they receive will be squandered on other things rather than any visits.
The threat of romance scams shouldn’t be taken lightly, in 2020 reported losses from them reached a whopping US$304 million according to the US Federal Trade Commission, and that’s the just the cases that were reported and just in the US. Fortunately, there are several ways you can spot a faux lothario trying to romance you out of your money. If your would-be flame looks too good to be true perform a quick reverse search of their photos on Google images to find out if they’re really who they say they are. If they keep rescheduling or finding excuses to not meet, you should become suspicious and question them about their motives. Another telltale sign is if they try to dodge video calls, since it may reveal that they don’t look anything like their profile.
Beyond allowing users to follow acquaintances, celebrities, and influencers for their content, Instagram also allows brands to advertise their wares and even functions as a marketplace. Over time you might see more and more ads popping up offering products by supposedly new and upcoming fashion brands or others that are closing down and having a clearance sale.
However, not all of them can be taken at face value and some of them can turn out to be outright scams. That’s where your natural curiosity and vigilance come in. If you’ve never heard of the brand or the vendor, it doesn’t necessarily mean you’re dealing with a scam straight away; but it should inspire you to do your due diligence. Ads might be trying to sell you on high-quality products for rock-bottom prices; that should immediately raise an eyebrow at the very least. And if you do risk ordering something, you might not receive it at all, you might get a product of an inferior quality or you might get something you didn’t even order.
Perform a Google search, look for reviews about the vendors and the products they offer and see if anything comes up. It’s highly improbable that you’ll find anything directly on their site since they will be moderating it, but victims of scams will quickly share their experiences on relevant review websites and online forums. You might also want to keep an eye out for clearly fake reviews; these will likely be riddled with spelling mistakes and trying to contradict any negative reviews, and will probably describe the company and its products in superlatives.
Social media companies try to moderate their platforms and keep them as clean as possible, however, it remains difficult to crack down on fraudsters who are determined to trick victims out of both sensitive data and their money. On the bright side, you can spot most scams coming from a mile away if you just approach everything you see with a healthy dose of doubt and remain vigilant.
Therefore, the best piece of advice is the one that has been repeated many times over: don’t blindly trust and always verify. Be wary of unsolicited emails, if anything seems out of place investigate it and if something looks too good to be true it most probably is a scam.
written by Amer Owaida, ESET We Live Security