Instagram story spam claims free Apple Watch

Instagram story spam claims free Apple Watch

I have to admit, I’m not 100 percent sure who Elton Castee is. “Who’s that?” you ask? Digging around revealed that he’s big on YouTube, has done some films, and raises money for dogs, which is very cool. He’s also popular on Instagram, with 400k+ followers. With that in mind, we’ve seen a few reports of his account being compromised (and by “few”, I mean “absolutely loads”), and decided to check it out.

insta hacked

Click to enlarge

A phony phone giveaway

Visiting on the web while not logged in reveals the most recent post looks a little different from the other selfies:

insta wassup

Click to enlarge

A single white text on black background, which reads as follows:

Wassup guys! I am giving away 100 free iPhone X’s and Apple watches on my IG Story! Claim them before it’s too late. Love you guys (emoji heart thing)

Visiting the Instagram app while logged in immediately takes you to an Instagram Story. If you’re not familiar with an Instagram story, it’s a rotating set of images/video that you swipe through one after the other.

stories pic 1

Click to enlarge

stories pic 2

Click to enlarge

Swiping up on any of the images redirects you to the below Apple Watch giveaway website, located at:


Click to enlarge

Please choose which Apple watch you would like to receive 

Once you’ve selected your preferred watch (in this case, some sort of neon yellow thing with a sport band), you’re asked to click “Confirm” and move to the next stage.

pick a watch

Click to enlarge

We’re now faced with a series of text boxes so the personal information data input games can begin.

Click to enlarge

Full name, email, street, city, zip code, and country are all requested on this page. Take note of the very specific wording:

Thank you for completing the offer. We now require your address in order for us to send you the item.

There’s nothing ambiguous there, right? Give address, receive item. And yet…


Click to enlarge

Wait, “locating?” I thought you already had my watch? Why are we trying to locate one? I already gave you all that juicy personal information! What happens if there’s no stock?

are you human

Click to enlarge

Oh, phew, it’s available. But…now I have to confirm I’m a human and not a bot, so they can “prevent spam,” because apparently bots have a thing for filling in their personal information and having neon sports watches delivered to their home addresses. If I know my Internet antics, this is surely going to end with a pile of surveys to choose from:

last step

Click to enlarge

Hooray, a pile of surveys to choose from!

In practical terms, what this means is you’ve already handed over a bunch of personal information to goodness knows who, and now you’re being asked to do the exact same thing for a third-party entity of your choice. Quizzical eyebrows were raised at the text, which states:

This page will unlock and ask for your shipping address

Because I’m almost certain we already did that a few pages back.

I suppose you could pick the iPhone X competition and complement the watch, which is surely going to arrive at some point, but from experience, we’d advise you to steer well clear of too-good-to-be-true freebie offers such as these.

Instagram lockdown

There are, of course, things you can do to help keep your Instagram account safe from harm. It’s possible there are additional security measures in place for a verified account, and we don’t know what’s happened in this case to allow spam to be posted, but some general tips for protecting your Instagram are always a good thing.

A strong, unique password, a password manager (if that’s your thing), a locked down email account tied to your Instagram, logging out if at a public terminal (or your own device, if you want to be super sure), and enabling two factor authentication are all great things to set in motion.

Any social media account doing big numbers is always a prime draw for scammers—from Myspace to Facebook and Tumblr to Twitter, swiping just one big name can result in spam, clicks, and even possibly malware galore for the fanbase. Hopefully Elton will regain access to his account shortly, but for now, try to avoid winding up in a similar situation to Elton, Alicia Keys, or anyone else struck down by a bout of spammy antics. Your followers will thank you for it.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.