"Free Steam game" scams on TikTok are Among Us

Phishers target TikTok influencers with verification promises and copyright threats

Influencers on TikTok are feeling the pinch of scams and phishing thanks to targeted campaigns hungry for fresh logins.

The phishing campaigns make use of much older tactics seen across multiple platforms down the years. It’s a one-two combo of “Do this quickly, or else something bad will happen”, combined with the the lure of increased social status for someone’s social media accounts. Shall we take a look?

“Support – copyright” mails go for the panic approach

People don’t want to lose their account due to accidental (or even deliberate) copyright infringement. Social media has a weird knife-edge of appearing to be a free for all, while routinely dinging accounts for copyright. Most platforms operate a sort of “three strikes and you’re out” policy. In this case, the scammers (who include a special kind of phishing link in the mail – more on this later) don’t waste any time:

Hi dear user,

Your account violates our copyright. Your account will be deleted from copyright within 48 hours, will not be re-entered if you think this is an error and you do not want your account deleted please reply to this email with “Confirm my account”. Copyright is very important to us. If necessary actions are not taken from our connection, you will be removed from our servers within 48 hours. Please do not change your password while your account is being examined.

There’s a veritable word salad bulging out of every other sentence. I’ve highlighted the important part in bold. They don’t want victims changing logins until they’ve taken full control of the account. This is a well worn tactic in 419 style scams, where the perpetrator warns the victim that whatever they’ve promised them will take a few days to happen. Definitely don’t tell anyone, or change details, or do anything else. They claim they’re taking care of it behind the scenes. In reality, they’re just stealing the account safe in the knowledge the victim is busy doing nothing to prevent this happening.

Verification woes

Getting a verification stamp on your social media profile is seen as a “special” form of status. We’ve seen years of scams along these lines for Twitter, where the promise of getting a checkmark results in account theft or even monetary loss.

It’s much the same thing here:

Hi dear user,

The account caught our attention and we examined the account. We saw that he shared his own original content. We offer the right to receive a verified badge for your account.

To get a verified badge for your account, you must identify that you are the real owner of the account. We will give you a form to verify that you are the true owner of the account.

To receive the verification form for your account, reply to this email by typing “verify my account”.

This is even more of a word salad than the original mail, but people still fall for it. You’re probably wondering what the “special kind of phishing link in the mail” is all about, right? Well, I’m glad you asked…

The special kind of phishing link in the mail

Scams like this typically send you to a phishing page. It might be well designed, it could be a mess, but a phishing page you shall have.

Not this one, however. They’re trying something a little fresher.

Scammers are wising up to the fact that folks may be using additional forms of authentication to protect their accounts. An easy way for them to combat this is to direct victims to WhatsApp chat rooms instead. From there, they can start asking for phone numbers, email addresses and (importantly) the 6 digit 2FA code sent to the mobile.

While the victim waits in chat, the scammers are busy punching in the login and 2FA code to hijack their account in real time. At the moment, it seems nobody knows for sure if the idea here is eventual extortion, a bit of “fun” trolling, selling the accounts on, or something else altogether. But whether your account is geared towards influencing or you just use TikTok for fun, it pays to lock things down and make use of TikTok’s security settings.

TikTok users are popular targets for people up to no good. You don’t want the hassle of trying to recover stolen accounts via customer support, especially as many organisations continue to be impacted thanks to the pandemic. Be cautious, have fun, and keep those accounts free from harm.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.