Hands holding a phone displaying Instagram

Phishers use verified status as bait for Instagram users

Another Instagram phish is doing the rounds, and will appeal to a wide variety of platform users. Bleeping Computer reports that verified status is once again being dangled as bait.

The “importance” of being verified

Being verified gives the impression of status, or importance, on social media platforms. Often, verification is more about simply confirming that someone is in fact who they claim to be. There are many verified accounts out there for people you’ll not have heard of, and that’s perfectly fine. At the other end of the scale, it is definitely an additional status symbol for people who care about such things. It’s also very handy where confirming that high profile accounts are in fact the real deal.

Scammers know this, and bank on it on a daily basis. Indeed, a whole sub-industry of fake verification services exists to part people from their money (and, potentially, accounts).

It’s not just the scams on the platform itself you have to be wary of. It’s the messages bouncing around off-platform too.

The phish in motion

No fewer than 1,000 phishing messages per day were sent in this particular campaign, peaking at the end of July and early August. The mails, branded to resemble official Instagram / Facebook missives, read as follows:

Your Instagram account has been reviewed by us and has been deemed eligible for a blue badge. To get your blue badge, please click the badge form button below and fill the form carefully. Make sure you fill out the form correctly and completely. Otherwise, your account will not be verified. If you ignore this message, the form will be permanently deleted within 48 hours.

An interesting scam combo, here. The usual splash of time-related pressure to get something done “or else”. Add to this the suggestion that the hard part, actually getting verified in the first place, is all but done. All you have to do is click a button and essentially say “yes please”.

Sounds great. Sounds too good to be true. (Because it is.)

You won’t get something for nothing

The bogus website, adorned with several Facebook-centric logos, asks for username, password, email, and phone number. Anyone filling out the form and hitting submit is going to be very disappointed. The only winner here is the scammer, who now has everything they need to steal the victim’s Instagram account.

As highlighted by Instagram, notability—”Your account must represent a well-known, highly searched for person, brand or entity”—is a seemingly non-negotiable part of the verification deal. You won’t grab verification, no matter how many promises those dubious verification services make. 

If you’ve fallen for this, go and change your login details while there’s still time. Consider enabling Instagram’s two-factor authentication. You may be able to gain verification on other social media platforms even without what is considered to be a “notable” profile. As far as Instagram is concerned though, you’re just going to have to ignore those tempting email invitations.

ABOUT THE AUTHOR

Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.