Every month, a couple accounts contact me on Instagram, say they work for the platform, and threaten to delete my handle unless I click on bogus URLs designed to collect my personal information. As far as I can tell, they’re after one thing: My blue check mark.
I’m decidedly not famous, but I have a verified Instagram account thanks to a previous job. (I ran the company Instagram, among other things.) Scammers often send me sketchy messages saying my profile has violated copyright law and will be removed in 24 hours if I don’t fill out a form. I could safely ignore the scam, and I often report it to Instagram. But lately, I’ve decided to message the tricksters back to see what I can learn about the grift.
Let’s make one thing clear before we continue: Instagram does not DM users if their posts are found in violation of the company’s policies, including copyright. The offending post would instead simply be removed, and you’d receive a notification about this action, which you could then appeal.
The hustle I’m experiencing is an example of a phishing scheme, a common con used to trick people into sharing private information. This new Instagram strain has an added element that increases its potency: These messages can come from verified handles, which makes them look more legit.
In other words, for scammers, blue check marks can beget more blue check marks. Users are tricked into trusting the hijacked accounts, hand their information over, and get taken over themselves. Though the criteria and process around attaining Instagram verification and the resulting “blue check” badge in the first place are opaque, the designation is desirable, and functions as a badge of authenticity.
Last year, several news outlets and social media posts reported that verified accounts for actors, soft drinks, and regional handles for brands like The North Face were being compromised and flipped into spam bots. OneZero found examples of scammers using yoinked blue-check handles from NFL players, banks, and an account affiliated with the Turin International Book Fair.
New York Giants and current CFL player Reggie White Jr.’s verified account was compromised in 2020. In an Instagram DM from his new account, he told OneZero that he was tricked with the “exact” same scam that his hacked account was now sending around.
Over the past six months, I’ve responded to a dozen or so of these scammers, and I’ve gleaned some new details about the method, which one phisher says “too many” people to count fall for, and another says he uses to ransom popular accounts.
The opening script the grifters use varies slightly, but sticks to a pretty clear ask — fill out a form on a website with your email and password, otherwise your account will be deleted within a window of time. In one version, the initial text made it clear verified accounts were being targeted in particular, reading that “Your blue badge Instagram account has been reviewed as spam by our Instagram team.”
Of course, ironically, the only way these people will be able to do anything to your account is if you give them the information they’re asking for. In all of these cases, the site linked in the DM looks vaguely legit, featuring Facebook or Instagram’s logo and corporate-looking graphic design. But a check of the URL made clear it did not belong to the official Instagram or Facebook support websites.
So, here’s my simple method to get some additional info on the con, and generally waste the trickster’s time. In my conversations with the scammers, I first confirmed the deadline time they said my account would be deleted. After the time passed, I messaged them from my very much still existing account to call their bluff.
At that point, some delayed, changing the deadline again. Others stopped responding, or stuck with the scam as I continued to circle back. To stop my pestering, one even said that my account now “complies with the policy violation” and there was no longer any need to fill out the form.
However, several accounts eventually admitted that the whole thing was a trick — and then offered to buy my account instead. One sock puppet offered to pay $1,000 for my handle, or trade it for a different account with 200,000 followers, which was likely just a different approach to scam me.
Another sent me screenshots showing apparently hacked accounts with tens to hundreds of thousands of followers, offering me a trade for one of them. He said that, for him, there was “no risk of getting caught” and said he gives people back their accounts “for a fee” of $300 to $400.
Though several screenshots sent from the scammers showed the Turkish language, and some said they were from Turkey, it’s unclear how many of these messages were from the same person, or how these phishers were coordinating.
On Twitter, malware researchers have also identified the trend, noting the Turkish language being used.
Digital security researcher Alan Neilan told OneZero he’s found Instagram phish pages by combing through certificate transparency logs for shifty domains — sites that look like they’re doing one thing, but are really doing another. For instance, he and others have found pages that look like Instagram support sites, but really feed info elsewhere.
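The hunting technique Neilan describes can be sketched in a few lines. The following is an added example, not code from Neilan or from OneZero: it takes a handful of constructed certificate transparency entries (shaped roughly like the JSON rows crt.sh returns, with a `name_value` field holding the certificate's hostnames), normalizes common look-alike spellings, and flags hostnames that borrow a brand name outside the apex domains the brand actually owns. The hostnames, the brand list and the keyword heuristics are all assumptions made for illustration.

```python
"""Flag brand-impersonating hostnames in certificate transparency (CT) log entries.

Added example: the CT rows below are constructed, and the heuristics are
illustrative assumptions, not a vetted detection rule set.
"""

import re

# Constructed sample rows, shaped like crt.sh JSON output (only the fields used
# here). Every hostname under .example is made up for this demonstration.
SAMPLE_CT_ENTRIES = [
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "instagram-support-verification.example\n"
                   "www.instagram-support-verification.example"},
    {"issuer_name": "C=US, O=DigiCert Inc",
     "name_value": "*.instagram.com\ninstagram.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "lnstagram-help.example"},            # leading 'l' instead of 'i'
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "copyright-appeal-instagrarn.example"},  # 'rn' standing in for 'm'
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "blog.unrelated.example"},
]

# Apex domains the brand actually controls (assumed list); anything else that
# looks like the brand is a candidate phish page.
LEGIT_APEXES = {"instagram.com", "facebook.com", "fb.com"}
BRAND_KEYWORDS = ("instagram", "facebook")

# Single characters and digraphs commonly swapped in to mimic a brand name.
HOMOGLYPHS = str.maketrans({"1": "i", "l": "i", "0": "o", "3": "e", "5": "s", "4": "a"})
DIGRAPHS = (("rn", "m"), ("vv", "w"), ("cl", "d"))

# Wording that phish pages pair with the brand name to pressure the victim.
PRESSURE_WORDS = re.compile(r"(support|help|verif|copyright|appeal|badge|spam)")


def normalize(host):
    """Collapse look-alike substitutions so 'lnstagrarn' compares equal to 'instagram'."""
    h = host.lower().translate(HOMOGLYPHS)
    for src, dst in DIGRAPHS:
        h = h.replace(src, dst)
    return h


def apex_of(host):
    """Return the registrable-looking apex (last two labels) of a hostname."""
    parts = host.lower().lstrip("*.").split(".")
    return ".".join(parts[-2:])


def extract_hostnames(entries):
    """Pull every hostname out of the newline-separated name_value fields."""
    names = set()
    for entry in entries:
        for name in entry["name_value"].split("\n"):
            if name.strip():
                names.add(name.strip().lower())
    return names


def classify(host):
    """Return the reasons a hostname looks like brand impersonation (empty if clean)."""
    if apex_of(host) in LEGIT_APEXES:
        return []
    norm = normalize(host)
    reasons = []
    for kw in BRAND_KEYWORDS:
        if kw in host:
            reasons.append(f"contains brand keyword '{kw}' outside a brand-owned apex")
        elif kw in norm:
            reasons.append(f"look-alike spelling of '{kw}' after homoglyph normalization")
    if reasons and PRESSURE_WORDS.search(host):
        reasons.append("pairs the brand name with support/enforcement wording")
    return reasons


def hunt(entries):
    """Map each suspicious hostname found in the CT entries to its reasons."""
    findings = {}
    for host in sorted(extract_hostnames(entries)):
        reasons = classify(host)
        if reasons:
            findings[host] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in hunt(SAMPLE_CT_ENTRIES).items():
        print(host)
        for reason in reasons:
            print("  -", reason)
```

Run against the constructed rows, the two legitimate `instagram.com` names pass, the unrelated blog passes, and the four impersonating names are reported with the reason each tripped. In practice the rows would come from a live CT feed and the legitimate apex list from the brand's own inventory; the normalization step is what catches the `l`-for-`i` and `rn`-for-`m` swaps a plain keyword match misses.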
What’s not yet entirely clear is how scammers are finding the accounts they target in the first place, and what the end goal of this whole racket is. Besides sending more spam or ransoming profiles back to their original owners, hackers could potentially sell a verified account on forums like OGUsers, or simply keep the handles for themselves.
I also wasn’t immediately sure how to deal with these frauds once they stopped talking to me. At first, I reported these accounts for impersonation. However, each time I received a notification that the account I flagged wasn’t found to be violating any of Instagram’s policies. Some of these handles appear to have been suspended or deactivated in the weeks and months following our contact anyway, but others, like Reggie White Jr.’s, are still active and verified, apparently free to continue scamming.
In an interview with OneZero, a spokesperson for Instagram said the best way to alert the platform to a hacked account is to report the account, or specific message, for spam. The rep also emphasized the importance of turning on two-factor authentication to add another layer of security to your profile and reiterated that the company never DMs users about copyright complaints.
Neilan says that solving the problem might be “more so up to the domain registrars and hosting providers to do their part to combat this stuff.” While Instagram can play whack-a-mole when it receives reports, he says companies that manage the reservation of internet domain names could do more to ensure tricksy sites aren’t getting approved in the first place.
“Like, if someone is trying to register a domain that looks sketchy, maybe have an actual person look it over.”
So, to close: When you’re out in the Instagram ether, remember these three things:
1. Just because an account is verified doesn’t mean you should trust it.
2. Instagram employees will never DM you about copyright claims.
3. No one is getting out of this world alive.