Phishers are using Instagram’s coveted blue tick to get people to share their data.
An email security provider called Vade reports that phishers have sent messages to Instagram users claiming that they can be verified on the service if they fill out a form within 48 hours. This form asks users to share their names, as well as the username, phone number, and email address associated with their account, before asking them for their passwords as well.
“The body of the text explains that the victim’s Instagram profile was reviewed and found suitable for verification,” says Vade. “The Instagram and Facebook logos in the header and footer of the email attempt to create an air of legitimacy, as does the use of the victim’s actual Instagram handle, showing that hackers have been researching their target before the attack.”
Vade says the message appears to have been sent from an email account called “ig-badge” and is accompanied by a subject line that simply reads “ig bluebadge info”. The company also notes that the scammers make grammatical errors throughout the initial message and in the malicious form itself, both of which are common indicators of phishing.
These warning signs are easy to ignore, however, especially when scammers target Instagram users who would like to be verified and fear they will miss out if they don’t fill out the form within 48 hours. Even people who know how these attacks are typically carried out can find themselves caught by phishers if they are faced with the appropriate bait.
“Many people like Instagram’s blue badge for the social status it conveys, which could cloud their judgment [sic] when the opportunity to obtain it is presented,” says Vade. “Even social verification remains a mysterious and misunderstood process known only to the social platforms that control it. This makes victims more likely to trust emails and websites developed by malicious third parties.”
The company says it started noticing signs of these attacks on July 22. On two occasions, attackers sent more than 1,000 emails a day, but the number of daily messages decreased over time. Combine this with the scammers’ knowledge of target usernames, and Vade believes this was a targeted campaign rather than a broader attack on Instagram users.
But it’s still worth remembering that Instagram doesn’t proactively ask users to go through the verification process, says Vade, and instead requires users to request verification themselves. (In other words: the blue tick comes to those who ask.) Any email, text message, or other communication that asks for private data, especially passwords, should be considered suspicious.