Beware promises of blue check marks.
Phishers are using Instagram’s coveted blue check mark to convince people to share their data.
An email security provider called Vade reports that phishers have been sending Instagram users messages claiming they can be verified on the service if they fill out a form within 48 hours. This form asks users to share their names as well as the username, phone number, and email address associated with their account before prompting them for their passwords as well.
“The body text explains that the victim’s Instagram profile has been reviewed and deemed eligible for verification,” Vade says. “The Instagram and Facebook logos at the header and footer of the email attempt to create an air of legitimacy, as does the use of the victim’s actual Instagram handle, showing the hackers researched their target before the attack.”
Vade says the message appears to be sent from an email account called “ig-badges” and is accompanied by a subject line that simply reads “ig bluebadge info.” The company also notes that the scammers make grammatical mistakes throughout the initial message as well as the malicious form itself—both of which are common indicators that something is phishy.
These warning signs are easy to overlook, however, especially when the scammers target Instagram users who would like to be verified and fear they’ll lose their chance if they don’t fill out the form within 48 hours. Even people who know how these attacks are typically carried out can find themselves being reeled in by phishers if they’re confronted with the appropriate lure.
“Many people prize the Instagram blue badge for the social status it conveys, which may cloud their judgement [sic] when presented with the opportunity to obtain it,” Vade says. “Social verification also remains a mysterious and misunderstood process, known only to the social platforms that control it. This makes victims more likely to trust emails and websites developed by malicious third parties.”
The company says it started to notice signs of these attacks on July 22. On two occasions the attackers sent more than 1,000 emails per day, but the number of daily messages has decreased over time. Combine that with the scammers’ knowledge of the targets’ usernames and Vade believes this was a targeted campaign rather than a broader attack on Instagram users.
But it’s still worth remembering that Instagram doesn’t proactively ask users to go through the verification process, Vade says, and instead requires users to request to be verified themselves. (In other words: The blue check mark comes to those who ask.) Any email, text message, or other communication that asks for private data—especially passwords—should be considered suspect.