Skip to main content

Instagram scams and how they work

The Instagram app on an iPhone screen
(Image credit: Pixabay)

Instagram, the social media giant with more than a billion active users, couldn’t possibly stay on the sidelines of cybercriminal activities. Malefactors are constantly perpetrating scams that zero in on Instagrammers’ sensitive data, or promote dubious web services hosting potentially harmful or offensive content. 

Moreover, these stratagems are becoming increasingly crafty and evasive. In this article, I’ll take a dive into the common frauds circulating in the Instagram environment, and how cybersecurity (opens in new tab) can prevent them.

Adult services promoted in a multi-pronged spam campaign

Bots pushing NSFW services on Instagram are nothing new. They have been around for years, hoodwinking users to click dodgy links that lead to embarrassing materials. The crooks’ motivation is to monetise the ill-gotten traffic – the more leads the more money. 

To its credit, the social network has made its automated detection mechanisms effective enough to kick most of these hoaxes away. In response, malicious actors have refined their modus operandi to slip under the radar of the growingly intelligent security practices.

In a recent campaign, the spammers are leveraging a multitude of ostensibly benign-looking accounts to orchestrate the fraud in several steps without raising red flags. The scam starts with such an intermediary account following a large number of regular Instagram users. 

The bio in the bot’s profile gives people some clues on what kind of content it offers, but the text contains extra spaces and periods so that the network’s anti-fraud tools don’t identify any signs of inappropriate activity easily.

Another evasion trick is that these accounts don’t contain links to external adult resources proper, and yet they lure the users to go to other Instagram accounts that push porn in a more explicit way. In particular, they include a non-obfuscated phrase about the true nature of the promoted content and provide a Bitly-shortened link to a target internet resource.

Some of the linked-to accounts don’t look so straightforwardly sketchy, though. They may have up to three garden-variety photos suggesting no sexual implications whatsoever. The descriptions underneath these images are snippets from well-known novels by Alexander Dumas or George R. R. Martin, which is why researchers dubbed these profiles the “Novel bot accounts”. 

Although they provide no links in the profile information, the users will be enticed to visit an adult site once they start a private conversation with the bot. Some porn bots join large Instagram groups and create chats with provocative themes or encourage people to complete sex-related surveys. 

This way, the threat actors try to dupe users into clicking a link to an adult dating website. To add an extra layer of trustworthiness, the spammers may forge a “Leaving Instagram” page that wrongfully flags the destination site as a safe one. Interestingly, non-mobile users are forwarded to harmless pages containing no adult materials. This could be a trick to prevent an in-depth analysis of the campaign on computers.

“The Nasty List” phishing wave

One more ruse targeting Instagram users is a toxic combo of social engineering and hacking. Its operators are spamming would-be victims with messages saying that they ended up on what’s called “The Nasty List”. 

These messages capture the recipients’ attention due to phrases like “Wow you are really on here, ranked 20, this is horrible!” The wording varies, but the idea is the same – to get users curious and nervous about private photos or videos of them allegedly getting publicity.

In case the targeted person falls for the trick and clicks the embedded link for details, they are forwarded to another user’s profile named “the_nasty_list_88” or similar. The description in it contains a link that supposedly leads to the mysterious list. In fact, though, the landing site is a phony Instagram login page. 

Although it has an authentic design and logo, the URL has nothing to do with the social network. Some people may overlook the totally wrong address and enter their username and password, only to expose the account credentials to the scammers.

Once the attackers have the access details, they take over the account and send “The Nasty List” messages to all of the victim’s followers. This way, the hoax goes on and more people’s accounts get compromised. Those who got on the hackers’ hook and can still log into their account should immediately check whether or not the contact information has been modified. After ascertaining that it’s valid, the next important step is to change the password.

Shady Android apps pilfering Instagram credentials

Getting more followers on Instagram is on many users’ wish list. However, a rule of thumb is to exercise caution with the ways of achieving this coveted goal. Security analysts spotted about a dozen apps on the Google Play Store that claimed to boost the audience of one’s followers. It turned out, though, that this promise was nothing but a red herring that distracted the victims from a credentials theft attempt.

According to researchers’ findings, the impostor apps were most likely developed by a Turkish coder, with most of them being intended for Turkish-speaking audience. The unscrupulous author was able to bypass Google’s security checks and uploaded his contrivances to the official Android software marketplace. The catch was that the apps were advertised as a quick and easy way to get a large number of Instagram followers.

Once unsuspecting users installed these apps, they would see a copycat Instagram sign-in screen. The credentials entered in it were instantly submitted to the attacker in plaintext. Every login attempt would be accompanied by an error saying that the authentication was unsuccessful. At the end of the day, the users would be asked to log in from the official Instagram site and complete the app authorisation from there. By that time, however, the hacker had already accessed the account.

Security experts claim the objective of this account takeover was to sell Instagram likes and drive new followers for interested parties. Fortunately, all of these apps were eliminated from the Play Store shortly after their shenanigans were reported to Google.

Scammers offering a bogus verification service

Verified Instagrammers enjoy special perks, including extra visibility on the social network and hence opportunities to earn from cooperation with advertisers. It comes as no surprise that lots of people badly want this status. Con artists, in their turn, take advantage of this whole hype to defraud users of their money.

In one of such campaigns currently doing the rounds, light-fingered individuals are contacting celebrities and other influencers with a very unusual deal. They are offering an Instagram verification service for a fee. The amount is $450 if the payment is made with Amazon gift cards, and a $150 discount takes effect if the user chooses to send the funds in cryptocurrency. 

The reason why the scammers prefer these particular payment channels is because such transactions cannot be reversed due to fraud reports or similar complaints. Although the crooks claim the paid verification takes up to one hour, the targets end up losing their money and never get their badge. 

A particularly alarming thing about this ploy is that the fraudsters themselves are verified Instagram users. Analysts argue that these accounts may have been hacked, and the messages are being furtively sent on behalf of trusted members of the community.

The takeaway from the story is that you cannot buy Instagram verification. You have to earn it. If someone is offering such a service, don’t engage in any interaction with the criminal and be sure to report the hoax to the social network.


Instagram’s automated fraud detection systems are undoubtedly effective, but they cannot possibly fend off all the scams. Why? Because there is a human factor that might play into the wrongdoers’ hands as long as they pull the right strings. If you receive an offer that looks too good to be true, ignore it. 

Here are a few more tips to stay safe on Instagram: use a strong password for your account, enable 2FA, avoid oversharing, learn to identify phishing attempts, and don’t click suspicious links sent by strangers.

Further reading on social media and cybersecurity

Instagram users have previously seen Facebook store millions of Instagram passwords in plain text on its servers (opens in new tab), while email fraud has hit financial businesses (opens in new tab). In this vein, it's easy to see why fraud detection needs a reboot (opens in new tab).

If you feel like getting rid of this social network, learn how to delete an Instagram account (opens in new tab); and discover how even enterprises are being targeted by cybercriminals over social media (opens in new tab). We've also outlined how to mitigate the threat from social media cybercrime (opens in new tab); how hackers use social media to profile targets (opens in new tab); and why social media matters more than ever in the SaaS world (opens in new tab).

James Herrin, CEO VPN Review.