Chapter 1: Understanding the Scam

Each month, I receive messages on Instagram from various accounts claiming to represent the platform, threatening to terminate my handle unless I click on fraudulent links designed to steal my personal information. Their primary objective? My blue verification badge.

Although I’m not a celebrity, I do have a verified account due to a previous role managing the company’s Instagram. I frequently receive dubious messages asserting that my profile has breached copyright laws and will be deleted in 24 hours unless I submit a form. While it's easy to ignore these scams and report them to Instagram, I recently opted to engage with these scammers to uncover more about their tactics.

Before we proceed, let’s clarify: Instagram does not send direct messages to users regarding policy violations. Instead, if a post is found to be in breach, it is simply removed, and the user is notified, with an option to appeal the decision.

I’ve interacted with around a dozen of these scammers, and I've learned some valuable insights about their methods, which one scammer claimed "too many" people fall for. This phishing scheme represents a common con aimed at tricking individuals into divulging sensitive information. The latest iteration on Instagram is particularly effective, as these messages can originate from verified accounts, lending them an air of legitimacy.

In essence, for scammers, blue check marks serve as a gateway to more blue check marks. Users mistakenly trust these hijacked accounts, share their details, and subsequently fall victim to the same fate. The process to obtain Instagram verification and the coveted blue badge remains somewhat obscure, yet it is highly sought after and acts as a symbol of authenticity.

Last year, numerous media outlets highlighted incidents where verified accounts belonging to actors, brands, and even regional entities like The North Face were hijacked and turned into spam accounts. OneZero even documented examples of scammers seizing verified accounts from NFL players and financial institutions.

The first video titled "INSTAGRAM VERIFICATION SCAM (Honest Guide)" delves into the tactics used by these fraudsters, revealing insights on how they operate and tips on safeguarding your account.

Chapter 2: A Closer Look at the Methods

In 2020, the verified account of Reggie White Jr., a player for the New York Giants and current CFL athlete, was compromised. He later informed OneZero that he was deceived by the same scam that his hacked account was now perpetuating.

Over the past several months, my conversations with these scammers have provided further clarity about their approach, with one phisher claiming to ransom popular accounts.

The initial messages from the fraudsters vary slightly but consistently include a clear demand: fill out a form on a website with your email and password, or risk account deletion within a specified timeframe. In one instance, the message specifically indicated that verified accounts were being targeted, stating, “Your blue badge Instagram account has been flagged as spam by our Instagram team.”

The irony is that the only way these scammers can take action against your account is if you provide them with the information they seek. Each of these messages links to a site that appears somewhat legitimate, featuring Facebook or Instagram logos and professional-looking designs. However, upon closer inspection, it’s evident that these URLs do not belong to the actual Instagram or Facebook support websites.

To gather more information about the scam, I devised a simple strategy to engage with the fraudsters and waste their time. I confirmed the deadline they claimed for my account's deletion, and once that time passed, I messaged them from my still-active account to challenge their threat. Some scammers hesitated and altered the deadline, while others ceased communication or remained committed to their scam.

In one instance, a scammer offered to buy my account, proposing $1,000 for my handle or even suggesting a trade for another account with 200,000 followers, which likely was another ploy to deceive me.

In an interview with OneZero, an Instagram spokesperson advised that the best way to report a hacked account is to flag the account or specific messages as spam. Some scammers even sent me screenshots of hacked accounts boasting tens of thousands of followers, offering trades for one of these accounts. One scammer claimed that there was "no risk of getting caught" and that he could return hacked accounts for a fee of $300 to $400.

While many of the messages I encountered were in Turkish, and some claimed to originate from Turkey, it remains unclear how many were from the same individual or how these fraudsters coordinated their efforts. Malware researchers on Twitter have also noted this trend, highlighting the use of the Turkish language.

Digital security expert Alan Neilan shared that he has discovered Instagram phishing sites by examining certificate transparency logs for suspicious domains—websites that appear to serve one purpose but ultimately aim to deceive users. He and other researchers have found pages masquerading as Instagram support sites, only to redirect personal information elsewhere.

What remains ambiguous is how these scammers identify their target accounts and what their ultimate goals are. Besides sending spam or attempting to reclaim profiles, hackers might sell verified accounts on platforms like OGUsers or keep them for personal use.

Initially, I reported these accounts for impersonation. However, I consistently received notifications stating that the flagged account was not violating Instagram’s policies. While some of these handles seem to have been suspended over time, others, such as Reggie White Jr.’s, remain active and verified, seemingly free to continue their fraudulent activities.

In an interview, the Instagram spokesperson reiterated that the best way to report a hacked account is by flagging it or related messages as spam. They also emphasized the importance of enabling two-factor authentication for added account security and reiterated that Instagram never messages users regarding copyright complaints.

Neilan emphasized that addressing this issue may require domain registrars and hosting providers to take more proactive measures. While Instagram can respond to reports, companies that manage domain name registrations should be more diligent in approving domains that appear suspicious.

To conclude, here are three critical takeaways for navigating the Instagram landscape:

1. Just because an account is verified doesn’t mean it’s trustworthy.
2. Instagram representatives will never DM you about copyright issues.
3. Ultimately, no one escapes this world unscathed.