Rudick Law Group is reaching out to inform you of an ongoing cybersecurity threat that’s affecting our community. Scammers are using the possibility of Instagram account verification to steal personal information and convince users to send them cash. Here’s what you need to know:
Not Every Email is What it Seems
This scam works because it looks legitimate. While most of us know about “phishing,” this phishing scam stands out because it’s visually convincing. Instagram users receive an email that spoofs Meta’s formatting, including colors, fonts, and style. The email alerts the user that they have qualified for verification and asks the user to click on a link to go through the “verification” process.
What to Do: When you receive any email that asks you to click on a link and input information, especially one you weren’t expecting, it’s time to investigate.
If possible, open the email on a computer, rather than a mobile device, as this makes it easier to see suspicious email addresses or link URLs.
Check the sender’s email address carefully for indications that the sender isn’t who they claim to be. Is the company name correct? Are there spelling errors, or does the address contain a different person’s name than the claimed name of the sender in the body of the email?
Check the URL of the link in the email before clicking. Depending on your computer, this may mean hovering your cursor over the link, right-clicking, or holding down on the link on some mobile devices. Does the link match the business you were expecting? When you search for the link via a search engine, what comes up?
If the business has an app, check the app. Many companies that request information via email will also alert users to information requests via their app.
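The sender and link checks above can also be automated. The following Python sketch is an added illustration, not part of the original newsletter; the list of trusted domains and the sample message are assumptions constructed for the example.

```python
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption for this sketch: domains accepted as genuinely Instagram/Meta.
TRUSTED = ("instagram.com", "meta.com", "facebook.com")
BRANDS = ("instagram", "meta")

def trusted(host):
    """True only for a trusted domain itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

class Links(HTMLParser):
    """Collects the href of every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def review(raw):
    """Return a list of warnings for one raw email message."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg["From"]))
    sender_domain = addr.rpartition("@")[2]
    warnings = []
    if any(b in name.lower() for b in BRANDS) and not trusted(sender_domain):
        warnings.append(f"sender claims '{name}' but mails from {sender_domain}")
    body = msg.get_body(preferencelist=("html",))
    parser = Links()
    parser.feed(body.get_content() if body else "")
    for href in parser.hrefs:
        if not trusted(host := urlsplit(href).hostname):
            warnings.append(f"link goes to {host}, not an Instagram/Meta domain")
    return warnings

# Constructed sample message (not a real phishing email).
SAMPLE = """\
From: "Instagram Verification" <support@insta-verify.example>
Content-Type: text/html; charset="utf-8"

<p>Congratulations! <a href="https://instagram.com.verify-badge.example/confirm">
Start verification</a> or visit <a href="https://help.instagram.com/">Help</a>.</p>
"""

if __name__ == "__main__":
    print("\n".join(review(SAMPLE)))
```

Note that the first link begins with “instagram.com” but actually belongs to a different domain, which is why the check compares the end of the host name rather than searching for the brand anywhere in the URL.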
Most Scammers Get Information About You From You
This scam works because it convinces you to hand over control of your account. If you click on the link included in the scam email, you’ll be directed to a spoofed landing page that mimics Meta’s own websites. You’ll be asked what seem like routine questions about your account, including your handle, linked email, linked phone number, and/or password. The questions are often phrased as if they are aimed at verifying the information the sender already has (think “confirm your…” rather than “what is...”). If you provide this information, the scammer will use it to assume control of your account.
What to do: When an email routes you to a website, it’s time to check if the website is legitimate.
In addition to checking the URL and any applicable app, use search engines or AI tools to check results for a given URL. This can help you spot a convincing fake before you put in information.
Check the referenced company’s website to see if they have any policies on how they ask for information.
If all else fails, consider calling customer service numbers or using help chats to ask if a website is legitimately affiliated with the company it claims to be affiliated with.
Surrendering Control Happens Subtly and Quickly
This scam works because the theft happens before the user realizes they’ve been hacked. After providing information via the scam link, users receive a follow-up email asking them to log out of Instagram and/or uninstall the app. Often users receive an additional follow-up email telling them that “verification” will take up to 48 hours to complete, sometimes mentioning that the user may not be able to access their account during that time. This logs users out of the app, allowing someone else room to log in, and decreases the likelihood that a user will notice something wrong before the scammer has control over the account.
What to do: When you make a mistake, it’s time to fight back.
Everyone makes mistakes and gives out information they shouldn’t have. Don’t panic!
First, don’t log out of accounts or uninstall apps.
Instead, change passwords for all accounts that use the email address affected or the password affected, as well as any accounts that are linked to those accounts.
Consider a password vault program to make storing and using strong passwords easier.
Monitor your accounts for suspicious activity and turn on multi-factor authentication where you can.
Money is the Ultimate Goal
This scam works because people reuse passwords. A scammer who gets information from a link like this will see what other accounts they can access with the information you provided. They often use this information to contact you (usually via WhatsApp, Signal, email, or other social media) and ask for money in exchange for giving control of the account back. However, by this time, Meta has often noticed the unusual activity and banned the affected account.
What to do: When you receive a ransom request, it’s time to reach out.
Contact the company that hosts the affected account via their contact information listed in the terms of use, their help center, or their social media. Let them know about the unauthorized activity (using screenshots if you can) and ask for help. Friends and family can help you report as well.
Consider reporting to government organizations like your state Attorney General, the FBI, and/or CISA. Many hacking groups have ties to crime or sanctioned activity, so reporting can be invaluable.
Call your lawyer and your cyber insurer. You have options, and you deserve to know what they are.
Rudick Law Group is proud of our efforts to keep our clients safe from cyberattacks. Are you ready to improve your cybersecurity practices? We can help.

