Getting verified on social media can make all the difference for an aspiring influencer, which is why a new Instagram phishing campaign making the rounds online is trying to lure in users with the promise of a blue badge.
For those unfamiliar, Instagram users that have been verified by the Meta-owned social network receive a blue badge with a checkmark next to their username in a similar way to how Twitter handles verification.
First discovered by the email security company Vade back in July and detailed in a new blog post, the latest Instagram phishing campaign aims to dupe users into divulging their personal information and account credentials.
If you’re an active Instagram user with hopes of getting verified, you’ll want to be on the lookout for an email with the subject line “ig bluebadge info” from a sender address that begins with “ig-badges”. While the email uses spoofed Instagram and Facebook logos at the header and footer to appear more legitimate, Instagram explains in a support page in its Help Center that verification is done entirely through its platform and never over email.
A classic case of phishing
Although an Instagram user eager to get verified may fall for this phishing campaign, closely examining the body of the email itself quickly reveals that it’s a scam.
Several grammatical errors and typos appear throughout the email and Vade points out that it also includes a phrase commonly used by scammers: “Thanks, you instagram team”. The email also tries to instill a sense of urgency by telling potential victims that “the form will be permanently deleted within 48 hours”.
The cybercriminals behind this new phishing campaign hope that Instagram users will be so excited about finally getting verified that they will overlook these details and click on the blue button at the bottom of the email which reads “Badge Form”.
Stealing user credentials and info with the promise of a blue badge
If a user ends up skimming through the email and clicking on the Badge Form button, they are taken to a malicious website with the domain name “teamcorrectionbadges”. Here, the scammers hope that victims believe Instagram uses a different website besides its own to verify users.
This Badge Form page also tries to appear legitimate by copying the brand colors of Instagram and Meta’s logo. However, there are also several grammatical mistakes and punctuation errors which are a dead giveaway that this is a scam.
A form prompts potential victims to enter their Instagram handle along with their name, email and phone number in order to be verified. After the page refreshes, another field appears where users are prompted to input their password and login.
After this is done, a confirmation message appears with a bogus Case ID and tells them that the team will contact them as soon as possible with the average time being 48 hours.
This particular Instagram phishing campaign began on July 22 and more than 1,000 emails were sent out per day to potential victims. Vade notes that the scammers behind the campaign did their homework and included each victim's actual Instagram handle in their phishing emails.
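The indicators described above (subject line, sender prefix, urgency phrase and lure domain) can be checked mechanically by a mail filter. The Python below is an added example, not code from Vade or Instagram; the function names, the sample messages and the `.example` hostnames are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Indicators quoted in the article; how they are combined here is an assumption.
SUBJECT, SENDER_PREFIX, LURE_LABEL = "ig bluebadge info", "ig-badges", "teamcorrectionbadges"
URGENCY = re.compile(r"permanently deleted within \d+ hours", re.I)
URL = re.compile(r"https?://[^\s\"'<>\[\]]+", re.I)

def body_text(msg):
    """Concatenate every text/* part so HTML-only and multipart mails are covered."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def badge_phish_indicators(raw):
    """Return the campaign indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    hits = []
    if SUBJECT in (msg.get("Subject") or "").lower():
        hits.append("subject")
    # Only the local part is compared: the article gives the prefix, not a domain.
    local = parseaddr(msg.get("From") or "")[1].partition("@")[0].lower()
    if local.startswith(SENDER_PREFIX):
        hits.append("sender-prefix")
    body = body_text(msg)
    if URGENCY.search(body):
        hits.append("urgency")
    # Match the lure name as a whole DNS label in any linked host, whatever the TLD.
    hosts = [(urlparse(u).hostname or "").lower() for u in URL.findall(body)]
    if any(LURE_LABEL in h.split(".") for h in hosts):
        hits.append("lure-domain")
    return hits

# Constructed sample messages (not real campaign mail); .example hosts are placeholders.
PHISH = (
    "From: Instagram <ig-badges@mail.example>\n"
    "Subject: ig bluebadge info\n"
    "Content-Type: text/html; charset=utf-8\n"
    "\n"
    "<p>The form will be permanently deleted within 48 hours.</p>\n"
    '<a href="https://teamcorrectionbadges.example/form">Badge Form</a>\n'
)
BENIGN = "From: Friend <friend@mail.example>\nSubject: lunch?\n\nSee https://www.instagram.com/ soon.\n"
```

A filter could quarantine on any single hit or require two or more; the display name and logos are deliberately ignored because both are trivially spoofed.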
How to stay safe from verification scams
Verification scams have become more popular as social media platforms like Instagram and Facebook have grown in size.
In fact, according to Vade’s own Phishers’ Favorites report, social media companies are the fourth most phished websites of any industry, with Facebook being the second most impersonated brand.
Impersonating social media brands makes sense for scammers and verification is the perfect lure to trick users into giving up their credentials and personal information. At the same time, verification remains a mysterious and misunderstood process for many social media users.
To avoid falling victim to this and other verification scams, it’s important to keep in mind that social networks conduct verification assessments using their own platforms and never through email. Likewise, any email can be spoofed, so you should always remain cautious when opening any message in your inbox, even if it appears to come from an official account.
When it comes to phishing, you should always look for the common signs of phishing scams which include instilling a sense of urgency along with spelling and grammatical mistakes.
Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.