“Nasty List” phishing scam spreads across Instagram

A phishing scam is spreading across photo sharing platform Instagram that tells would-be victims that they have been featured on something called a “Nasty List”.

The scam starts when an Instagram user receives a direct message from an account they are following that claims the user has been featured on a “nasty list” and provides a link to another Instagram account, whose handle begins with @The_Nasty_List followed by a random number. An example of a message can be seen below:

John, OMG your actually on here, @The_Nasty_List_522, your number 15! It’s really messed up

The Instagram handle (beginning with @) is clickable, and this message has been designed to lure the recipient of the message into clicking on the linked profile.

Clicking the handle takes you to that Instagram profile, which contains a link in its profile description where users can apparently see this so-called “nasty list”. However, that link leads to an external website that appears to be the Instagram login page. But it isn’t … it’s on an external website that has nothing to do with Instagram, and if a user enters their username and password, those details are sent straight to the crook behind the scam.






Once the crook has the user’s username and password, they now have access to that user’s account (unless the user enabled 2FA) and can start spreading the same phishing message to the Instagram friends of that account.

Despite many users falling for this scam, avoiding it is incredibly simple.

First, be wary of any suspicious or unexpected messages sent through Instagram (or any other social media website) even if they appear to be from friends and especially if they urge you to click a link.






Secondly, if you find yourself on what appears to be a login page asking for your username and password, check the web address (the URL beginning with WWW.) to see if it belongs to the website you expect. In this case, that is Instagram.

Thirdly, enable two-factor authentication or two-step verification for your important online accounts, including Instagram. This means anyone logging into your account will also need an extra piece of information other than just the password.
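
The web address check from the second tip, written out as code (an added example, not part of the original article): it parses a URL the way a browser does and accepts only HTTPS hosts that are instagram.com or a subdomain of it. The function name checkLoginUrl, the TRUSTED_DOMAINS list and the sample URLs under .example are assumptions constructed for illustration.

```javascript
// Added example. TRUSTED_DOMAINS and checkLoginUrl are illustrative assumptions.
const TRUSTED_DOMAINS = ["instagram.com"];

function checkLoginUrl(rawUrl, trusted = TRUSTED_DOMAINS) {
  let url;
  try {
    url = new URL(rawUrl); // same parsing rules a browser applies
  } catch {
    return { trusted: false, host: null, reason: "not a valid absolute URL" };
  }
  // The parser lowercases the host and splits off any "user@" prefix, so
  // https://instagram.com@other.example has the host other.example.
  const host = url.hostname.replace(/\.$/, "");
  if (url.protocol !== "https:") {
    return { trusted: false, host, reason: "not served over HTTPS" };
  }
  // Non-ASCII host names are converted to "xn--" labels; on a login page
  // that usually means look-alike characters.
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { trusted: false, host, reason: "host contains non-ASCII (punycode) labels" };
  }
  // Accept the domain itself or a true subdomain. Matching on "." + domain
  // rejects names that merely contain it, such as instagram.com.other.example.
  const ok = trusted.some((d) => host === d || host.endsWith("." + d));
  return ok
    ? { trusted: true, host, reason: "host belongs to " + trusted.join(", ") }
    : { trusted: false, host, reason: "host is not a trusted domain" };
}

// Constructed sample URLs (not taken from the scam itself).
const SAMPLE_URLS = [
  "https://www.instagram.com/accounts/login/",
  "https://instagram.com.nasty-list.example/accounts/login/",
  "https://instagram.com@nasty-list.example/accounts/login/",
  "http://www.instagram.com/accounts/login/",
  "https://www.instagr\u0430m.com/accounts/login/", // Cyrillic "a"
];

for (const u of SAMPLE_URLS) {
  const r = checkLoginUrl(u);
  console.log(r.trusted ? "OK  " : "STOP", u, "->", r.reason);
}
```

Only the first sample passes; the others are stopped even though the text "instagram.com" is visible somewhere in each address.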

In the case of this “nasty list” phishing scam, other than using compromised accounts to further spread the phishing message, it doesn’t appear the people behind the scam are using the compromised Instagram accounts for anything else.
