According to reports, Instagram users are affected by a new phishing scam called ‘The Nasty List.’ As the name suggests, the scam is all about stealing your Instagram login credentials and using the compromised accounts to spread the phishing message further and target more victims.
The Instagram ‘Nasty List’ scam first came to light after a Reddit post by a user, molecularwolf, described their experience. It starts with a simple DM (direct message) from one of your contacts saying you are on some ‘Nasty List’.
"So I logged onto Instagram yesterday and I had a dm from my sister. It said I was in some kind of “Nasty List”. Well I had just woken up and I was kind of out of it so I clicked on it because I was curious. I then realized that it was probably a virus, but too late, I had already clicked," said molecularwolf.
“About a day later someone starts sending dms to my followers from my account, in the same format that I had received from my sister. Turns out the same thing happened to her,” molecularwolf added.
The whole purpose of the message is to trick users into clicking on some dubious Instagram profile, explains Bleeping Computer. The profile includes a URL in its bio hosting a fake Instagram login page. Once you have entered your actual login credentials over there, your Instagram password will be compromised.
In a nutshell, hackers are simply using the ‘Nasty List’ as a lure: either you fear being on the list, or you click on the URL and log in through the fake Instagram page out of curiosity. Either way, your Instagram credentials will end up in the hands of bad actors as soon as you have attempted to sign in.
Tip 1: Always pay attention to the URL. No matter how similar the page looks to the real one, you need to be careful about the URL. If the URL doesn’t seem genuine, you should refrain from opening it.
Tip 2: Enable two-factor authentication. All you need to do is go to Settings > Privacy and security > Security > Two-factor authentication. Enable it by choosing either the text message (OTP) or the authentication app method.
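To make Tip 1 concrete, the sketch below is an added example (not from the original report) of checking the host of a link that claims to be an Instagram login page. The trusted host list, the function name and the sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption for this example: the only hosts accepted as a genuine sign-in page.
TRUSTED_HOSTS = {"instagram.com", "www.instagram.com"}

def check_login_url(url):
    """Return (is_trusted, reason) for a link that claims to be an Instagram login page."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")  # hostname is lower-cased, port removed
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "not served over https"
    # Anything before '@' is login info, not the site: the real host comes after it.
    if parts.username is not None or parts.password is not None:
        return False, "text before '@' is not the host"
    if not host:
        return False, "no host"
    # Internationalised names can render almost identically to the real one.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return False, "internationalised lookalike host"
    if host in TRUSTED_HOSTS:
        return True, "host matches"
    # The brand name inside some other domain proves nothing about who runs it.
    if "instagram" in host:
        return False, "brand name inside an untrusted host"
    return False, "unrelated host"

if __name__ == "__main__":
    # Constructed sample links; the .example domains are placeholders.
    for sample in (
        "https://www.instagram.com/accounts/login/",
        "https://www.instagram.com.account-check.example/login",
        "https://instagram.com@login.example/accounts/login/",
        "http://www.instagram.com/accounts/login/",
    ):
        print(sample, "->", check_login_url(sample))
```

The check compares the whole host name with an exact list rather than looking for the word "instagram" somewhere in the address, which is the part of the URL a lookalike page relies on you skimming past.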