When you go fishing, you put bait on the hook, right? You choose that bait – and the water you drop it into – based on the kind of fish you are hoping to catch. The same is true when you are the fish (phish) and scammers are choosing a bait to put on their hook to catch you.
You might not think of yourself as the kind of fish that’s likely to get caught. You are too smart to fall for romance scams, tech support scams, or that Nigerian letter thing. You are tech-savvy, a social media influencer, and a digital native.
But if you swim in the waters of the internet, you are a phish and there is a scammer out there baiting a hook designed for you.
What would you pay to have your Instagram, Twitter, or Facebook account verified? It would lend legitimacy to your brand and bring in money, and it is hard to get. What if it wasn’t very expensive to get that blue checkmark on your Twitter account or that blue badge on Instagram? How about if you didn’t have to pay anything and it was just a matter of filling out a form?
Are you tempted? We just found the bait that phishers will use to catch you.
“Social media verification scams are going to trick more people, percentage-wise, than the average phish,” explains Roger Grimes, data-driven defense evangelist at security training firm KnowBe4. “And they will get more information. We are a social media culture. It’s our life. And to get even associated as an ‘official’ influencer or seen as a verified account is an achievement wanted by a large percentage of the world. It’s the rock star of the digital world. Who doesn’t want to be a rock star?”
Chances are, though, that you won’t end up a rock star. It’s much more likely that you will lose control of your social media account and perhaps, even, your own identity.
That’s what happened to one social media influencer who bit on this hook, as reported by CNET. TikTok users got a message from a scammer that read, “you are eligible to receive the TikTok Blue badge.” Users who were interested were directed to a form that looked like a TikTok page. A big button read Apply Now and appeared to be the beginning of the verification process. But it led, instead, to a website that was set up to capture whatever was typed into it. The form asked for an email address and password, which were emailed to the scammer, who now had access to that TikTok account. All the scammer had to do was quickly change the password to lock the victim out of their own account and use it for their own “influence.”
The reason scammers targeted you is the only flattery you are likely to get out of this scam. They chose you either because you recently announced that you were verified on another social media site (congratulations!) or because you have an online following that’s large enough to warrant this particular kind of scammer’s attention. You are a big fish. But this scam is hoping to catch you – to use your identity or steal money from you – not to verify your social media account.
A similar scam on Instagram led people to a page that looked like an application to get your account verified. But when victims tapped the Apply Now button, it took them to a fake page that asked them to log in, in order to collect their personal information and passwords. (You can see in the above screenshot that it’s not a legitimate Instagram page because of the URL: the address has “Instagram” in it, but the domain is not instagram.com.) Again, this gave the scammer access to the victim’s social media account. Once the scammers have that data, they can use it to lure other victims or sell it on the dark web so that identity thieves can use it to get credit cards, utilities, or health insurance in your name.
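The URL test in the parenthesis above is the one check a reader can apply to any verification link: the hostname must be instagram.com itself or a subdomain of it, not merely contain the word. The following is an added Python example, not code from the article or from Instagram, that applies that check to a handful of constructed links, including the common lookalike tricks (brand name as a subdomain of another domain, brand name placed before an “@”, non-ASCII look-alike letters). The function names, the BRAND/LEGIT_DOMAIN constants and the sample links are assumptions made for the example.

```python
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical constants for the example: the brand being imitated and the
# only domain that really belongs to it.
BRAND = "instagram"
LEGIT_DOMAIN = "instagram.com"


def hostname_of(url: str) -> Optional[str]:
    """Lowercase hostname of a URL, or None if the URL has none.

    Browsers treat text typed without a scheme as an https URL, so do the same.
    urlsplit() parses 'user:pass@host' correctly, so a brand name placed before
    an '@' ends up as the username, never as the hostname.
    """
    if "://" not in url:
        url = "https://" + url
    host = urlsplit(url).hostname
    if not host:
        return None
    # A trailing dot (www.instagram.com.) is the same name in DNS.
    return host.rstrip(".").lower()


def is_legit_domain(host: str) -> bool:
    """True only for instagram.com itself or a subdomain such as www.instagram.com.

    'instagram.com.verify-badge.example' fails this test: the suffix check is
    anchored on a dot, so the brand domain must be the end of the name.
    """
    return host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN)


def classify(url: str) -> str:
    """Return 'legit', 'lookalike' or 'other' for the link a 'verification' message points at."""
    host = hostname_of(url)
    if host is None:
        return "other"
    if is_legit_domain(host):
        return "legit"
    parts = urlsplit(url if "://" in url else "https://" + url)
    if parts.username is not None:
        # https://instagram.com@phish.example/ : the brand is the username, the host is phish.example
        return "lookalike"
    if not host.isascii():
        # Homoglyph host: a non-ASCII letter (e.g. Cyrillic 'a') inside an ASCII-looking name
        return "lookalike"
    if BRAND in host:
        # instagram.com.verify-badge.example, instagram-verification.example, ...
        return "lookalike"
    return "other"


# Constructed sample links for the demo; none of them are real scam URLs.
SAMPLE_LINKS = [
    "https://www.instagram.com/accounts/login/",
    "INSTAGRAM.COM/accounts/login",
    "https://instagram.com.verify-badge.example/apply",
    "https://instagram-verification.example/login",
    "https://instagram.com@phish.example/",
    "https://inst\u0430gram.com/",  # Cyrillic 'а' in place of Latin 'a'
    "https://example.org/",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{classify(link):9s}  {link}")
```

The check deliberately refuses to trust a name just because it starts with the brand: only the end of the hostname decides who owns it, and anything that needs a username, a non-ASCII letter or an extra suffix to look like the brand is treated as a lookalike.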
Even if you see a friend or famous person recommending a service that gets your social media account verified, don’t fall for it. If scammers have access to an influencer’s account, using it to bait a lot more hooks and catch bigger and better phish is exactly what they would use it for.