In recent times, there are several instances of fake Instagram accounts duping money from people. The fraudsters use a combination of age old social engineering and impersonation techniques to dupe money.
The impersonation part contains creating a fake social media account (especially Instagram now-a-days, because of the social media’s popularity) and trying to reach out to as many people as possible.
The social engineering part contains showing some sense of urgency after an initial ordinary looking conversation.
Here is a typical sequence of the multiple social media frauds that I witnessed in the recent times.
- Fraudster creates a social media account resembling a person with decent number of followers and follows.
- Fraudster picks profile picture from the original account
- Also uses majority of the profile details (profession, links, etc.) for the account, so that it looks legitimate
- The username is a slight variant of the original. Usually a digit or two added at the end of the profile or manage to make it look original by use of special characters
- Fraudster follows several people from the original account’s list
- Fraudster engages in conversation
- Usually the fraudster starts with general conversation like how things are, where you are, how busy the work is, etc. to earn some trust.
- Fraudster gives you some comfort level in conversation
- Fraudster creates sense of urgency regarding a financial matter
- e.g. I need to help someone with real emergency
- e.g. I maxed out on my daily limit, so I need your help
- Fraudster gives assurance
- e.g. I will give it to you tomorrow (or next working day) by 7am.
- Usually they pick a time so close to next day, so that there is a general sense of confidence that your money is going to be back within few hours.
- Fraudster sends payment/transfer link
The steps might slightly differ, but the modus operandi is almost about the same.
I have seen people falling prey to this type of attack, given the sense of urgency the fraudster can create and how casual the transaction looks like. I almost fell prey to one such thing, but I just called the person who is impersonated and it helped me avoid the money loss.
I also have seen I am being impersonated online. Albeit for a short time, they could create some reasonable inconvenience.
Here are the key things one can do to avoid falling prey to such situations.
- Follow only people who you know (even for people who you know online only, make sure that you observe them for some time before you follow them)
- Don’t blindly trust any newly created accounts
- Don’t always trust the accounts that come up in the top search results. Especially if they are new accounts
- Notify the person whose account activity looks suspicious. Especially if there are no (recent) posts, if they are new accounts or if their posts are unusual from what you know
- Never send any money without calling the person. Send only upon verification that you are talking to the right person
- Never click a link. If you know the other person’s details, directly doing financial transactions with the actual person you know would be better. Even then, make sure that the actual person has full access to the account
- If you have a common friend, alert them as well in situations when you are asked for money or asked to click links
- Report the account. More people report, more weight it would carry.
- Spread the word about the incident. Identify the potential victim groups and tell them what is happening.
By being aware, you may not completely avoid any novice techniques of the fraudsters, but for sure you will be in a position to minimise the impact.
Why this focus on Instagram? Similar things happened on WhatsApp also earlier. However, it is easy to see that the phone number in question is not related to the person you know.
With Instagram, the fraudsters are having a bit more flexibility in terms of reach out and attack vector dimension.
First Rule: Don’t send money. Unless you talk to the individual in person or over a trusted channel – e.g. video call. That helps verify the need and the beneficiary.
Second Rule: Never click a link from these social media conversations. Period.