Phishing Campaign Promises Instagram Account Verification to Users

By Bill Toulas / June 27, 2019

Sucuri reports that phishing scammers have found a new way to trick potential victims into giving away their Instagram account login credentials, and that is through the promise to give them a “verified” status. Verified accounts on Instagram or Twitter have a blue check-mark right next to the name, indicating that the account is authentic, complete, meets the required level of public interest, and is unique in the sense that the only representation of a brand or person in the particular social media platform. An example of this is given below, with the Adidas account on Instagram.

adidas instagram page

image source:

Brands have a clear reason to get verified on Instagram, but individuals do it too. Getting verified adds credibility to one’s account, and also enables monetization. This means that influencers or at least aspiring influencers need to go through the verification process, and 1% of Instagram’s total user base has. Many of those who try though is not approved by the platform, so their verification application is rejected. These users are then looking for alternative ways of getting the blue badge, and this is where the crooks come into play.

The phishing actors are using the domain “” which is not in any way connected or affiliated to the real Instagram platform. On the domain, victims are urged to fill out various forms, supposedly for the confirmation of their account, and even the confirmation of their email accounts. Having everything in their hands, the actors can try to get past the “Suspicious Login Attempt” algorithms that Instagram has in place, and the access to the email account of the victim is key on that part. If Instagram detects that something wrong is going on with the particular login attempt, the actors reset and verify the ownership of the account via email.

Those who fall, victims of these campaigns, are simply not careful enough. The domain name is not “”, so this should be an obvious sign of phishery. Moreover, there’s no “https” meaning that there is no SSL certification to affirm the secure connection. Finally, getting asked for your email account and password should be a clear sign that you are getting tricked, although Facebook has done this in the past. Our advice is to stay calm, carefully look for signs of trickery everywhere, and take your time to evaluate where you are and what you are asked for when you are met with login forms.

Have something to say on the above? Let us know of your comments in the section beneath, or on our socials, on Facebook and Twitter.

For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: