Someone is pretending to be me online. They’re using my name, an article I wrote, and a fake email address to try and hack Instagram accounts. In the past month, I’ve received two emails from people that my impersonator was trying to scam.
Here’s what’s going on and what you can learn from it.
Last year I wrote an article called 11 Hilarious Instagram Accounts You Need to Follow Right Now. It wasn’t anything dramatic, just a list of 11 Instagram accounts I enjoyed and felt other people would too. I sent it to my editor and thought nothing more of it — this is a dance I do every day. The article ran and did pretty well. End of story, or so I thought.
Towards the end of September this year, I received an email from the people behind The Exquisite Lifestyle, a luxury lifestyle Instagram account with 223,000 followers. They’d received an email from someone claiming to be me which said:
They were certain it was a scam and were kindly letting us know that something was going on.
We talked it over among ourselves at MakeUseOf but came to the conclusion there wasn’t much we could do. We weren’t really sure what the scammers were trying to achieve. As a writer, I don’t normally get a lot of access to other people’s Instagram accounts! Bruce Epper, one of our security experts, contacted Google to try and get the email address shut down but nothing came of it. I put it to the back of my mind and went on with my life.
The Second Email
At the start of November I received an email from a second Instagram account. My impersonator had reached out to Clothes.Models, a fashion account with 131,000 followers, and spun them the same story. The only thing that changed was the name of the Instagram account in the email:
The people behind Clothes.Models, however, weren’t so quick to spot the scam. They wrote back saying they were interested in being featured. What happened next gave us a lot more insight into what was going on.
The scammers responded with an email that said:
This is important, and we’ll come back to it.
A few days later, the scammers sent another email:
The link takes you to a fake version of the Google sign-in page. Plug in your account details, click sign in, and you’re redirected to the real Gmail site. The only thing is, the scammers now have your login details.
Thankfully, the people behind Clothes.Models saw the scam and didn’t try to log in. Instead, they contacted me to check if everything was above board. It obviously wasn’t, which is why I’m writing this article.
So What’s Going On?
Let’s break it down:
- A scammer, pretending to be me, contacts a big Instagram account and claims they want to feature them in an article.
- When the account holders respond, the scammer asks for a contact number.
- Finally, they claim the article is ready and send the account holders a “Google Docs” link with a draft for them to “approve”.
Although this, superficially, appears to be okay, there are some major red flags. By the end of the process, the scammers have total control over your Gmail account and all the details they need to do a password reset on your Instagram account. They’ve also got enough information to potentially beat two-factor authentication.
That’s a really bad situation to be in.
The Red Flags
Thankfully, both Instagram accounts who contacted me caught on to the scam before it was too late. There were some big warning signs in all the emails, so let’s go through them.
First, writers like me don’t need your permission or approval to write about you. As long as what we say is true, we’re protected by freedom of speech laws in most countries in the world. This is especially true of an article called, “Top 15 Instagram Accounts Everybody Should Be Following”. If it’s going to be nothing but positive promotion, then there is no way a writer is going to reach out for your approval. I didn’t contact any of the accounts in the 11 funny Instagram accounts article; I just wrote about them.
Second, big sites like MakeUseOf don’t use generic Gmail addresses. Each of our writers has their own AuthorName@MakeUseOf.com email that they’ll contact you through. To find any author’s email, check out their author page (here’s mine).
Third, basic list articles don’t pay enough for writers to spend time reaching out to every site individually, especially over the phone. It’s a good way to make money online, but you have to do quite a lot of writing. If I’m conducting a big interview or an investigative piece, it’s different. But for a list of 15 Instagram accounts, there is no way a writer is going to need your phone number.
Fourth, while in exceptional cases I might show someone a draft for approval, it certainly won’t be an editable Google Doc. You might get asked to fact check a draft, or make sure that your views are accurately represented, if I interview you, but you won’t be able to add “anything you would like”.
Fifth, any link to a Google sign-in page that doesn’t take you to one of Google’s websites is fake. Never, ever enter your details. It’s also worth checking to see if the site has an SSL certificate. The fake sign-in page the scammers used didn’t have one, which was another big clue that something was off.
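The second and fifth checks above can be automated. The following Python is an added example, not part of the original article: it flags a sender whose domain is not the publication's and a link whose host is not a Google sign-in host. The allow-listed host `accounts.google.com`, the function names, and every sample address and URL are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the only host this example accepts as a real Google sign-in page.
GOOGLE_SIGNIN_HOSTS = {"accounts.google.com"}
# Domain taken from the article's AuthorName@MakeUseOf.com pattern.
PUBLICATION_DOMAIN = "makeuseof.com"


def check_signin_link(url):
    """Return the red flags for a link that claims to be a Google sign-in page."""
    flags = []
    parts = urlsplit(url.strip())
    # hostname is what the browser connects to, not what the text looks like.
    host = (parts.hostname or "").rstrip(".").lower()
    if parts.scheme != "https":
        flags.append("not served over HTTPS")
    if parts.username is not None:
        flags.append("text before '@' disguises the real host")
    if host not in GOOGLE_SIGNIN_HOSTS:
        flags.append(f"host {host!r} is not a Google sign-in host")
    return flags


def check_sender(address):
    """Return the red flags for an address claiming to be a staff writer."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local:
        return ["not a valid email address"]
    domain = domain.lower()
    if domain != PUBLICATION_DOMAIN:
        return [f"sender domain {domain!r} is not {PUBLICATION_DOMAIN!r}"]
    return []


if __name__ == "__main__":
    # Constructed samples; none of these come from the scammers' emails.
    for url in ("https://accounts.google.com/signin",
                "http://docs-google.example/login",
                "https://accounts.google.com.login.example/ServiceLogin",
                "https://accounts.google.com@login.example/"):
        print(url, "->", check_signin_link(url) or "no red flags")
    for sender in ("AuthorName@MakeUseOf.com", "authorname.makeuseof@gmail.com"):
        print(sender, "->", check_sender(sender) or "no red flags")
```

A sender that passes this check is not proven genuine, because the visible From address can be forged, but a sender that fails it is a clear red flag.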
Staying Safe Online
There’s a growing industry in stealing big social media accounts. They’re worth real money. If you run one, be very careful with your contact details. Even regular users sometimes have their accounts hacked.
Staying safe online isn’t complex: you just need to be aware of what you’re doing. If something seems too good to be true, it probably is. If you’re picking up red flags from someone, there is a reasonable chance they are trying to scam you. The emails the scammers sent had plenty of big signs that something was amiss. Look out for things like these, and if you feel uncomfortable, cut off all contact.
This was a targeted spear phishing attack, so not everyone is likely to be the victim of something similar, but the lessons are universal.
Being impersonated online is really weird. I’m still not sure how I feel. If you’ve ever been affected by an attack like this, please let us know in the comments. We’d love to hear your story.