What Is Instagram's 'Hotlist' Scam and What to Do If You Fall into Its Trap

Instagram HotList Phishing

It's fair to say that Facebook isn't enjoying its best days at the moment. It recently became apparent that, thanks to last year's Cambridge Analytica scandal, Mark Zuckerberg's social media empire could be looking at as much as $5 billion in fines from the Federal Trade Commission. Last month, it received a flurry of criticism after it admitted that some users' passwords were stored in plain text. To make matters worse, the social network got its initial calculations wrong. First, it said that most of the affected individuals were Facebook users, with only a few of them from Instagram. A couple of days ago, however, the company admitted that the number of affected photo-sharing enthusiasts is in the 'millions'.

The social network giant received some well-deserved criticism for requesting email passwords from users as well, and as if that wasn't enough, it now has to fight a few phishing campaigns on its platforms. The credential harvesting attacks on Instagram appear to be particularly active.

The "Hotlist" scam

We're not talking about the most sophisticated scam the world has ever seen, but while it's still not known how many people have fallen for it, it's not difficult to see how it could very well work with many users. Here's how it works.

You log in to your Instagram account, and you see that you've received a direct message from one of your friends. It goes like this:

"[YOUR NAME] I just saw a few of your photos on the @The_HotList_95 and they are already upvoted to #26!"

Curious, you click on the @The_HotList_95 profile to see what's going on and you end up looking at an Instagram account that hasn't posted anything. The profile description reads "Check out what position you're in!", and under it, you have a link. You think that by clicking on the link, you will get to see how high on the "Hotlist" you rank, but, in reality, you are asked for your Instagram username and password.

Those of you who have been on the internet for long enough have probably figured out what's going on by now. Those who haven't will enter their login credentials into the username and password fields and will inadvertently send them to the crooks, who will then use the hijacked profiles to fling the same direct messages to other people and further spread the scam.

The phishing page is convincing enough, it must be said, but more observant users should have little problem figuring out that there's something wrong. All they need to do is look at the URL which obviously doesn't belong to Instagram.
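The check described above, looking at whether the login page's URL really belongs to Instagram, can be made mechanical. The following is an added example written for this article, not code from the article's author or from Instagram; it assumes that the only legitimate login hosts are instagram.com and its subdomains, and all the sample URLs are constructed placeholders (the article does not publish the real phishing address). It also covers the common look-alike tricks the paragraph hints at: a trusted name used as a subdomain prefix, placed in the userinfo part before an `@`, or buried in the path.

```python
from urllib.parse import urlsplit

# Assumption for this example: instagram.com (and its subdomains) is the
# only domain a genuine Instagram login form is served from.
TRUSTED_BASE = "instagram.com"


def host_belongs_to(host, base):
    """True if host is exactly base or a subdomain of base (case-insensitive)."""
    host = host.lower().rstrip(".")
    return host == base or host.endswith("." + base)


def is_genuine_login_url(url):
    """Return True only for an https URL whose host is under the trusted domain.

    urlsplit().hostname strips any userinfo ("user@") and port, which is what
    defeats the "https://www.instagram.com@attacker.example/" trick: the real
    host is whatever follows the "@".
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False          # plain http or a bare domain with no scheme
    host = parts.hostname
    if not host:
        return False          # e.g. "instagram.com/login" parsed as a path
    return host_belongs_to(host, TRUSTED_BASE)


def classify(urls):
    """Map each URL to 'genuine' or 'suspicious'."""
    return {u: ("genuine" if is_genuine_login_url(u) else "suspicious") for u in urls}


# Constructed sample URLs: placeholder domains, not addresses from the scam.
SAMPLE_URLS = [
    "https://www.instagram.com/accounts/login/",          # real pattern
    "https://WWW.INSTAGRAM.COM/accounts/login/",          # case only
    "http://www.instagram.com/accounts/login/",           # not https
    "https://instagram.com.example.net/login",            # trusted name as prefix
    "https://www.instagram.com@example.net/login",        # trusted name in userinfo
    "https://example.net/instagram.com/login",            # trusted name in path
    "instagram.com/login",                                # no scheme at all
]

if __name__ == "__main__":
    for url, verdict in classify(SAMPLE_URLS).items():
        print(f"{verdict:10s} {url}")
```

The point of the `hostname`-based check is that a visual comparison is easy to fool: every suspicious sample above contains the string "instagram.com", yet only the first two resolve to a host under that domain.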

Far from the peak of originality

The URL in question is now inactive, and the @The_HotList_95 account has also been taken down, but there's a high possibility that the scam is working, which means that we might see similar links and profiles in the near future. Indeed, we won't be surprised at all if the phishing campaign succeeds in harvesting a large number of passwords, because we've already seen it in action.

Not more than two weeks ago, a very similar "Nasty List" scam was doing the rounds. The only difference is that, as the name suggests, back then, victims were supposedly put on a "nasty list", not a "hot" one, and that the grammar of the direct messages and descriptions was poorer.

These two scams seem to be about as simple as they get, but at the same time, they appear to be rather successful because they take a very carefully placed jab at human psychology. The phishers know that Instagram users are interested in what other people think about them and that they are likely to click on links that will give them this sort of information. The "Nasty" and "Hot" lists just accelerate the process because they imply that someone either likes or dislikes the victim.

What do you do if you fall victim to the "Hotlist" phishing scam?

It's still unknown whether the crooks use an automated script to send the malicious messages once they break into your account, but regardless of this, if you do send the phishers your login credentials, you must act quickly. Make sure you reset your Instagram password immediately and enable two-factor authentication from the settings of your account. If you don't manage to do it in time, the crooks might be able to change your password and lock you out. If this happens, contact Instagram directly and ask for further instructions. The sooner you regain access to your account, the smaller the number of people who are likely to be affected. When your Instagram profile is back under your control, think about whether you've reused the same password for other accounts, and if you have, change it as quickly as possible. This would also be a good time to think about what you can do to eliminate password reuse.

April 25, 2019
