What Is Instagram's Nasty List and What to Do If You're on It?

If you're told that you've ended up on Instagram's 'Nasty List', you'll likely want to know what the reason for this is. A 'Nasty List' sounds like a list of accounts that have done something wrong, so, especially if you're an avid user of the photo-sharing network, you'd be in a hurry to find out what's going on. Sadly, when people are in a hurry, they tend to overlook some rather important details. That's why the new Nasty List phishing scam works so well.

An "F" for grammar, and an "A+" for social engineering

As you might have guessed already, there is no such thing as a Nasty List on Instagram. The concept was invented by cybercriminals who have been running a phishing campaign for the last few days. Here's how it works.

You log in to Instagram, and you find a direct message from one of your friends who tells you that they've seen your username on Instagram's "Nasty List". It's fair to say that the person who wrote the message has skipped a few grammar classes at school, which could tip some users off. Unfortunately, many people clicked through and ended up giving away their usernames and passwords which means that they either can't tell the difference between "you're" and "your", or they just don't care.

The message includes a link to another Instagram profile which can supposedly help you check out this mysterious Nasty List. The account in question doesn't seem particularly active, and from a grammatical standpoint, the profile description is just as woeful as the direct message. There is a link, however, which will supposedly lead you to the aforementioned Nasty List.

If you click on it, you will be presented with a login page that asks you for your Instagram username and password. The login form is identical to what the real Instagram will show you if you're trying to sign into your account. The only thing giving it away is the URL which clearly doesn't belong to the social network. Fail to spot it, and your login credentials are going straight to the crooks who will then use them to log in to your account and send direct messages about Nasty Lists to your friends.

The scam has already been covered by quite a few outlets, including some mainstream media, but despite this, Reddit users say that they're still receiving direct messages about the Nasty List. It's difficult to say how active the campaign is, but the way it's propagating means that if the crooks pick up the pace, it could spread like wildfire.

Education is our main weapon in the war against phishers

As you can see, the Nasty List scam is a textbook example of a well socially-engineered phishing expedition. Nevertheless, people who have already fallen victims probably feel a bit silly at the moment. They realize that they should have checked whether Instagram really has a nasty list, and they know that they should have been a bit more suspicious of the grammatical errors and the URL they clicked on. They have learned their lesson, but unfortunately, they learned it after they gave their login credentials away.

That's the root of the problem. If they knew this beforehand, the Nasty List attack would have been a lot less successful. The criminals bank on people's lack of awareness, and the strategy is paying off handsomely.

If you're going to stay safe on the internet, you need to have your wits about you. You must know, for example, what sort of mechanisms your favorite social networks use to penalize people who don't behave. Although these mechanisms can change, there is usually something to indicate that there are a few newly added features, which means that before you click on something you don't recognize, you should double-check with Google to make sure that it exists. Last but not least, you must know that things aren't always what they seem on the internet. Often, a pinch of proverbial salt could mean the difference between retaining full control of your accounts and holding the door open for the cybercriminals.