Instagram’s ‘nasty list’ scam gives your details to hackers - here’s everything you need to know

If you believe your Instagram account may have been compromised, you should immediately change your password (Photo: Shutterstock)If you believe your Instagram account may have been compromised, you should immediately change your password (Photo: Shutterstock)
If you believe your Instagram account may have been compromised, you should immediately change your password (Photo: Shutterstock)

Instagram users are being warned about a new scam that encourages people to hand over their login details to crooks.

The so-called ‘Nasty List’ swindle is rapidly spreading across the popular photo sharing platform, fooling unwitting users.

Hide Ad
Hide Ad

The phishing scam lures people in by sending messages to users saying they have been spotted on the ‘Nasty List’.

Users are told they are on a ‘nasty list’

The Bleeping Computer security blog explains that the messages will say something like, “OMG your actually on here, @TheNastyList_34, your number is 15! its really messed up”.

The profile people are then directed to will be called ‘The Nasty List’, followed by a series of numbers.

The profile includes a link to a website and claims that it will let you see the list - but the list doesn’t really exist.

Hide Ad
Hide Ad

That landing page will take you to a legitimate-looking Instagram login page. But if users put in their details, they will not work. That page simply serves as a means for the scammers to collect the details.

Scam page looks like official login page

Cybersecurity firm Sophos has also put out a warning about the scam.

"Anyone entering their credentials will find themselves in a spot of trouble, starting with their entire base of followers receiving the same message telling them that they too are on the Nasty List – and so the social media phishing attack grows," Sophos explained.

"They’ll also potentially have handed control of their account to criminals to do whatever they want with."

Hide Ad
Hide Ad

An Instagram spokesperson told The Sun, "Fake and fraudulent activity is not allowed on Instagram.

"We proactively fight against this type of content and are always improving our systems to quickly detect and remove anything that violates our Community Guidelines."

How to avoid the scam

Here's official advice from cybersecurity firm Sophos:

“First, as long as you are sure you didn’t enter your credentials on the fake login page, you should be safe.

“If you did enter your credentials but are using two-factor authentication (2FA) via SMS or an authenticator app, you should be ok because it’s much more difficult for criminals to bypass that

Hide Ad
Hide Ad

“2FA can be set up on Instagram by going to your profile and selecting the hamburger icon. Then choose Settings > Privacy and security > Two-factor authentication and follow the instructions on the page

“If there’s a risk that your account has been compromised, you should immediately change your account password, turn on 2FA, and double check to make sure that the email address and phone number associated with the account haven’t been changed

“If you’ve used the same password for Instagram on other online accounts you should immediately change those too. And make the new passwords different for each account – password managers really help with this

"For more on locking down your Instagram account, read the Naked Security guide.”