Don’t fall for this nasty Instagram phishing attack

Are you on the “Nasty List?” Despite what you might be thinking, Santa Claus has nothing to do with it.

A new phishing attack is growing on Instagram that targets users with bogus messages. Victims get a message from a follower, potentially even someone they trust, saying they’ve been added to a seedy “list” on another website. The only way you can see the list, though, is to log in with your Instagram username and password.

If this sounds fishy to you, you’re right on the money. Yet thousands of people have fallen victim to this nasty scam. What is this new phishing scheme on Instagram, and how can we protect ourselves from this and other shady attacks?

Don’t find yourself on this “messed up” Instagram list

Over a week-long period, Instagram users have been getting randomly timed messages from followers that all share something in common. All of them contain a canned sentence, each one similar but with slight variations in username and placement:

OMG your actually on here, @TheNastyList_xx, your number is 15! its really messed up.

Despite the obvious spelling and grammar errors, many people have already fallen for the ruse.

The fact that the message comes from Instagram followers is critical to how it spreads. When you follow the message to the Nasty List profile, you’re invited to click the link in the profile’s header and sign in to your Instagram account to view the full list. As with any phishing scheme, the login page is fake, but this one doesn’t just compromise your profile: it also gives the attackers access to your following list.

This process turns your account into a kind of “zombie profile,” which the hackers use to spread the message to other people you follow.

Viral phishing attack

Masquerading as a user’s follower is key to the scheme’s effectiveness. Anyone who’s been affected by the attack is capable of spreading the fake messages, including to other people who trust them or may know them in person. A link from an anonymous stranger is always suspect, but a link from a friend or parent seems a lot more legitimate to click on.

That familiarity is what the hackers are relying on to capture as many profiles as possible. If your info is compromised, the cybercriminals behind the attack will have access to your photos, draft posts, and even private messages.

How to protect yourself from The Nasty List

If you followed the spoof link from the fake profiles, the hackers likely already have your information. Changing your password won’t be enough. You’ll need to enable two-factor authentication (2FA) to verify who you are when you log back in.

If you didn’t click the link or just want to protect yourself, setting up 2FA is a recommended precaution as well.

To set up 2FA, go to your profile and click on the icon with three horizontal lines (also known as the “hamburger icon”). Then, select Settings > Privacy and security > Two-factor authentication. The screen that appears will guide you through the next steps.

Two-factor authentication works by requiring you to enter a code that is sent to you via text message. This helps confirm you’re the person you say you are by relying on your personal device, which nobody else would have access to.

If you use the same password as your Instagram account on other sites, you will want to change those passwords as well — and don’t forget to check if those platforms offer 2FA.

Going forward, 2FA will become a mandatory security feature on many websites. Learning to adopt it early is a step towards a safer, more secure internet experience.
