‘Nasty List’ Instagram Phishing Scam

The latest phishing scam targeting Instagram users harvests login credentials. The messages claim that the recipient is on the ‘Nasty List’ and urge potential victims to follow a link to view it. The link attached to the message redirects the user to a fake login page, and any credentials entered there are harvested, which allows the ‘Nasty List’ scam to continue spreading. The linked page looks very similar to the Instagram login page, but the URL may be “nastylist-instapop50” or “TheNastyList_XX.” This scam is sent to all the followers of an already compromised account. Direct messages are also being sent via fraudulent account profiles.

The NJCCIC strongly advises Instagram users to avoid clicking on any links sent in messages referring to the “Nasty List.” Users who have inadvertently navigated to this site and still have access to their account should verify that the account is linked to the correct phone number and email address, and then immediately change the password for that account and for any other accounts that used the same password. Users who have lost control of their account should report the incident to Instagram. Lastly, we recommend users enable multi-factor authentication (MFA), which is available for Instagram.