Bogus Instagram account using my email, never been verified, has over 1000 followers

Question

This appears to be a phishing scam like I've never encountered before.

I received an email from security@mail.instagram.com to an email address I rarely use, but I noticed it because messages get forwarded to my main email address. The subject is: New login to Instagram from Instagram app on Apple iPhone.

Well, that wasn't me. I haven't used Instagram in ages, and never did I use it with the email address in question. I take a closer look. It's not my Instagram account, but the email shows a username that is my real name with extra characters. I don't live in San Francisco where the login supposedly occurred, and I definitely didn't set up this account. Someone got my real name from that email address I seldom use and has set up an imposter account.

There are several other messages from security@mail.instagram.com in the inbox of this rarely used email address with the subject Verify Your Account and those too seem authentic, although I suppose the domain could be spoofed (not a subject I know much about). If these are phony email messages, they're unusual phonies, because all the links (for password reset, etc) point to https://instagram.com URLs. I found it alarming that the one email appears to confirm a successful login to this imposter account that I never verified.

It gets stranger. I decide to take a look at this user, this imposter me's Instagram profile page (https://www.instagram.com/username). They have:

0 posts
over 1000 followers
several hundred 'followed'
profile picture blacked out

This is an actual live Instagram account, no doubt about it.

One link in the email is: Not your account? Remove your email from this account.

Actually the full URL is longer, followed by a string of about 80 more characters after report_wrong_email/. I will not post that part because I don't know whether or not it could help a scammer uniquely identify me.

After checking that the domain was https://instagram.com/ I followed that one link in an attempt to remove my email from the imposter account. It led to Instagram's site, just not a valid page.

The shortened URL from the link above (https://instagram.com/accounts/remove/report_wrong_email/) led me to a page looking like this:

The full URL led me to a page looking like this:

This page just by itself is weird, having both a Log Out link and a Log In link shown simultaneously on different parts of the page. It's part of Instagram's official site though. Highly suspicious for such an important link to be broken, pointing to the email being a fake.

This definitely smells of a scam, but I can't figure out how the scam is supposed to work or how worried I should be. I have already reset the password on the email address the messages were sent to. What's the best way to handle this? I could try to reset the fraudulent Instagram account password, reclaim the account, and shut it down, but maybe that's exactly what the scammer wants me to try if it's a phishing thing. And what's with all the followers? Instagram's Help Center is pretty useless, with apparently no way to report account fraud to a human being.

My initial thinking is that it's some part of a bot network used to get people followers. The rest of the bots follow the account making it look "legit" and the bot follows a bunch of the bots and some accounts that paid for follower boosting. By using your valid email they're probably trying to avoid detection from Instagram's filters. Maybe they scraped your email and name off of a site like LinkedIn? I haven't checked but I don't think Instagram requires an email verification before you can use the account so its possible the attacker doesn't have access to your email — trallgorm, May 08 '19 at 17:56
Say you forgot the password, so you will receive a reset link. Reset the password, delete the account. — ThoriumBR, May 08 '19 at 18:00
@trallgorm I think you're exactly right. I don't know where they got my email address though. And I believe my email account has *not* been compromised, so that's a relief. I took ThoriumBR's advice - reset and delete. Once I logged in I could see the content it was following was just terrible junk. What a waste of time, all because Instagram doesn't require email verification before using their service. The "Remove your email" link being broken added suspicion too. It could have been worse though. Anyone care to post as an answer so I can accept it and close this case? — Encryptard, May 08 '19 at 18:43

score 3 · Accepted Answer · answered May 08 '19 at 19:02

3

Usually bots create Instagram accounts to sell likes and followers. If your email is used for this account, use the Forgot Password functionality to receive a reset password link, reset it, and delete the account.

Or take over it and repurpose it. But I don't believe your 1000 bot-followers would be interested on your legit content...

answered May 08 '19 at 19:02

ThoriumBR

50,648
13
127
142

Wonder what the legality of taking it over is. It's probably a gray area but if this was a legitimate account that used your email mistakenly taking it over would probably be illegal. – trallgorm May 09 '19 at 14:21
Shutting down the account makes possible to the mistake to be corrected. The previous owner just have to create another account and notify the previous followers. – ThoriumBR May 09 '19 at 15:58
Hypothetically if the account was huge (with millions of followers) deleting the account and trying to get people to follow a new account could potentially cause millions of dollars in damages. If it was a personal account then it could delete some connections irreversibly as they dont have another channel to find the person. I don't think this would apply in this case but at least in some cases I think a judge would consider deleting the account illegal – trallgorm May 09 '19 at 17:54
1

@trallgorm That's the last thing we need - scammers impersonating others, then attempting to sue when the victim rightfully claims and closes the account. A judge would have to be insane to rule in the scammer's favor though, especially if the account was never verified as theirs. – Encryptard May 10 '19 at 12:50
If there's a site that allows adding email address without verification and someone uses my address, I usually reset the password and replace my address with their support email address, in hope it teaches them a lesson. – Esa Jokinen May 10 '19 at 13:05
I just got a similar email. The fake account uploads stuff about my hometown and even avatar is my favorite food...Have to give credit to the bot network. However, when I tried to reset its password, Ins told me that they can't because the email address is invalid. So I guess the bot network got smarter, they probably setup the account using my email and then delete it to avoid being reclaimed by me. Somehow Ins' security system still have the email and hence alert me about a remote login – Skywalker326 Jul 18 '20 at 03:30

Bogus Instagram account using my email, never been verified, has over 1000 followers

1 Answers1