There are only two certainties in life: people love coffee, and people love Instagram. The two are a match made in heaven. Enter the Instagram scam.
The subculture of amateur coffee photographers has spawned an unbelievable volume of PSL (Pumpkin Spice Latte) close-ups overlaid with Instagram’s “Hefe,” “Earlybird” or “Nashville” filters. The official Starbucks Instagram account boasts three and half million followers and is tagged in countless photos. It’s a massive hub of slow-roasted, slow-drip, chai-mocha glam-shots jockeying for likes. Believe it or not, the question “which filter do you like?” used to refer to brewing coffee, not glorifying it.
Instagram, as lighthearted and innocuous as it may seem, is the ideal spot for hackers to brew a user-targeted scam. Crafty cybercriminals, well aware of Instagram’s coffee fetishization, lure users by impersonating coffee shops’ brand. The fake account @theofficialstarbuckscoffee has thousands of followers and is filled with pictures lifted from the legitimate Starbucks profile (@starbucks). The account description reads, “First 35,000 Followers Will Deserve $35 Gift Card! We’ll Dm You The Information! Expected For At Least 2-3 Days Tag Us In Order To Get Your Gift.” ZeroFOX’s burner account, Barista Frank, is still waiting on his gift card.
Starbucks alone has hundreds of impersonators accounts on Instagram, all offering gift cards to the first several thousand followers. Starbucks is not the only victim – Instagram is littered with fake accounts for Tim Hortons, Dunkin Donuts and more. It’s unclear if these fake accounts are part of a botnet, individual scams or operated by a single hacker. The accounts often link to other fake accounts, encouraging users to connect to more Instagram scam profiles. For example, the not-so-official Starbucks account links to @wespeakfutbol, a scam targeting FIFA fans.
This type of account can be used for a host of malicious purposes. It’s possible the account is distributing malware or phishing links via direct message. Once a user has followed the fake account, it sends a malicious link disguised as a redeemable discount code. Users will either unwittingly download a virus or be prompted to disclose account credentials and personal information. Because Instagram is a relatively new social media platform and hasn’t made headlines for cybercrime, users are especially unsuspecting.
Most likely, these profiles are used for “account flipping.” Account flipping entails building up social media accounts with as many followers as possible and subsequently selling the credentials. Another strategy is to charge internet marketers to have a message blasted out from the accounts. For instance, Fiverr, a website where you can post small jobs for $5, has an entire section for social marketing. Users can pay to have their message posted from an account with hundred or thousands of followers. Ever notice a group you follow on Facebook start posting irrelevant advertisements? The account has either been “flipped,” or the owner of the account is being paid to disseminate someone else’s content.
What is the impact for the coffee shops? Primarily, the cost is traffic hijacking. Starbucks is losing tens of thousands of followers who would otherwise receive the advertising and messaging Starbucks spends millions of dollars to produce. Depending on how malicious the accounts turn out to be (between actively disseminating malware or just passively gathering followers) Starbucks could also face damage to customer loyalty and brand reputation.
Instagram is rapidly joining its social media contemporaries, like Facebook and Twitter, as the new playground for cybercriminals. Starbucks is not the only victim. Everything from airlines to restaurants to clothing retailers is vulnerable on social media. Learning to spot scams when engaging on social media can prevent costly consequences. Consumers and brands, don’t get roasted by an Instagram scam!