Recently, a fake Instagram email successfully bypassed Google’s email filters and made it into hundreds of employee inboxes used by a prominent US life insurance company based in New York.

This was revealed in a report by Armorblox, a cybersecurity company specializing in stopping business email compromise (BEC) campaigns. According to its threat research team, the spoofed email originated from “lnstagram Support” with the email address, membershipform@outlook.com.tr. The “l” you see in “Instagram” is actually a small letter “L”. It wouldn’t have been obvious—if not for Gmail automatically setting the first letter of a sender’s name in caps—as you can see from the screenshot below.

Clearly, threat actors have layered their campaign with a number of known fraud tactics, one of which is using a homoglyph (or homograph), making this a good example of a homograph attack, as well.

A homograph attack is a method of deception where threat actors take advantage of how certain character scripts look the same. In this case, a small “L” looks the same as a big “i”.

The fake “Instagram Support” email that appeared to have targeted employees of a New York-based insurance firm. (Source: Armorblox)

The initial scam email reads in full:

FROM: Lnstagram Support <membershipform@outlook.com.tr>
SUBJECT: Instagram Support
MESSAGE BODY:
You have been reported for sharing fake content in your membership. and approved by us.
You must Verify your membership. If You Can't Verify Within 24 Hours
Your membership will be permanently deleted from our servers.
You can continue by pressing the Verify button to verify your membership.

The phishing email tells the recipient that their Instagram account has been reported for spreading fake or false information, which nowadays is not unheard of and considered a serious breach of Instagram’s Terms of Service. The scammers then push the recipient to verify their “membership” within 24 hours else their Instagram account will be deleted. Incorporating a sense of urgency is a scam red flag because it aims to get users to act first and think later when it’s too late.

Clicking the verify button takes users to a Google’s Site page instead of the actual Instagram page—another red flag. Here, users are then asked for their credentials as a requirement for verification.

Clicking the Verify button here again directs users to the actual phishing page, as you can see below (Source: Armorblox)
Note that the rhetoric has now shifted from the victim being a fake news proponent to a copyright law-breaker. (Source: Armorblox)

The phishing site also offers up some fraudulent text that can make the whole process feel more official. The text from the phishing site is as follows:

We have received numerous complaints that you violated our copyright laws regarding your account. If you do not give us feedback, your account will be removed within 24 hours. If you think this is wrong, please verify your information below. We ask for this information because we cannot verify that you are the real owner of your account.

Be on the lookout, dear Reader, for this or similar campaigns that might land in your work inbox in the future. We always advise caution when dealing with emails—both unsolicited and claiming to have come internally—especially those that want something from you and pressures you to act quickly “or else”. If you have an email that you’re unsure if it’s a phish, ask your colleagues or contact the person who sent you the email via other means. Better safe than sorry, as they say, because one small slip-up is all it takes for an entire organization to get compromised. After all, big attacks do start small.

Stay safe!