Scammers on popular photo-sharing platform Instagram are targeting thousands of followers of major financial institutions in an effort to extort victims into handing over money or disclosing personal banking information, new research has found. A report released by social media security firm ZeroFox titled "Post Grams Not Scams" has found over 4,000 unique instances of money flipping scams on the platform spread across more than 1,300 different Instagram accounts since 2013.
Using an in-house machine-learning classifier designed to analyse Instagram scam posts related to 37 of the biggest US financial institutions, ZeroFox researchers examined more than two million public Instagram posts from the last two years over a recent four-month period. The researchers identified thousands of money flipping scam posts created to lure users into sending money, particularly targeting the poor and members of the military.
"The rise of social networking has created an unprecedented platform for the average Jane or Joe to engage and interact on a global scale," the report reads. "There is, unfortunately, a darker side to this evolution. As more and more people become connected on social platforms, cyber criminals find themselves with more numerous and accessible potential targets than ever before.
"Social media's inherent trust, ease of use, scale and anonymity render it the ideal platform for cyber criminals and scammers."
The machine learning algorithm scanned through descriptions for key words such as "money" and photos for bank logos, receipts, people posing with money or bundles of cash. Detecting scams with over 98% accuracy, the algorithm found that hashtags were often a strong indicator of a scam account.
Researchers found that three scam posts are created on Instagram for every one scam post taken down on the platform. These scam posts, around 80% of which have life spans of over 45 days, affect almost all financial institutions and banks, causing them losses of hundreds of millions of dollars every year. The researchers estimate that the Instagram scam posts cost banks $420m globally over one year.
"The scammers use Instagram to advertise their services with pictures of money, luxury goods and drugs as well as hijacking bank hashtags to target banks' consumers," the report reads. "At the end of the day, the banks often eat the cost, resulting in a considerable financial loss for both consumers and banks alike."
The team also interacted directly with scammers using a honey-pot Instagram account to observe and understand their tactics. After following a few banks with a fake account, the researchers were soon followed by 23 scam accounts, one of which sent them a direct message asking them to send the scammer a physical bank card and a PIN.
Facebook's security spokeswoman Melanie Ensign told the BBC that scams are "pretty low volume" on Instagram, which hadn't seen ZeroFox's report ahead of its publication. However, she said the company would be reviewing the report's claims and recommendations.
"Generally speaking, it's easy for security firms to do a one-off analysis and build a model to catch a specific kind of abuse," Ensign said. "The challenge is doing it in a robust way so that it still works after bad actors change their approach a few times - and it's almost impossible for external parties to prove their approach is this robust."
Noting that this systematic abuse in the form of money flipping scams is not restricted to Instagram, ZeroFox recommends that affected organisations take an automated, data-driven approach to identifying and addressing social media threats such as these.
"Based on historical scam analyses, it is reasonable to conclude that there are no serious efforts being taken to systematically remediate scams," the report reads. "That scams are created at an estimated 3x higher rate than they are taken down on a daily basis underscores the problem is not going away anytime soon."