
Beware verification scams on Instagram, Facebook and Twitter: 'Red flags going off'

Think twice if someone promises to get your account verified for a price.


Scammers and hackers are trying to lure social media users who want to get verified into handing over their personal information.

Getty Images

Enver Ceylan presents himself online as a Renaissance man.

He's a Turkish social media consultant, musician and actor who's "played the lead role in many TV series and movies," according to his website. Among his digital services: helping Facebook and Instagram users with advertising issues and growing their accounts. One version of his website prominently displayed a form that asked TikTok users to fill out personal information to get their account verified, a status usually reserved for notable figures.

"Your account has been followed for 30 days, and it has been determined that you are eligible to receive the TikTok Blue Badge," his site stated in English on June 9. A form under TikTok's logo, an animated musical note, asked for a user's password, address and phone number.

If Ceylan's promises seem too good to be true, that's because they likely are. Ceylan's form vanished shortly after CNET entered information to test it. Most of the site then went blank before reappearing entirely in Turkish. (TikTok confirmed the form wasn't legitimate.)


A form appearing on Enver Ceylan's website tells TikTok users they're eligible for verification and asks for personal information.

Screenshot by Queenie Wong/CNET

Almost every major platform offers verification in some form. Originally intended to authenticate accounts deemed to be of public interest, the badges have morphed into status symbols that give social media users bragging rights. That's provided ample opportunity for scammers, who manipulate the emotions of aspiring but unsuspecting users pursuing careers as influencers or creators. 

Directing social media users to fake verification forms, as Ceylan appears to have tried, is a tactic used to dupe people out of personal information and take over their accounts. Scammers will also slide into direct messages on Instagram and entice users with promises of verification. Variations of this scam have existed for years, but cybersecurity experts say they expect this scam to grow as people spend more time building their brand on social media.

Likewise, people who are verified typically have a large following, which can make them prime targets for scammers or hackers trying to reach a lot of people. In 2020, hackers hijacked the accounts of high-profile Twitter users such as celebrity Kim Kardashian and Joe Biden, who was running for US president at the time, and tempted gullible users with a phony promise to double any bitcoin sent to a specific cryptocurrency wallet.

Announcing that you just got verified on social media can also make you a target if you're looking to get the blue badge on other social networks or if a hacker is trying to find an account with a large following.

Jon Clay, vice president of threat intelligence at Trend Micro, said the IT security company has seen verification scams in roughly 70 countries. "It's just a lure that gives the criminals an opportunity to target these victims," Clay said. 

A social media user, who asked to remain anonymous out of fear of retaliation, told CNET that Ceylan presented a convincing pitch when he said he could get the person's Instagram account verified. At his request, the person provided him with a photo while holding an ID (though its number was obscured). After that, Ceylan appeared to use the photo to get the person's social media accounts taken down for impersonation.

"The realistic part of me was like, 'don't fall for this scam,' but then he started sending all these videos and photos of him being able to do it," the person said in an interview. "All these little red flags were going off in my brain, but I was super excited. I wasn't thinking clearly." 

Twitter said the user's account was suspended for impersonation but determined after further review it had been hacked. Instagram said it was securing the account. The company also pulled down Ceylan's own account, though a new one soon popped up and is still online. 

CNET, which is owned by Red Ventures, reached out to Ceylan and asked him about his work as a social media specialist. "I would like to help you with what you need help with," his email response said, followed by a link. Red Ventures' IT department said the link appeared to be a phishing attempt, noting a security vendor had flagged it as malicious. CNET was advised to avoid further contact with Ceylan.

An ongoing problem

Scammers have also taken advantage of the coronavirus pandemic to trick people into believing they can get verified. In an Instagram direct message, an account called ig.verificationbadgeservice tried to lure users with the false claim that blue badge applications were being taken through an online form rather than directly on Instagram because of the pandemic. The account is no longer on Instagram.

The Federal Trade Commission warns that scams of all types on Facebook, Instagram and other social media sites have jumped during the pandemic. Reported losses from social media scams in the first six months of 2020 reached nearly $117 million, almost as much as the $134 million reported for all of 2019. Verification scams make up a part of that total, although it's unclear how large their slice is.


Some Instagram accounts are offering verification for a fee. 

Screenshot by Queenie Wong/CNET

Some Instagram accounts run by people who claim to be social media consultants promise verification for fees of $1,000 or more. 

One account, marion_digital, offered verification and 100,000 followers for $2,200. In a direct message on Instagram, the account holder told CNET it can't guarantee account verification but will write articles and marketing material on behalf of a client. Marion_digital then sends "pictures of those articles to instagram and then they decide to allow the verification mark or not."

The account declined to answer questions about where the articles appear or if they've ever gotten anyone verified through this process. The account holder, who identifies themself as a social media consultant and marketing manager, said it only helps to verify business pages. The user didn't respond when asked why it uses a photo of Trayvon Martin, a Black teenager whose death in 2012 sparked nationwide protests, as their Instagram profile picture. 

A spokesperson for Facebook, which owns Instagram, said selling or buying verification is against the social network's rules.

"If we detect that verification was acquired in a malicious way, or that an individual is selling verified accounts to others we will take action that could lead to permanent removal from Instagram," a Facebook spokesperson said in a statement, noting it conducts "regular sweeps both on and off the platform to remove malicious actors from Instagram."  

Omar Bham, a 32-year-old cryptocurrency blogger in Las Vegas, has received direct messages from Instagram accounts claiming they can get him verified on the photo-sharing service. Bham said he's been trying to get verified on Instagram and other sites because a "crazy amount" of people are trying to impersonate him through fake social media accounts.

One account, elisasupporteam, asked him in a message to verify that he owns an account so that it could secure him a blue check mark. He reported elisasupporteam to Instagram because he suspected it was a scam. The account is no longer available.

Instagram has said it doesn't direct message users for personal details, such as passwords, but there is a section within the app called "emails from Instagram." On Tuesday, the company launched a new security checkup feature and shared tips that outlined how users can keep their accounts safe.

People might fall prey to direct messages promising verification because a black market for Instagram badges has reportedly developed outside of the service. In a direct message seen by CNET, a verified Instagram user with the name Youssef tells Bham he can get him verified or provide "pre-made verified accounts." A Facebook spokesperson said the company regularly un-verifies compromised accounts, including on Instagram, that are being used for scams.

Some accounts claim to have helped other users get verified, pointing to their blue check marks as evidence of success. The profile of an Instagram account called verify_account_569 says blue check marks can be had for a "cheap price." 

In an Instagram story -- a disappearing post on the photo-sharing service -- verify_account_569 said it had gotten a blue checkmark for David Slotnick, a reporter at The Points Guy. It posted a photo of Slotnick's verified account as proof. 

Slotnick says he was verified in March through his employer but started getting messages from strangers asking how to get the blue check mark around the time the Instagram story with the false information was posted. (The Points Guy is also owned by Red Ventures.)

CNET messaged verify_account_569, but the account doesn't accept new message requests from people it doesn't follow. Slotnick said he reported the account and story to Instagram but didn't receive a response. The account is still up. 

Red flags

CNET showed the TikTok verification form that appeared on Ceylan's site to web security researcher Luke Leal, who works at GoDaddy. Leal said the form looks like it was built to phish for TikTok account login information. Ceylan could have also cloaked the website so the form only appeared once, he said.


In April, Ceylan's Twitter account morphed into a different identity, but there were still hints that the user had changed personas. 

Screenshot by Queenie Wong/CNET

In addition to the form, other signs point to Ceylan using internet sites and social networks to bolster what appears to be a fake persona. The site's source code shows that Ceylan copied his webpage from a website using HTTrack, a service Leal said is commonly used by phishers to download websites. 

On Spotify and Google-owned YouTube, where Ceylan is a verified artist, he posts songs with titles such as Death, Satan and King. The songs appear to be produced by other artists and passed off as his own. Ceylan's songs Dead and Death are identical to the hip hop beats Mania and Septic by MTC Beatz but were posted 22 days later. Ceylan's Satan, released in December, is a clone of the beat For Real posted by AngelLaCiencia Beats in November.

MTC Beatz was unaware of whether Ceylan had leased the beat, a form of renting music for a period of time, but said he was reporting the video to YouTube. AngelLaCiencia Beats didn't respond to a request for comment.

On IMDb, Ceylan says he starred in 48 TV series and movies, including a role as a police officer in the Turkish thriller series Fatma that is available on Netflix. When asked if Ceylan appeared in the series, Fatma producer Barış Abacıgil said in an email it was "false information."

At one point, the handle on Ceylan's Twitter account was changed to a female persona, Nurdan Yilmaz, though remnants of his identity remained in its tweets. In one tweet, Yilmaz shared a link about Ceylan. The Twitter account then morphed back to Ceylan's identity.

On his website, Ceylan displays photos of people reviewing his services. The photos, however, appear to be stock photos, suggesting the testimonials may have been faked. 

"I can set up a high-follower instagram account for you. I can enlarge your Instagram, Facebook, YouTube account," the site said, according to Google Translate. "I can keep your accounts safe."