Beware of the “activation codes” scam circulating on Instagram

On Instagram, petty crooks use hacked accounts to trap their victims. Posing as your friends, they pretend to need help unlocking their phone, when in reality they are validating bank transactions.

On July 25, Jérémy* writes to Numerama in a panic: he is afraid of having been hacked. Eight days earlier, a friend contacted him on Instagram with a strange request. His phone is allegedly blocked, and he needs someone to receive the codes to reactivate it.

“I was suspicious at first but figured he was a friend and I could trust him,” remembers Jérémy. In the following minutes, the young man followed to the letter the written instructions given by his “mate”. Then our interlocutor “moved on”, though surprised at the relatively abrupt end of the conversation.

Jérémy did not hesitate to come to the aid of his “friend”. // Source: Numerama screenshot

A week later, while browsing Instagram, he came across a story posted by another acquaintance: “He advised us to pay attention to a certain message, and it turns out that this message is exactly the same that my friend sent me…” Worried, Jérémy has the right instinct and activates two-factor authentication on all his important accounts. But he does not know the extent of the damage, and wonders whether he is at risk of SIM swapping.

“I was too naive and I regret it, I’m really scared,” he confided to Numerama, before sending screenshots of the conversation. He told us that he had not noticed any suspicious activity on his social networks or on his bank account. And for good reason: the manipulation he fell for ‘only’ made him validate transactions billed to his phone plan. The trick is in reality just a new version of a scenario already exploited in the 2000s. In the end, he gets off relatively lightly, with a little less than 72 euros in extra charges to settle.

When the scam comes from someone you trust

The scam suffered by Jérémy does not require any technical skills. In the jargon, this is called “social engineering”. Widely used in phishing, this kind of manipulation consists of pushing the victim into a mistake with a well-oiled scenario. To trap Jérémy, the thug started with a sizable asset: control of his friend’s account. This trick is well known to criminals: the more the target trusts the person they are talking to, the less they will be alerted by any inconsistencies in the scenario.

As a result, victims comply without asking too many questions. Then, once they realize the trick, they reread the exchanges and notice the various warning signs that they should have seen. For example, Jérémy was surprised by his friend’s initial request, and he replied: “no worries, but why are you asking me?” His interlocutor replied: “You the only one available on my phone” (sic). A poorly constructed sentence, which the young man did not dwell on.

Obtaining the credentials (username and password) needed to steal an Instagram account is not very complicated for offenders. Taken from phishing campaigns, security incidents or data breaches, they can be bought individually or in batches for a few euros, even a few cents. Since few people enable two-factor authentication, and many continue to reuse the same password on multiple accounts, this negligible-cost purchase may be enough to steal an account.

Transactions of 23.88 euros validated by the victim

Once the scene is set – Jérémy agrees to help his friend to “activate your phone” – the thug bombards him with questions. Can he confirm his phone number? Who is his operator? Can he forward the code he received? Then a second? Then a third, because the second did not work?

The messages Jérémy received could have alerted him: “Info Orange: NEVER SHARE THIS PIN CODE 887474 is your Orange security code to validate your purchase of the Boku Pay by mobile service at 23.88euro (s)” (sic). But the “friend” had told him: “tqt not [don’t worry, editor’s note], I know he says 23 € but you won’t pay anything prcq [because, editor’s note] I have already paid the fees” (sic).

After a little online research, we learn that Boku is a service that allows you to validate a transaction by billing the user’s operator account. In other words, the user pays the sum of the transaction on top of the cost of their Orange plan. Most operators allow this type of transaction to be blocked, but protection is not enabled by default.

In the space of just 5 minutes, Jérémy sent three codes, thinking that they would all reactivate his friend’s phone. In fact, he validated 3 purchases of the same amount, 23.88 euros, on behalf of the scammer.

The criminal went so far as to have the evidence removed. // Source: Numerama screenshot

As if he were not sufficiently satisfied with his success, the thief ended the conversation by telling Jérémy that he had to “delete all messages received by SMS to receive the confirmation SMS”. In other words, he pushed his victim to erase the traces of the fraudulent transaction himself. In any case, Boku specifies on its site that any purchase made through its payment service cannot be refunded.

Reading the conversation, the scam seems too blatant to work, and even Jérémy concedes it, in retrospect. But as is often the case, all it takes is a lapse in vigilance and a very quick discussion for the trap to succeed.

How to avoid this kind of scam on Instagram?

  • The best way to thwart this kind of scam is to take your time, because haste will always work in favor of thugs. Given time, you will no doubt notice the deception. For example, you will remember that a blocked SIM card can be unblocked with the PUK code, provided when purchasing the card and easy to obtain on your operator account, with no fees to pay.
  • Trust your suspicions. If a situation seems suspicious to you, it is because it is indeed suspicious and certainly deserves additional checks. Does the name “Boku Mobile” surprise you? Let your friend wait 30 seconds while you do a quick internet search.
  • Contact your friend in another way. Enzo sends you unusual messages on WhatsApp, Messenger or Telegram? Make a call to make sure he is really the one behind the keyboard.

Want to tell us about a time you were scammed online? Do not hesitate to contact us at francois.manens@humanoid.fr.
