When Alice’s phone started buzzing, she didn’t know what to think. Some of her friends were texting her to say that her Instagram account had been hacked. They must have been wrong, though, because she had just gotten a DM from her cousin saying someone was impersonating her. Opening the message, she discovered a new account with her name, profile picture, and posts. The bio talked about “18+ content,” and there was a link to what looked like a pornographic website, with her name and photo at the top of the page. “Get FREE access to all my completely naked and erotic photos and videos content,” it said. Something was very, very wrong.
Names and identifying details have been changed because of the sensitive nature of this topic, but Alice’s story is true. Her Instagram account was duplicated in an effort to drive clicks to a fake porn site, which in turn links to a registration page that tries to trick the viewer into entering credit card information in order to view pornographic photos that don’t exist. Over the past year, people worldwide have found themselves in Alice’s situation, and now it’s happening to teens in Hawaii. Those whose identities are hijacked are unwilling participants in this scam, not the direct targets of it – but that doesn’t make its effect on them any less real.
The Scam
The scam is a relatively simple one. In 2020, a police official specializing in cybercrime described it as “a nationwide problem” to the Australian Broadcasting Corporation, while Vice reported occurrences in Canada, the United States, Thailand, the United Kingdom, and France.
It begins with a copy of an existing Instagram account. The entire scam is likely carried out by an automated process rather than manually, and it isn’t clear how accounts are selected, though in all the cases known to Ka Punahou the cloned accounts belonged to women and girls. Each duplicate account is created with the same profile picture and name as the real account after which it is modeled, and uses the same username with an underscore added at the end. It posts three photos taken from the posts of the real account, and may use additional photos from the real account in Story posts and Highlights. Posts to the scam account’s Story include text intended to trick the viewer into believing that the linked website will allow them to access pornographic images or videos of the person whom the account is impersonating.
The website, in turn, appears to be a real page on a website known for selling pornography. The Australian version of the scam linked to fraudulent OnlyFans profiles, while Vice also described fake JustForFans pages; all local cases seen by KP have copied a similar website called Fansly. The use of a URL shortening tool disguises the fact that the domain ends in “.wixsite.com,” marking it as a website created using the free web development tool Wix. In the Instagram browser, it’s easy to miss the suspicious domain name in tiny text at the top of the screen, and the banner at the top of the screen proclaiming “Join us on the Wix app” might be written off as an advertisement. The page header is a real image of the person being impersonated, overlaid by a pornographic GIF as the profile picture. All the links on the page, including the main “Follow For Free” button, lead to a separate website.
This second website, located at a newly registered domain name that likely changes frequently to evade efforts to block it, appears to be a registration process for the main site but includes fields to collect credit card information as “a valid form of age verification.” While KP’s investigation of the scam did not involve the entry of personal financial details, it seems likely that any card entered during the fake registration process will be charged and potentially drained entirely. So the trap is revealed – but the people whose accounts have been cloned are the bait, not the targets. Who are the scammers hoping will fall for their trick?
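The indicators described above (the same username plus a trailing underscore, the same display name, three posts, and a bio link that lands on a “.wixsite.com” host behind a shortener) can be checked mechanically. The following is an added example, not part of the original article: the profile dictionary layout, the function names, and all sample values are constructed for illustration, and the redirect chain is assumed to have been collected separately with a URL expander.

```python
from urllib.parse import urlsplit

def host_is_under(url, parent):
    """True only if the URL's host is `parent` or a real subdomain of it."""
    if "://" not in url:              # allow scheme-less links copied from a bio
        url = "//" + url
    host = (urlsplit(url).hostname or "").rstrip(".")
    return host == parent or host.endswith("." + parent)

def clone_indicators(real, candidate, redirect_chain):
    """List which of the article's indicators `candidate` matches.

    real / candidate: dicts with 'username', 'name', 'post_count' (hypothetical layout).
    redirect_chain: URLs visited from the bio link to the final page, in order.
    """
    hits = []
    if candidate["username"].lower() == real["username"].lower() + "_":
        hits.append("username_plus_underscore")
    if candidate["name"].strip().casefold() == real["name"].strip().casefold():
        hits.append("same_display_name")
    if candidate["post_count"] == 3:
        hits.append("exactly_three_posts")
    if redirect_chain and host_is_under(redirect_chain[-1], "wixsite.com"):
        hits.append("lands_on_wixsite")
        # A first hop on a different host is what hides the domain in the bio.
        if not host_is_under(redirect_chain[0], "wixsite.com"):
            hits.append("landing_hidden_by_redirect")
    return hits

# Constructed sample data; none of these values come from a real case.
REAL = {"username": "alice.example", "name": "Alice Example", "post_count": 212}
CLONE = {"username": "alice.example_", "name": "alice example ", "post_count": 3}
CHAIN = ["https://short.example/abc", "https://someuser123.wixsite.com/my-site"]

if __name__ == "__main__":
    print(clone_indicators(REAL, CLONE, CHAIN))
```

Wix hosts many legitimate sites, so a “.wixsite.com” landing page means little on its own; it is the combination with the copied username and name that marks an account for reporting.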
The Targets
The final step of this scam is arguably the most malicious. After creating the cloned account and matching fake website, the person or program behind the process returns to the real account of the person they’re impersonating and opens up the list of people it follows. Then, in every case known to KP, the scam account follows or requests to follow more than 100 accounts belonging to men and boys who are followed by the real account.
Some of these boys will likely ignore the account, or just not notice it. Some might report and block it on sight, while others may message the girl being impersonated: “this account just followed me. seems weird. is it really u?” But inevitably, some of the targets will fall for the scam. More precisely, some of these boys will see an account claiming to provide access to pornographic photos and videos of somebody they know – often a minor – and they’ll click “Follow,” tap the link in the bio, and maybe even give up their credit card information in the pursuit of those photos and videos. Specific local instances of the scam analyzed by KP suggest that the percentage of people who begin following one of the scam accounts after it follows them is disturbingly high – around 10 percent.
The Aftermath
The fake accounts repost real photos of the people being impersonated. In the cases known to KP, it appears that photos of women and girls in bikinis tend to be the ones selected as part of the scam. These photos are placed in an extremely sexual context, implying that the person depicted is selling pornography of themself. That message is then actively pushed to an audience when the accounts request to follow a large group of people connected to the real person whose account has been copied.
For those impersonated as part of the scam, the experience can be shocking and humiliating. It’s tangled up in broader issues that affect the lives of young people, like the sexualization of teenage girls and the stigma surrounding both sex and sex work. And seeing other people’s reactions to the account can create emotions and questions that are bigger than the isolated incident of the scam itself. One teenage girl who was impersonated told KP she was shocked that some of her “guy friends” thought there was a possibility that the account was real, rather than immediately deciding it was fake. She added that the use of her photos in a sexual context felt degrading because it made her think that everyone might interpret the content she posts in a sexual way to begin with.
The harm caused could potentially go beyond feelings and reputation, especially when teens are involved. As The Washington Post has reported, minors can be charged under federal child pornography laws for producing pornographic content of themselves. Punahou School’s Student and Parent Code of Conduct says that “sending, sharing, viewing or merely possessing sexually explicit photos […] or other sexually explicit materials” can lead to disciplinary action including expulsion, and that the school “can seize a student’s cell phone, computer or other electronic device and will turn the device over to law enforcement authorities” if a student is suspected of engaging in this behavior. While the scam doesn’t involve any action by the person being impersonated and certainly doesn’t involve them sharing pornography of themselves, there’s a risk that school or law enforcement officials who are unaware of the scam may believe that the fake account is genuine, and the victim of impersonation could face the threat of disciplinary action as a result. Additionally, there’s no telling what the consequences might be for people who follow a scam account impersonating a minor, thereby actually seeking out child pornography.
The scammers, meanwhile, seem to be doing just fine. The website used to collect financial information is registered to Wesicron Limited, a shell corporation registered in Cyprus under a name and address that are likely false. Because of this dead end, KP has not been able to determine anything about the people or groups behind the scam.
The Future
With so little known about who might be behind them, it’s unlikely that these fake accounts will stop appearing anytime soon – so is there anything people can do to keep themselves safe? And what steps can be taken to get the accounts taken down?
The easiest (and least satisfying) answers are that private Instagram accounts cannot be duplicated and that people who notice accounts that are part of the scam should report them for “scam or fraud” and/or “pretending to be someone else.” While Instagram is notoriously slow at responding to reports and inconsistent in enforcing its own policies, reporting the accounts may still get them taken down, and could eventually lead to efforts by Instagram to prevent the scam across the platform. Reporting the fake websites to Wix could have a similar effect since they violate the website development platform’s terms of service in several different ways.
Spreading awareness of this scam may be another effective method to combat it. People who recognize the involved accounts and websites as fake are presumably less likely to follow them or enter their financial information, making the scammers’ efforts less successful. Awareness also makes it more likely that someone who finds a fake account will clearly and appropriately inform the person being impersonated, which could reduce the shame and discomfort of the ordeal. Similarly, if parents and school officials are aware of the scam, the risk of consequences might drop for teens who have their accounts duplicated.
It’s not clear who is behind this complex plot, what their motives are, or how accounts are selected for impersonation. A few things are almost certain though: this is going to continue happening, and other similar scams will appear. And nobody, except perhaps the scammers, knows who will be targeted next.