Instagram

Imposters and romance scammers abusing social media to con people is hardly a novel occurrence.

The problem seems to have gotten much worse on Instagram over the past year, however, with its parent company Meta falling short of effectively tackling fake profiles even when there are sufficient signs to indicate that a profile is misusing someone else's photos and identity.

In our investigation, BleepingComputer observed instances where reporting fake profiles that impersonated an internet personality or a public figure concluded in such reports being dismissed after being processed, at least in part, through what appeared to be an automated decision-making system. We were further surprised to learn that even after appealing the decision, the outcome stayed and the fake profiles in question have still not been removed from the platform.

Instagram: a haven for scammers

Earlier this week, while casually scrolling through my Instagram feed, I came across a story featuring a selfie video of a handsome gentleman working out at the gym, to which I instinctively reacted.

A conversation followed. This gentleman named "Santiago Scott," who was on my list of followers, told me he's from Brazil, based in Spain, and looking for something meaningful.

Fake Instagram profile abusing someone else's pictures
'Santiago Scott' with some 1,840 followers claims to be based in Spain
(Instagram)

Before the conversation could delve into deeper territories, my skeptical yet curious mind, led me to search up the dashing "Santiago Scott," the man behind the handle, @91.santiagoscott.

While the name didn't turn up anything interesting, a quick Google Lens reverse-image search led me to a Twitter account of Thiago Qualhato, and an authentic Instagram profile with close to 18,000 followers. 

Real Instagram profile owner, Thiago
A reverse-image search reveals the real man behind the photos
(BleepingComputer)

Turns out, Thiago, the real man behind the photos is based in Brazil, communicates primarily in Portuguese—not English, and according to his publicly visible Instagram profile, joined the platform in 2013. Contrast this with "Santiago Scott's" account, created in 2022, restricted to the public, with his username having been changed at least seven times.

Furthermore, every photo or reel on "Santiago Scott's" profile has been posted just a few days following Thiago's original post—a strong sign of catfishing.

discrepancy in instagram accounts
Discrepancy in real (left) and fake (right) Instagram profiles (BleepingComputer)

It's realistically possible for a person to create two profiles for a variety of reasons, such as to isolate their personal social media presence from a professional one. To be very sure, I dropped Thiago a note.

Predictably enough, Thiago replied to me, "Denuncie pra mim. Por favor. Ele me bloqueou." ("Report it please. He has blocked me.")

Wasting no time, I immediately reported @91.santiagoscott to Instagram, properly indicating that the account was impersonating @thiago_qualhato in the reporting form. A few minutes later, I heard back.

Instagram decided not to remove the fake account after a review that appears to be facilitated by "technology" at least in part—given the request's relatively fast turnaround time.

"We use a combination of technology and human reviewers to process reports and identify content that goes against our Community Guidelines. In this case, we did not remove the content that you reported," read the response.

Instagram did not remove the fake profile
Instagram did not remove the fake profile, even after a human review
(BleepingComputer)

Even after appealing the decision and requesting a subsequent review (likely from a human), the decision stayed.

BleepingComputer reached out to Meta's communications team with questions, mentioning this case well in advance of publishing but we did not hear back.

A ploy to sell blue ticks?

Incidences like these are far too common on Instagram.

Imposters appear to particularly target authentic profiles of desirable public personalities, uniformed service personnel (such as soldiers and police officers), influencers, and adult content creators.

These imposters then begin to "follow" the followers of the real account, in hopes of getting followed back and establishing themselves as trustworthy on the platform, while simultaneously blocking the authentic profile whose pictures they are misusing. This cuts off the possibility of contact with and being seen by the authentic user.

Last year, UK-based author, Jendella Benson, took to X (formerly Twitter), voicing her annoyance with Instagram's reluctance to take down imposters lifting her photos.

"Instagram won't remove a catfish account that is using my pictures," says Benson.

"Either they are trying to force me to buy a blue tick in hopes that it will give more protection or they're padding their numbers by not acting on spam or fake accounts. Probably both. Bozos."

In early 2023, shortly after X introduced a paid verification program, selling the much-sought-after blue ticks for a monthly fee, Meta followed with its 'Meta Verified' service priced between $11.99 and $14.99.

The monthly charge enables creators and businesses to have their Facebook and Instagram accounts verified and display a blue checkmark on their profile. The service also claims to provide "proactive account protection" against impersonation.

That still begs the question, should a creator's unwillingness to subscribe to a paid service equate to them being a victim of impersonation?

"It's annoying when Instagram won't remove catfish accounts of me," wrote another user on X.

And, similar stories aren't unheard of:

A victim of impersonation
Another victim of impersonation on Instagram (X)

Ironically, coughing up the monthly fee, and going through the verification process by showing a valid ID is no guarantee that your account won't be suspended later, should enough people suspect that you are the imposter.

We have also previously reported on sexual harassers, crypto scammers, and identity thieves thriving on Instagram, and merely reporting such accounts seems to be not enough.

What can we do about it?

While the ball is largely in Meta's court on this one, there are several steps users can adopt to safeguard themselves, their photos, and other users in the community.

  • Consider watermarking your photos with your real social media handle. The watermark could still be removed or cropped out by an imposter but could serve as a deterrent.
     
  • For private accounts, refrain from accepting follow requests from profiles that seem suspicious, are too 'new', have limited or no posts and followers, or are otherwise of questionable authenticity. Increasing your follower count comes with a risk of being impersonated, should the new follower end up cloning your profile.
     
  • Report imposter accounts via the Instagram app. Should that fail (as it did in this case), a user suggests another option might be trying out the web form.
     
  • Even if blocked by your imposter, it might still be possible for you to report the imposter's account by navigating to their profile in your web browser's Incognito mode (or simply after you've logged out of your Instagram account).
     
  • You're still the copyright holder of your intellectual property—your photos, reels, and posts. In some cases, should the regular reporting channels yield no results, it may be worth reaching out to Instagram's legal team to report a case of copyright infringement.
     
  • A bit of googling and reverse image searches by using services like Google Lens, TinEye, and PimEyes can go a long way in catching impersonators early on.
     
  • Refrain from sharing your private photos and details unless and until you are certain that the person you are communicating with on the other end is who they claim to be.

Taking these steps will hopefully deter imposters and keep social media a safe place for yourself and everyone.

Related Articles:

CISA warns of criminals impersonating its employees in phone calls

FBI warns of fake law firms targeting crypto scam victims

Gitloker attacks abuse GitHub notifications to push malicious OAuth apps

FBI warns of fake remote work ads used for cryptocurrency fraud

Microsoft India’s X account hijacked in Roaring Kitty crypto scam