Hilary Osborne 

Oasis ticket scam: ‘My Instagram was hijacked for a £1,400 fraud’

A fan was shocked when scammers used her identity to sell fake Wembley Stadium tickets to her friends
  
  

Oasis fans wear masks in Heaton Park, Manchester. (There is no suggestion that those pictured were involved in, or affected by, ticket scams.) Photograph: Temilade Adelaja/Reuters

Lauren Jones* was on her way home from a gig when she realised something was wrong. After having no reception all day, her mobile started pinging with message after message containing verifications for her LinkedIn, Vinted and Facebook accounts. Someone was trying to get in and change the contact details.

At home she realised the hackers were also trying to take over her Instagram account. She tried to sort it out but it was late, she had work the next day and, she says: “I thought: ‘What damage could they do?’”

Within 24 hours she knew the answer: using her account, the hackers advertised tickets to Oasis’s Wembley Stadium gig on Saturday 26 July and stole £1,400 from her unsuspecting friends. They then sent a text demanding $100 (£75) to return the Instagram account. All day she was fielding messages from contacts. “I had about 20 different people text, saying they were about to send over the money and can I hold the tickets for them,” she says. “The hackers had impersonated me so well that my friends and family genuinely thought they were speaking to me.”

Three weeks later, she is still locked out of her account, and Instagram has refused to recognise it as being fraudulent. It has ignored her requests for help. It did not respond to Guardian Money’s requests for comment.

Jones is a music fan and so the Instagram story offering four tickets to a concert did not seem out of place to her 600 followers – even her sister believed she had tickets to sell. “I’ve just returned from Glastonbury and I was away for Bruce Springsteen,” she says. “It’s not as if they’d taken it over and started advertising bitcoin.”

The people who responded via Instagram were taken in by the scammers’ replies – one friend told her he thought they had been having a good catchup. It was only those who moved the conversation to WhatsApp or texts who found out pretty swiftly that the tickets did not exist. “They’re really impersonating me and it’s so invasive,” she says. “It’s distressing not knowing what is being said in my name.”

The fraudsters did not just leave the post for Jones’s followers to see – they messaged one of her former colleagues and asked them if they would share the posts. They agreed and inadvertently spread the scam more widely.

The tickets were realistically priced and the post had good spelling and grammar. Victims were asked to pay into an account held with the online bank Revolut, with the fraudsters explaining that it was in the name of the friend who had originally bought the tickets.

Official data shows £1.6m was lost to fraud involving gig tickets last year – more than double the previous year’s figure – and Oasis’s high-profile reunion tour has been widely used to lure victims. Earlier this year, Lloyds Banking Group (which includes Lloyds, Halifax and Bank of Scotland) said more than 1,000 customers had fallen for scams linked to the Manchester band’s eagerly anticipated UK concerts.

Lloyds said its data suggested that UK Oasis fans had lost more than £2m to fraudsters by March this year – the total is likely to have risen since. It found that fans lost an average of £436 each – about £200 more than the average amount stolen in a concert ticket scam – and said some had handed over more than £1,700.

Chris Ainsley, the head of fraud risk management at the bank Santander, recently saw a Facebook account used for the scam – the post advertised four tickets, again for the 26 July concert, and included details of seat numbers and a WhatsApp number to contact. The scammers used the highlight tool to put it in front of the real account holder’s followers – this, Ainsley says, is a way to make a fraud “grow very quickly”.

His team searched Facebook and found multiple other accounts had posted the same message, suggesting the same people had hacked them all.

Jake Moore, a cybersecurity expert at ESET, says that by using Instagram and Facebook accounts linked to individuals, scammers give victims a false sense of security. “It’s not an Oasis Facebook group which is completely random – buying tickets there would be a complete gamble. Instead, they’re buying from people they know, or friends of friends – they’re verified. It’s doing exactly what we tell people to do,” he says.

“The scammers can check the messages before and see how you sign off – if it’s a kiss or emoji maybe – and replicate that.” Moore says criminals who may be worried about their spelling or grammar giving them away can use AI to craft their messages. “Even if you take an extra minute to reply, the other person is not going to notice – you can even tell it to sign off each one with a smiley face, for instance.”

You might think the criminals would carefully select accounts that give them the best chance of finding victims – Jones’s would have appealed because she loves live music – but the experts say that the fraud is not that sophisticated.

Ainsley says the account he originally saw compromised had not been used since 2011, so anyone doing some due diligence might have taken that as a red flag. Moore says it is simply a numbers game, with criminals breaking into as many accounts as they can.

Jones is not sure how the hackers got into her account but suspects she may have fallen victim to a phishing attack or used an insecure public wifi network.

Moore says that accounts are often compromised because people use the same password in more than one place. Criminals will try the stolen details across a range of sites – a practice known as “credential stuffing”.

In-app attacks are another way for fraudsters to get the details they need, Ainsley says. “Sometimes you will get a message that makes it look like you have been kicked off Facebook – it will ask for your details to log you back in,” he says.

The best way to protect your account is to use the social media website’s two-factor authentication or two-step verification settings. “That extra layer will push the criminals to the next account – you are not the lowest hanging fruit,” Moore says.

* Name has been changed

 
