A new phishing scam called “The Nasty List” is going viral on Instagram. The Nasty list seems to have started earlier this week and works by using compromised accounts to send messages to users informing them they are on the Instagram Nast List.

The messages read “OMG your (sic) actually on here at number 38” and “WOW. Your (sic) on here!!! ranked 100.”

The compromised account also sends a message with a link to The Nasty List and an explanation about why the user made it on to the list. If the user follows the link they will see a convincing looking landing page with an Instagram login request. This page is, of course, fake and created by the hackers in order to gain the access credentials to more accounts.

While the page does look very convincing and familiar to any Instagram users, the URL is clearly not an Instagram URL. The URL used in one screenshot is nastylist-instatop50.me

If the user does fill and submit their login credentials on this page, after they fail to realize the page is fake, the hackers will have access to their account. It’s not entirely clear what the motive behind the hack is and whether there is a second attack using these stolen credentials that hasn’t been launched yet.

We do know that scammers attempt to send these messages to all followers of the hacked accounts they have control of.

It’s important to take a quick look at the URL anytime you are encouraged away from an app or page onto another page.

If you are one of the unlucky users that submitted your login credentials, then the first thing to do is to check that your email address and password haven’t already been changed, denying you access to your account. If they haven’t then you should go to Settings > Privacy and Security > Password, and change your password as a matter of urgency. We also recommend that you turn on two-factor authentication since it will stop hackers from being able to access your account in the future through these types of scams.

One bizarre feature of the scam has been reported by several Redditors.

Reddit user therealGreatGoose said:

When I got sent a message about the nasty list they used my first name. My name has nothing to do with my username so how could this be a hacker

Other Redditors replied to echo the same, and one added that the message had used a nickname of theirs.

Several Instagram users reported putting in their login credentials and then soon after realizing it was a scam and quickly changed their password. This has worked in the majority of cases and these accounts were not compromised, suggesting that the hackers don’t act immediately – but you absolutely should.

Tips to keep your social media accounts safe from hackers

• Use two-factor authentication on your accounts
• Use strong passwords and a password management program
• Change your password regularly and don’t use the same password across different accounts
• Be selective with third-party applications
• Close old or inactive social media accounts