RESEARCH

POST GRAMS NOT SCAMS:

DETECTING MONEY FLIPPING SCAMS ON INSTAGRAM

USING MACHINE LEARNING
ZEROFOX RESEARCH AND DEVELOPMENT
Philip Tully, PhD -- Senior Data Scientist
John Seymour -- Data Scientist
Spencer Wolfe -- Research Writer

As more people become connected on social platforms,

cyber criminals find themselves with more numerous and
accessible potential targets than ever before. Over a 4
month period in 2015, the ZeroFOX Research Team built
a machine learning classifier and identified thousands
scams targeting major financial institutions and their
customers across Instagram. The results of the study shine
a light on a growing problem with serious impacts on
financial institutions bottomlines.

ZEROFOX RESEARCH

//

Detecting Money Flipping Scams on Instagram Using Machine Learning

TABLE OF CONTENTS

1. Executive Summary & Findings

2. Introduction
2.1 Scams in the Digital Age

2.2 Money Flipping Scams on Instagram
3. The Anatomy of a Money Flipping Scam

3.1 Typical Scam Attributes

3.2 Two Honeypots: Engaging the Scammers

4. To Build a Predictive Model

4.1 Why Machine Learning?

4.2 Data Collection & Training

4.3 Most Common Classifier Features

4.4 Image Features

4.5 Behavioral Features

4.6 The Payload: URLs, Direct Messages & Phone Numbers

4.7 Topic Clustering & Feature Co-Occurrence

4.8 Financial Institutions Without Verified Instagram Accounts

4.9 The Knights & Knaves of Instagram
5. Scam Persistence Over Time and Social Networks
5.1 Decay Rate of Scams

5.2 Money Flipping Scams Across Social Networks

5.3 Other Types of Social Media Scams
6. Estimating the Cost
7. Conclusions & Recommendations
8. References

ZeroFOX 2016 All Rights Reserved

ZEROFOX RESEARCH

//

Detecting Money Flipping Scams on Instagram Using Machine Learning

1. EXECUTIVE SUMMARY & FINDINGS

The rise of social networking has created an

unprecedented platform for the average Joe to engage
and interact on a global scale. From sharing pictures of
cats to organizing revolutions, social media has radically
transformed the nature of human communication.

Instagram posts in relation to 37 of the biggest US

financial institutions. Over the course of the study, the
classifier analyzed over 2 million historical posts from
the last 2 years. In addition, ZeroFOX engaged with
scammers using a honey-pot Instagram account in order
to better understand their tactics.

There is, unfortunately, a darker side to this evolution.

As more and more people become connected on social
platforms, cyber criminals find themselves with more
numerous and accessible potential targets than ever
before. Social medias inherent trust, ease of use, scale,
and anonymity render it the ideal platform for cyber
criminals and scammers.

The scams, called money flipping scams, extort victims

into sending money or disclosing banking information.
The scammer promises to flip their money and return
a huge profit. The scammers use Instagram to advertise
their services with pictures of money, luxury goods and
drugs as well as hijacking bank hashtags to target banks
consumers. They target the poor and members of the
military in particular. At the end of the day, the banks often
eat the cost, resulting in a considerable financial loss for
both consumers and banks alike.

Over a 4 month period in 2015, the ZeroFOX Research

Team identified thousands scams targeting major financial
institutions and their customers across Instagram. The
team built a machine learning classifier and analyzed

BY THE NUMBERS:

2M

80%

INSTAGRAM POSTS
ANALYZED BY ZEROFOX

SCAMS CREATED
FOR EVERY 1 TAKEN DOWN

OF SCAM POSTS WITH A LIFESPAN

GREATER THAN 45 DAYS

4,574

37

23

TOTAL NUMBER OF UNIQUE

SCAMS IDENTIFIED BY THE
ZEROFOX CLASSIFIER

NUMBER OF TOP FINANCIAL

INSTITUTIONS HASHTAGS
USED TO GATHER DATA

SCAMMERS THAT ENGAGED OUR

BURNER PROFILE AFTER FOLLOWING
MAJOR FINANCIAL INSTITUTIONS

1,386

98.74%

$420M

UNIQUE SCAMMER ACCOUNTS

ACTIVELY CREATING MONEY
FLIPPING POSTS

ACCURACY OF THE
PREDICTIVE MODEL

ESTIMATED GLOBAL COST TO BANKS

OF INSTAGRAM MONEY FLIPPING
SCAMS OVER ONE YEAR

ZeroFOX 2016 All Rights Reserved

ZEROFOX RESEARCH

//

Detecting Money Flipping Scams on Instagram Using Machine Learning

2. INTRODUCTION
2.1 SCAMS IN THE DIGITAL AGE

oo-good-to-be-true schemes are one of the oldest

tricks in the book. The art was perfected in the midnineteenth century by William Thompson, who roamed
the streets of Manhattan persuading passers-by to lend
him their watch. This quintessential con-man would
simply ask his target if they, had the confidence to loan
him their watch for a day, and the target would often
comply. Thompson would never be seen again. Social
engineering has transferred well from the Industrial Age to
the Information Age, manifesting now in the form of digital
get-rich-quick scams.

Although an individual customer is the intended target of a

scam campaign, the downstream repercussions inevitably
fall at the feet of the exploited financial institution. These
scams tarnish reputations and ultimately impact the
firms bottom line. The 2015 Centre for the Study of
Financial Innovation Banking Banana Skins highlighted
risks associated with a banks reputation being harmed
by social media with or without sound evidence [20]. In
todays high stakes social media climate, brands are only
one post away from a public relations meltdown.
For a more in depth analysis of the costs, see section 6.

With the advent of social networking, never in the history

of illegal activity have so many targets been so accessible
and so trusting. From the palm of their hand, anyone
with a 15 minutes and a coffee-shop wifi connection can
launch a scam that has significant impacts on the bottom
line of Fortune 50 institutions.
Social networks have become the go-to delivery
mechanism for scams, exploiting trusted relationships and
propagating attacks at scale. In 2014, more than 2,600
cases of scam activity resulted in more than $6 million in
losses according to the American Banking Association
[1]. Customer cases can involve several hundreds [2, 3]
or thousands [4, 5] of dollars in reported losses. Ciscos
2016 annual security report identifies social network
scams as the most frequently used attack methods to
breach a corporate network [6]. According to the FBI,
12% of all fraud is social media related, a quadrupling
compared to the five years prior [7]. McAfee reported that
more employees have experienced cybercrime on social
media than any other platform, including email and file
sharing [8]. In other words, the problem is here to stay.
To combat these recent trends, consumer protection
agencies have recommended users to follow the
common sense too good to be true idiom [9, 10].
Individual financial institutions themselves have echoed
such warnings to their own customers [11-19]. But the
dont be dumb solution is no longer a viable remedy
for financial institutions vulnerable to scams, and
unfortunately, the good guys are losing the fight.

ZeroFOX 2016 All Rights Reserved

2.2 MONEY FLIPPING SCAMS ON INSTAGRAM

nline scamming spans nearly any platform with

unregulated user interaction, but certain social
networks have proven themselves to be particularly
lucrative for scammers. The focus of this study is
Instagram, which is often exploited by opportunistic users
seeking to defraud the customers of financial institutions.
The most popular Instagram scam is the money flip. A
typical online money flipping scam will advertise a service
in which the scammer takes a bank customers money,
anywhere between $50-1000, and attempt to flip it,
ultimately promising a huge return of 10x or more. Of
course, after the money has been sent, the scammer
never delivers on the deal. A card-cracking variation
involves seizing the victims bank account information,
depositing counterfeit checks, and subsequently
withdrawing against these deposits before the bank
catches on.

ZEROFOX RESEARCH

//

Detecting Money Flipping Scams on Instagram Using Machine Learning

3. THE ANATOMY OF A MONEY FLIPPING SCAM

3.1 TYPICAL SCAM ATTRIBUTES

o best understand the nature of the scams, we first

elected to do a deep dive on a small sample. This
involved documenting some general patterns as well
as engaging with scammers to identify their tactics
techniques and procedures (TTPs). This information would
later be used for developing our predictive models.
We observed some general patterns in money flipping
scam posts.
Scammers preyed upon users they suspected were in
dire financial circumstances; for example, people with
outstanding debt or unpaid bills. By appealing to their
sense of desperation, scammers hoped to make them
think that relief was a just few simple steps away.
Scammers often led their victims to believe that they
were doing them a favor or that any attention they
received was important, and encouraged them not
to bother unless they were serious about engaging
in the scam process. In this way, scammers hoped
to elevate themselves to a position of authority from
which it would become easier to rationalize their
bizarre demands.
As a throwback to the classic hustle, scammers
tried to create a sense of urgency by encouraging
victims into making impulsive choices. By fostering
the perception that opportunities were time sensitive,
scammers attempted to capitalize on impaired or
rushed decision making.
Scammers utilized alluring symbols of wealth and
success to provoke envy. They sought to engender
jealousy and compel victims to jump on their figurative
bandwagon.
Oftentimes, the scammers employed accomplices
who made comments on the scam posts and offered
believable testimonials about the advertised process.
These modern day shills offered deceptions such as,
I cant believe it really works! and, I did this last
week, this is so legit.

ZeroFOX 2016 All Rights Reserved

ZEROFOX RESEARCH

//

Detecting Money Flipping Scams on Instagram Using Machine Learning

3.2 TWO CASE STUDIES: ENGAGING THE SCAMMERS

o further investigate the substance behind the scamming

process, we conducted two separate case studies. We
created a burner Instagram account to act as a honeypot: we
posed as victims and went as far into the process as possible
without actually handing over any money.
First, we followed all of the financial institutions with
verified presences on Instagram that were subject to scam
campaigns. Surprisingly, we amassed 23 scam account
followers within 48 hours of our initial follow of financial
institutions. These observations imply that scammers
are aggressively monitoring fresh followers of financial
institutions in order to execute a scam. This should be
alarming for any financial institution leveraging social media;
for every customer that follows a brand account, expect them
to get dozens of follow requests from scammers.

WE AMASSED 23 SCAM ACCOUNT

FOLLOWERS WITHIN 48 HOURS
AFTER OUR INITIAL FOLLOW OF
FINANCIAL INSTITUTIONS

Next, we reciprocated follow requests with each of the

scammers that sent us follow requests, thus enabling them
to direct message (DM) us. Two of the scammers messaged
us and initiated the scam process, so we documented our
interactions (Scammer 1 and 2 henceforth).
Scammer 1 attempted to convince us to send them our
physical bank card and PIN, which would have granted
them access to our account (Figure 1). The actor later
described that they would deposit checks into our account
and compensate us ten- or twenty-fold after the fact. What
wouldve actually happened is as follows: the scammer would
have deposited a fake check into our account, then would
immediately withdraw $200 using an ATM. Most banks make
this amount available, even before a check fully clears, as a
benefit to their users. Next, the check would bounce. The
scammers often assure their victims that they dont need any
money in their account, meaning the scammers likely arent
simply withdrawing money. The process of withdrawing the
ATM limit and bouncing checks assures the scammer a
consistent return. This means the victim would be responsible
for the missing $200, along with any overdraft fees. More
often than not, the bank will absorb this cost if the victims
reports the fraud. For the scammer, the value of this cardcracking scam is that there does not need to be any initial
balance in our account in order for the scam to work; in fact,
the scammer boasted about this fact in an attempt to increase
his perceived legitimacy.
FIGURE 1.

Scammer 1 asking directly for bank card

via DM.
ZeroFOX 2016 All Rights Reserved

ZEROFOX RESEARCH

//

Detecting Money Flipping Scams on Instagram Using Machine Learning

Selections from our interactions with Scammer 2 are

exhibited in Figures 2 and 3. In this scam, we were
instructed to purchase a Western Union cash transfer at
our local pharmacy and send the scammer the receipt
of the transaction, which included both the tracking and
PIN. Instead of splitting the surplus cash as promised,
the scammer would have proceeded to walk off with the
transferred money. Variations on this scam interchange
Western Union for MoneyGram wire transfers or prepaid
cards like GreenDot MoneyPaks or Vanilla Reloads, all due
to their borderline untraceability. This time, we took the
opportunity to upload a fake receipt to an image hosting
service, wrap the image URL with an IP logger, and shorten
the URL to disguise our intention. The scammer proceeded to
click on the URL, which in turn revealed to us his IP, relative
location, and hostname.

FOR EVERY FINANCIAL

INSTITUTION CUSTOMER THAT
FOLLOWS A BRAND ACCOUNT,
EXPECT THEM TO GET DOZENS
OF FOLLOW REQUESTS FROM
SCAMMERS

FIGURE 2.

FIGURE 3.

Scammer 2 asking for a Western

Union transfer receipt.

Scammer 2 copy and pasted an

IP tracking link.

ZeroFOX 2016 All Rights Reserved

ZEROFOX RESEARCH

//

Detecting Money Flipping Scams on Instagram Using Machine Learning

4. TO BUILD A PREDICTIVE MODEL

4.1 WHY MACHINE LEARNING

4.2 DATA COLLECTION AND TRAINING

ny social media-savvy human observer is likely capable

of detecting the money flipping scams described in
Section 3. The features and characteristics of Instagram
posts are rather obvious for you or me to weigh and
decide if the intention is to flip money. But Instagram users
share up to a whopping 95 million photos each and every
day [21], putting the problem out of reach for individuals
and institutions that are constrained by time and other
resources. In other words, throwing more and more bodies
at the issue is not a scalable solution. At the same time,
the problem is not amenable to ad hoc approaches like
word matching because the simple presence of individual
words like money or the name of a specific bank will
inevitably create a slew of useless false positives. Where
an ad hoc approach fails, data-driven approaches, and in
particular supervised learning, shine.
To tackle the problem of money flipping scams, ZeroFOX
developed machine learning algorithms that classify
Instagram posts as scams. The predictive model assesses
hundreds of attributes to predict with nearly 99% accuracy
whether or not a post is a scam. This technology is part of
a suite of ZeroFOX tools that automatically churn through
terabytes of incoming social media content. ZeroFOX
technology distills this data into actionable alerts by
performing complex analyses in real-time.
In short, ZeroFOX uses machine learning to detect
malicious activity because classifiers are ideal for solving
the myriad of challenges posed by working with datasets
as large and dynamic as social media.

nstagram posts were acquired by pulling subsets of

users and hashtags associated with large financial
institutions (e.g. any posts using either #bank_abc and
#bankabc were pulled) via the Instagram API. The most
recent 2,009,081 posts were run through our predictive
model which verified 4,574 (0.24%) unique money flipping
scams made by 1,386 unique accounts.
To build a representative training dataset for the model, the
ZeroFOX Research Team leveraged Amazons Mechanical
Turk to classify a smaller corpus of posts. This set was
used use to train the classifier to an acceptably high
accuracy, after which it began classifying posts in the wild.
The algorithm has been retrained multiple times to further
refine its effectiveness.

Raw Instagram Data

Training

Lable Data

Benign
Raw Instagram Data
Malicious
Predictive Model

Predicitng
ZeroFOX 2016 All Rights Reserved

10

ZEROFOX RESEARCH

//

Detecting Money Flipping Scams on Instagram Using Machine Learning

4.3 MOST COMMON MONEY FLIPPING SCAM FEATURES

here were numerous features shared by money flipping

posts. The classifier evaluated words, emojis and hashtags
to find common trends between them. An overwhelming volume
of posts contained attributes relating to money; this was true for
word choice, emojis and hashtags (Figures 4-6).
By using bank-related hashtags, the scammers ensure their
posts are seen by a specific target audience (ie: people with
credit cards or bank accounts). Moreover, using branded
hashtags hijacks the hard-earned trust that the banks have built
with their followers.

THE CLASSIFIER EVALUATED

WORDS, EMOJIS AND HASHTAGS
AS A WAY OF FINDING COMMON
TRENDS BETWEEN THESE POSTS

FIGURE 4.*

FIGURE 5.

Wordcloud in which word size encodes frequency.

Emoji wordcloud, size as in Figure 4.

FIGURE 6.*

Bar graph of most popular hashtags used within scam posts.

ZeroFOX 2016 All Rights Reserved

* Bank names have been redacted due to privacy considerations

11

ZEROFOX RESEARCH

//

Detecting Money Flipping Scams on Instagram Using Machine Learning

4.4 IMAGE RECOGNITION

nstagram posts are based around sharing

images, and in addition to text features, scam
posts also shared common image features; the
most frequent being the presence of money. Other
common features were bank logos, receipts, people
posing with money, attractive women, drugs and
paraphernalia, credit cards, screenshots of bank
accounts, expensive cars, shoes and watches.

FIGURE 7.

FIGURE 8.

Original scam image, pulled

from social media post.

Result of greyscale and pixel

normalization.

We used optical character recognition (OCR), a

technique to extract and analyze text embedded
within images. We found that 1,156 out of the 4,574
(25.3%) of scam images contained text (Figure 7).
We transformed the original image in order to filter
out noise (Figure 8) and then used OCR to extract
the text from the images (Figure 9). We believe that
this is used at least partially for evading detection,
due to the level of effort involved in crafting these
custom images.

4.5 BEHAVIORAL FEATURES

n order to further refine the performance of our model, we also took into account
behavioral and engagement metrics such as number of likes, comments, hashtags
and more. We found high separability between the number of hashtags in scam
posts as compared to benign posts, meaning the number of hashtags was a
powerful predictor to determine whether a post was a scam or not (Figure 10).
Furthemore, we found that scam posts demonstrated a lower number of likes
compared to their benign counterparts (Figure 11).

FIGURE 9.

Output string after OCR.

FIGURE 10.

FIGURE 11.

Boxplots whose negligible overlap indicates

that scams (blue) tend to display more
hashtags than benign posts (green).

Boxplots as in Figure10, but depicting the

difference between scam and benign posts
in terms of like count.

ZeroFOX 2016 All Rights Reserved

12

ZEROFOX RESEARCH

//

Detecting Money Flipping Scams on Instagram Using Machine Learning

4.6 TOPIC MODELING AND FEATURE CO-OCCURENCE

o gain deeper insights into the most commonly cooccurring features, cluster analysis was performed on
the data with normalization based on the number of scams
per hashtag. Military-centric institutions are clustered
together. We conclude from this that military members are
specifically targeted by scammers.
For further evidence of this conclusion, topic models
were built to uncover thematic structures within the
data. A topic model is a probabilistic model that clusters
topics by choosing the strongest hypothesis for how the
documents in the dataset were created (Figure 12). Topic
model showed that military-related keywords are clustered
together in intertopic distance space (Figure 12A),
providing further evidence that military members may be
specific targets of scam campaigns on Instagram.
The data also showed that location-related terms (Figure
12B) and holiday-related terms formed clusters, which
sheds light on some other tactics employed by scammers.
They may be trying to gain trust based on an individuals
location or use a victims desperation around the holidays
to propagate their attacks.

FIGURE 12.

Thirty topics, chosen to guarantee sufficient coverage,

were projected into two dimensions via Principle
Component Analysis and then visualized as an
Intertopic Distance Map. Selected clusters are colorcoded according to the estimated term frequency of
their component words from A and B.

FIGURE 12A.*

FIGURE 12B.

Topic 20 consists primarily of military-specific words.

Topic 13 consists primarily of location-specific words.

* Bank names have been redacted due to privacy considerations

ZeroFOX 2016 All Rights Reserved

13

ZEROFOX RESEARCH

//

Detecting Money Flipping Scams on Instagram Using Machine Learning

4.7 THE PAYLOAD: URLs, DIRECT MESSAGES AND

PHONE NUMBERS

cammers offer several methods for their potential

victims to contact them, either by phone, URL, email
or DM. We found 29 unique URLs and ran them through
the ZeroFOX Platform for analysis. All of them directed
to either phishing pages, spam or pornographic content.
We also identified 1,020 posts (22.2%) that contained
invitations for direct message (DM) contact, emails and
723 unique US phone numbers.
Use of direct messages and phone numbers shows that
scammers prefer to engage their victims through private
channels, which are not as vulnerable to public scrutiny.
Interestingly, Michigan proved to have the most scammer
phone numbers. Besides Michigan, the most common
area code location corresponds predictably with state
population: Illinois, New York, California, Florida and Texas
(Figure 13).

4.8 FINANCIAL INSTITUTIONS WITHOUT A SOCIAL

PRESENCE ARE TARGETS AS WELL
12 out of the 37 institutions included in the study (32.4%)
did not have official Instagram accounts. 1,929 out of all
4,574 scam posts (42.2%) contained hashtags associated
with these institutions. The rate of scam hashtags targeting
institutions without verified Instagram accounts (2,770
out of 355,116, or .78%) was almost as high as the rate
of those with verified accounts (11,770 out of 1,130,676,
or 1.04%). The difference between these rates was
not significant. Taken together, this data reinforces the
notion that institutions were exploited regardless of their
decisions to engage or disengage with social media.

ZeroFOX 2016 All Rights Reserved

FIGURE 13.

Heatmap of phone numbers contained within scam posts,

based on area code.

FINANCIAL INSTITUTIONS WERE

EXPLOITED REGARDLESS OF
THEIR DECISIONS TO ENGAGE OR
DISENGAGE WITH SOCIAL MEDIA

14

ZEROFOX RESEARCH

//

Detecting Money Flipping Scams on Instagram Using Machine Learning

4.7 THE KNIGHTS AND KNAVES OF INSTAGRAM

e noticed a variety of posts that shared numerous

features with scams, but were not scams
themselves. They turned out to be do-good Instagram
users creating accounts dedicated to exposing scammers.
We call these users knights (Figure 14). Because a
knight is trying to address similar audiences as scammers,
they end up using similar words, hashtags, and photos
(Figure 14). Considering these similarities, our initial
model struggled to correctly classify knights as benign.
Some scammers picked up on the knights tactics and
adapted to their techniques. They would imitate knight
accounts and expose other scammers to gain legitimacy
with potential victims. We refer to these accounts as
knaves. Once again, knaves proved to share many
commonalities with both knights and traditional scammers,
making it extremely difficult for our initial model to segment
them properly.

FIGURE 14.

A screenshot of a knight in action. This is a benign post,

yet it shares many features in common with scams like
#moneygram and #noscams.

After adding both knights and knaves to our training set

and recalibrating our classifier, we ultimately sharpened
the models boundary between what did and what did not
constitute a scam. This required refining all aspects of the
aforementioned strategies: textual analysis, engagement
analysis, topic modeling, and OCR. The overall accuracy
of the final model sits at nearly 99%. The model is able
to consistently distinguish between benign posts and
scam posts, including knights and knaves. The models
ability to classify such boundary cases demonstrates its
effectiveness and low trade-off between generalizability
and precision.

FIGURE 15.

A screenshot example of a scam. Note the #noscams

and #westernunion tags as portrayed by the knight in
Figure 13. The money with wings emoji also appears in
both.

FIGURE 16.

A screenshot of a knave adopting knight tactics. The

scammer seems to request information about other
scammers in order to stop them, but actually claims to
be the only source for legitimate money flips.
ZeroFOX 2016 All Rights Reserved

15

ZEROFOX RESEARCH

//

Detecting Money Flipping Scams on Instagram Using Machine Learning

5. SCAM PERSISTENCE OVER TIME AND PLATFORM

5.1 DECAY RATE OF SCAMS

e extracted the date of creation from each of the

scam posts and estimated the frequency of scams
being posted on Instagram (Figure 17). An insignificant
number of scams occur before August 2013, with the
oldest scam occurring in June 2012. Note that these
numbers tend to underestimate the number of scams
posted each month; posts may be reported to Instagram
and removed. We found that scams were posted most
frequently during September 2014, with September 8th,
2014 displaying the largest number of scam posts in a
single day.
We selected a random sample of recent scam posts
to track over time in order to estimate the number of
scams taken down per day. Over a 45 day period, we
intermittently made requests for these scams, recording
whether or not the content for our requested posts had
been removed (Figure 18). After 45 days, approximately
80% of the scams were still accessible. This translated
to an average of 1.8 scams taken down each day, which
contrasted with an average of 5.6 scams created each day
over a similar period of time. This means that scams are
created at more than 3 times the rate they were removed,
indicating that the total number of scams on Instagram will
continue to grow absent additional intervention.

FIGURE 18

Estimating the lifetime of a scam: 80% of scams

remained 45 days after we first recorded their
presence, suggesting a need for additional
countermeasures.

FIGURE 17

Histogram of scams based on their posted date, binned by month.

ZeroFOX 2016 All Rights Reserved

16

ZEROFOX RESEARCH

//

Detecting Money Flipping Scams on Instagram Using Machine Learning

5.2 MONEY FLIPPING SCAMS ACROSS SOCIAL NETWORKS

ot only do scams persist over time, they also spread

across different social media platforms. Because
scams were so prevalent on Instagram, we performed
pilot experiments on Twitter to compare rates of crossplatform scam proliferation. We found preliminary
evidence in the form of 73 scams out of 340,269 Twitter
posts analyzed (.022%). We also found similar scams

ZeroFOX 2016 All Rights Reserved

on Facebook, Google+, Youtube and Pinterest. Scams

displayed similar characteristics to those we previously
found on Instagram, indicating that this behavior can
be successfully detected using our predictive model,
given same level of historical data access as through the
Instagram API.

17

ZEROFOX RESEARCH

//

Detecting Money Flipping Scams on Instagram Using Machine Learning

6. ESTIMATING THE COSTS

rom the roughly 2M posts analyzed, the classifier

identified about 4,500 unique scams with close to 99%
accuracy, but only about 40% of the total posts leveraging
bank hashtags were collected in this study. Thus it can be
comfortably assumed that there are about 10,000 unique
scam posts live today on Instagram that abuse bank
hashtags.
Since not all scams leverage bank hashtags, it can be
can assumed that 10,000 scams is only a snapshot of
the problem. Try it for yourself: plugging in the search
term #moneyflip into the Instagram search box returns
a whopping 200,000 results, nearly all of them scams.
Combining these numbers, and assuming there are money
flipping scams that remain which do no leverage either
#moneyflip or bank-specific hashtags, we are confident
that 250,000 posts is a conservative estimate for how
many live scams exist on Instagram today.
Section 5.1 showed that 20% of these scams will decay
over a 45 day period time, but 3x more scams will be
posted within the same interval. Assuming constant
absolute growth, meaning there will be no acceleration in
how frequently scams are posted or how quickly they are
taken down, we can calculate the number of scams that
exist after t months using Eqaution 1.

In Eq 1, - = 0.2 is the rate of scams taken down over t

=1.5 months, + = 0.6 is the rate of scam takedowns within
that same period, = 0.4 is the composite rate of growth
in scams within that period, and Nscams(t) is the function that
defines the number of scams that will exist t months from
now. Starting with the initial value of Nscams(0) = 250,000
stated above, we can extrapolate that, ceteris paribus,
Nscams(12) = 1.05 million unique scams will be live at some
point over the course of the next year.
Next, the overall annual cost for a financial institution and
their customers is approximated from the number of scams
that will exist one year from now using Eq 1. Given the
number of existing scams, we estimate the overall cost C
simply by multiplying this figure by two additional unknown
variables, the average success rate of a single scam r and
the average cost per scam c. Equation 2 describes this
calculation.

EQUATION 2.

Global annual cost of scams assuming success rate

and average cost of a single scam.

EQUATION 1.

Number of scams posted over the course of a year

assuming constant absolute growth.

ZeroFOX 2016 All Rights Reserved

18

ZEROFOX RESEARCH

//

Detecting Money Flipping Scams on Instagram Using Machine Learning

The two different types of scams highlighted in section

3, check bounce and direct money transfer scams, have
different potential outcomes. For the former, the lower
limit that a scammer can withdraw is $200 assuming the
account is empty. If it isnt, they can withdraw as much as
the ATM(s) will allow. For the latter, the scammer gets as
much money as he can extort from the victim. The vast majority of scam posts advertise an initial investment between
$100-1000. Using the variables from Eq 2, Figure 19 lists
possible scenarios and their overall cost outcomes C using the success rate r assumed to vary from .25 per scam
to 4 per scam and an average cost per scam c assumed to
vary from $100 up to $500.

Avg. Cost (c) $100

In the course of year, we can safely assume that the cost

of money flipping scams on Instagram is well into the hundreds of millions of dollars. Whether that is on part of the
financial institutions or their customers should be equally
concerning. Consider now that this study only considers
one breed of financial scam on a single network. As indicated in Section 5.2, initial testing shows that these scams
persist across all major social networks. As the return on
investment for scammers continues to pay off, mitigating
steps need to be considered in order to protect financial
institutions and their customers.

$200

$300

$400

$500

Success Rate (r)

.25

26,500,000

52,500,000

78,750,000

105,000,000

131,250,000

.5

52,500,000

105,000,000

157,500,000

210,000,000

262,500,000

105,000,000

210,000,000

315,000,000

420,000,000

525,000,000

ZeroFOX Estimate

210,000,000

420,000,000

630,000,000

840,000,000

1,050,000,000

420,000,000

840,000,000

1,260,000,000

1,680,000,000

2,100,000,000

FIGURE 19.

Potential outcomes estimate the annual cost over the course of a year to financial institutions and/or their customers, or
in other words C as a function of the 2 variables r and c as defined by Eq 2. Highlighted cell represents the most likely
scenaio considering all available data.

ZeroFOX 2016 All Rights Reserved

19

ZEROFOX RESEARCH

//

Detecting Money Flipping Scams on Instagram Using Machine Learning

7. CONCLUSION AND RECOMMENDATIONS

he rise of social media has ushered in an era of rapid and

widespread access to information, but its assets do not come
without potential liabilities. While digital communication is as
accessible as ever, the information being communicated can benign
or malicious. In platform with inbuilt scale, trust, and anonymity, the
prevalence of malicious content is on the rise, making it a veritable
petri dish for the propagation of cyber attacks and scams.
Our research highlights interesting computational aspects of analyzing
data unique to the domain of social media. Several domain-specific
issues arose during model development including how to address
image aftereffects like superimposed text, sentiment, syntax identifiers
like #hashtags and @mentions, sparseness and heterogeneity
of language (e.g. slang), emojis and other informative character
combinations that are absent from traditional text corpora. Despite
these challenges, our model robustly characterizes the nature and
prevalence of scams, revealing tactics and hypothesizing motivations
using a large, heterogeneous set of supporting data.

OUR RESEARCH INDICATES

THAT THERE ARE NO
SERIOUS EFFORTS BEING
TAKEN TO SYSTEMATICALLY
REMEDIATE SCAMS

Our ensuing analyses make use of this model to expose systemic

abuse on Instagram in the form of money flipping scams. We
unearthed a troubling trend and outlined its snare on several highprofile U.S. banks, credit card companies and insurance companies.
Specifically, we noticed an alarming use of assets directly or indirectly
linked to large financial institutions as vehicles to spread scams. This
abuse is not unique to Instagram.
More urgently, based on historical scam analyses, it is reasonable to
conclude that there are no serious efforts being taken to systematically
remediate scams. That scams are created at an estimated 3x higher
rate than they are taken down on a daily basis underscores the
problem is not going away anytime soon.
Our results illuminate the broader challenge of detecting threats
on social media, which is increasingly exploited by malicious
actors to undermine banks brand integrity and bottomline. Affected
organizations need to take an automated, data-drive approach to
identifying and remediating social media threats, including, but
certainly not limitied to, money flipping scams on Instagram. The
classifier deatiled in this report is a live feature in the ZeroFOX
Platform, actively identifying and helping remediate scams. For more
information about how ZeroFOX can help organizations protect
themselves on social media, visit zerofox.com.

ZeroFOX 2016 All Rights Reserved

AFFECTED ORGANIZATIONS
NEED TO TAKE AN
AUTOMATED, DATA-DRIVE
APPROACH TO IDENTIFYING
AND REMEDIATING SOCIAL
MEDIA THREATS, INCLUDING
MONEY FLIPPING SCAMS ON
INSTAGRAM
20

ZEROFOX RESEARCH

//

Detecting Money Flipping Scams on Instagram Using Machine Learning

ABOUT ZEROFOX
ZeroFOX, the innovator of social media security, protects
modern organizations from the dynamic risks of social
media and digital channels. Each day, ZeroFOXs cloudbased, SaaS platform processes millions of posts
and accounts across the social landscape, spanning
Facebook, LinkedIn, Twitter, Instagram, Google+, YouTube
and more. Using targeted data collection, intelligent
analysis and automated remediation, ZeroFOX protects
businesses and government agencies around the world
against phishing attacks, information loss, account
compromise, fraud, compliance violations and financial
loss.
Led by a team of information security and high-growth
start-up veterans, ZeroFOX has raised over $40M in
funding from NEA, Highland Capital and others, and
has collected top industry awards such as the SINET16
Champion, DarkReadings Top Security Startups to
Watch, Tech Council of Marylands Technology Company
of the Year, and the Security Tech Trailblazer of the Year.

ZeroFOX 2016 All Rights Reserved

ZEROFOX RESEARCH TEAM

The ZeroFOX Research Team is dedicated to investigating
malicious activity on social media to better understand
how to protect people and organizations alike. Our
group is composed of curious and determined scientists,
engineers and writers; both techies and storytellers. We
are committed to integrity in all aspects of our research
process, from data collection to reporting.
All the information in this report is publicly available
data collected using the network APIs. No confidential
customer information is contained in the report.
Additionally, no foxes were harmed in the writing of this
white paper.

21

ZEROFOX RESEARCH

//

Detecting Money Flipping Scams on Instagram Using Machine Learning

8. REFERENCES

1.
2.
3.
4.
5.

http://www.aba.com/tools/function/cyber/pages/card-cracking.aspx
http://wspa.com/2015/07/23/flipping-money-scam-growing-on-social-media/
http://www.cleveland.com/broadview-heights/index.ssf/2013/11/instagram_fraud_scams_woman_ou.html
http://www.fraud.org/component/content/article/2-uncategorised/80
http://www.omaha.com/news/metro/instagram-bank-scam-costs-omaha-woman/article_4743b3e8-a5e1-5e68-901ee9fce9291803.html
6. http://www.cisco.com/c/dam/assets/offers/pdfs/cisco-asr-2016.pdf
7. https://www.fbi.gov/news/news_blog/2014-ic3-annual-report
8. http://www.mcafee.com/us/resources/reports/rp-six-trends-security.pdf
9. http://www.fraud.org/component/content/article/2-uncategorised/71-flipping-money-scammers-lurking-in-social-media
10. http://www.bbb.org/blog/2015/08/spot-a-money-flipping-scam-on-instagram/
11. http://blogs.wf.com/news/2015/09/two-common-social-media-scams-avoid/
12. https://www.westernunion.com/us/en/fraudawareness/fraud-types.html
13. https://communities.usaa.com/t5/USAA-News/Insta-Scam-Fraudsters-Target-USAA-Members-with-Card-Cracking/bap/64486
14. https://www.navyfederal.org/life-money/managing-your-money/articles/security/social-media-scams.php
15. https://www.midwestone.com/customer-service/privacy-and-security/fraud-info/avoid-card-cracking-scam
16. https://www.bethpagefcu.com/advice-planning/fraud-protection/social-media-fraud.aspx
17. https://www.veridiancu.org/news/advice/common-scams-and-how-to-avoid-them.aspx
18. http://blog.nasafcu.com/2015/09/instagram-money-scam-involves-your-debit-card-and-pin/
19. http://www.thevictorybank.com/Banking/Online/Card%20Cracking%20Alert-5-19-15.pdf
20. http://www.pwc.com/gx/en/financial-services/pdf/Banking-banana-skins-2015-final.pdf
21. https://www.instagram.com/press/

ZeroFOX 2016 All Rights Reserved

22

ZEROFOX RESEARCH

//

Detecting Money Flipping Scams on Instagram Using Machine Learning

ZeroFOX 2016 All Rights Reserved

23