Instagram phishing

Being the victim of a hacked Instagram account is what many of us fear. It’s even worse if it involves losing something close to our hearts like pictures — all the memories, gone in one second. 

This can happen to any Instagram or social media account through a malicious scam known as angler phishing, i.e., Instagram phishing. Hackers won’t care if you have 200 or 2 million followers. If you have an email address or phone number or anything, they want it. But, what exactly is Instagram phishing, and what are the signs of it? Let’s take a look.

    What is Instagram phishing? 

    Instagram phishing is a scam done by sending a DM (Direct Message) or a phishing email impersonating Instagram. This leads to stolen information, fake promotions advertised on your account, or loss of your account. It’s used by hackers for one main reason: to monetize your personal information. 

    Let’s say a hacker has all this stolen information. What now? Well, they can take your bank credentials, email, username, etc., and sell it on the internet or Dark Web. 

    There’s good news, though! Whenever you receive phishy looking text messages or emails, there are common signs to look out for. 

    Is security@mail.instagram.com a phishing scam?

    Many people have reportedly received strange emails from Instagram’s security@mail.instagram.com, and this is one possible phishing email example.

    I can’t personally confirm or deny if any email is a phishing attack. However, security@mail.instagram.com is an official email address belonging to Instagram.

    But be careful when reading the address though. Such emails can be easily changed into something like security@rnail.instagrarn.com to confuse the reader.

    The best way to check if you really received an email from Instagram is to go to your IG account’s Settings page > Security > Emails, and see if you’ve actually received one.

    If you’re sure that the email’s legit but still suspect something phishy, contact Instagram’s support.

    What are the signs of an Instagram phishing scam?

    Although a message may look real, always be on the lookout for these signs: 

    • Bad grammar 
    • Shortened links (Tinyurl, Bitly) in emails or messages
    • Official notifications from Instagram or Facebook sent to you via DM
    • Alarming tone or urgent requests to send money
    • Links or buttons that have sketchy re-redirecting URLs (e.g. “.cf”)  
    • The “mailed-by, signed-by & security” points in the email drop-down menu don’t match
    • Images or attachments in the email don’t fully load or are screenshots

    In rare cases, some users even received emails from a real Instagram email address, security@mail.instagram.com. Hackers most probably were able to hack the real email address and pose as the support team. However, they are humans too. Which means they make mistakes, and fortunately, that gives us the chance to avoid clicking their bait. 

    So, you’ve come across some of these signs, what then? Your best bet is to report it to Instagram. Let’s find out how in the next section. 

    How do I report phishing on Instagram? 

    If you think you’ve been hacked, follow these instructions. Or, if you’ve received suspicious emails or messages, you can try to secure or recover your account. 

    However, you can avoid taking these steps by securing your accounts beforehand and knowing what to do and what not to do.

    6 ways to lower your chances of biting the bait

    Here are some more ways you can secure your account and ensure that your details aren’t sold or distributed over the internet:

    1. Create a strong password

    Ideally, a strong password includes 14-16 characters minimum (letters, numbers, punctuation marks). A password generator from a reliable source like NordPass can also help create one for you.

    To keep your information extra secure, make sure to update all your passwords regularly.   

    1. Activate 2FA 

    Two-factor authentication is a feature that adds an extra layer of security to your account. It does this by asking for a code when logging in to a new device. You can either receive a code via SMS or generate unique ones with a third-party authentication app. Instagram recommends using either Duo mobile or Google Authenticator

    To get started go to Settings > Security > Two-factor authentication > Select Text message or Select Authentication app.

    1. Keep personal information to yourself

    Don’t give out any data to anyone – to be safe, that even includes friends or followers on Instagram.  

    1. Be wary of messages and emails 

    Any messages or emails that require you to re-enter your account details for whatever reason should always be carefully inspected. Make sure to check the legitimacy of every email at Settings > Security > Emails from Instagram. 

    If you do end up clicking on a link that redirects you to an Instagram login page, do not log in. Just to be safe, open instagram.com on a separate browser window and login through there or through your app. 

    1. Refrain from using  bots (auto-follow services) 

    We all want 1M followers, but it’s best to gain these followers and comments organically. So, I suggest staying away from using external services. It isn’t safe in terms of keeping your data secure. 

    1. Be careful when authorizing access

    Sometimes, apps that we use ask us to authorize access to our photos, contacts, microphone, etc. Whenever you receive these requests, double-check to see that it’s from an app you use and not some suspicious app or website.  

    Examples of phishing attacks on Instagram 

    Examples of phishing attacks on Instagram 

    Now that you’re prepared to spot phishing scams, let’s take a look at a couple of real-life examples. First, we have high-profile accounts that are ideal for hackers to promote many scam sites to a celebrity’s followers. Usually, a threat actor hacks the celebrity’s account without them knowing. Some common phishing tactics shown above are: 

    1. Shortened links in the account bio, which redirect users to a website with a survey asking for a person’s credentials.
    2. A separate post announcing a giveaway of gadgets.
    3. A URL link that requests users to download an app to receive a sex tape.

    Though these celebrities were all able to recover their accounts, there are cases where people lose access to them forever. For Bob Bentz, the president of a digital marketing agency, having direct contacts of the Facebook support team didn’t even help recover his account.

    "After 10 business days, I learned that they don't handle that type of thing."

    Here is another visual example of a phishing message that redirected users to a sketchy URL (instagrambluetick.ml):

    Users received a request to confirm personal information on their Instagram account to get a verified badge. We can immediately see it’s a scam by looking at the “not secure” URL and because it asks for your login details. 

    Trend Micro also reported that “once submitted, a badge notification appears, but for only four seconds. This is a trick to give users the impression that their profile has been verified.”

    Outsmarting hackers is easy – so, let’s start with the basics 

    Taking the first step to prevent Instagram phishing is simple. All you need to do is use strong passwords, regularly update them, activate 2FA on all your accounts, and check whether emails or messages are legitimate. 

    Educating yourself doesn’t take much – recovering from a successful attack does. I encourage you to learn more about hackers and their attacks below!