November 25, 2023

Instagram Phishing on the Rise

Instagram's popularity cannot be denied. As of January 2023, Instagram had over two billion monthly active users. But with big numbers comes big-time scam attempts. With the amount of personal data shared and stored by social media platforms, they are a treasure trove of data and a playground for hackers and bad actors.

The number of Instagram-based phishing incidents has gone through the roof recently. Thanks to more remote working, people are more isolated than ever, away from their friends, advisors, and sounding boards. That means they're more vulnerable to phishing than ever.

There are dozens of variations on Instagram phishing scams. Even the official support page admits that it's a problem. As it turns out, sometimes you can't even trust an Instagram security Email that appears to come from a legitimate address such as security@mail.instagram.com.

A combination of well-forged source addresses, potentially shoddy internal security, and common visual text tricks should make any Instagram user think twice before clicking a link inside one of their support Emails.

In this article, we'll explain all of the recent trends in Instagram phishing, some of the most common ways to protect your Instagram account, and we'll also talk about a security and privacy utility that can help to make phishing Emails a thing of the past.


What Kind of Instagram Phishing Attempts Are Out There?

Without a doubt, the most common Instagram phishing attempt is via a forged Email. The user will receive a legitimate-looking Instagram security Email. The address of security@mail.instagram.com is emblazoned proudly in the 'From' field of the Email.

Or is it?

This is the first trick that scammers use. It's quick and dirty but passes visual inspection a lot of the time. Look at the characters 'r' and 'n' on the keyboard. When typed right next to each other, they look a lot like the letter 'm', don't they?

Let's say someone registered the domain 'instagrarn.com'. That's i-n-s-t-a-g-r-a-r-n. But if you look at it quickly, you might not even notice the difference if you're using certain fonts. Particularly if the contents of the Email look legit. This is the first phishing scam...

Domain lookalikes

By registering a domain that looks quite similar to a popular website, scammers attempt to trick the human mind into making a bad assumption. The supposedly official Email from Instagram is actually from 'Instagrarn'. And the links they sent are an attempt to capture your login information. So don't click.

In fact, that's the best advice possible: Never click on a password reset or account status link in E-mail unless you personally requested it from the site itself. Never trust an unsolicited E-mail, not even from support. Always go right to the source website by typing it into your browser's address bar manually, or by using the official app. Then trigger any password change or informational updates from there.

Email Spoofing

But let's say that the 'From' address on the Email is actually spelled correctly. You can check it letter by letter, and it certainly seems legitimate. It's spelled correctly, and you even might know that Instagram uses this exact address to send out security announcements.

Don't click that link. The sender address may well have been forged, a technique known as address forging or Email spoofing. This happens when an SMTP server relays messages from anyone who connects to it without verifying the sender, rather than protecting the service behind an Email authentication system such as DMARC. It's a lot more common than you might think.

So even though the address looks real, and a reply would even go to that E-mail address, the link inside the E-mail is still bogus. It leads to a scamming site that will attempt to skim your Instagram account details. So once again: never click on a link provided by a security account unless you personally requested it. Always go right to the source website or app to perform all security functions.
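The two checks described in the Domain lookalikes and Email Spoofing sections can be automated on the receiving side. The following is an added example, not code from the original article or from Instagram: it collapses confusable letter sequences (the 'rn' for 'm' trick) before comparing the sender's domain with the real one, and for an exactly matching domain it only trusts the message if the receiving mail server recorded a DMARC pass in the Authentication-Results header. The sample messages, the mail server name mx.example.net and the confusables table are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (headers only matter here); not real Instagram mail.
LOOKALIKE_MSG = """From: Instagram Security <security@mail.instagrarn.com>
Authentication-Results: mx.example.net; dmarc=pass header.from=mail.instagrarn.com
Subject: Unusual login

Click here to secure your account.
"""
SPOOFED_MSG = """From: Instagram Security <security@mail.instagram.com>
Authentication-Results: mx.example.net; spf=fail; dkim=none; dmarc=fail header.from=mail.instagram.com
Subject: Unusual login

Click here to secure your account.
"""
LEGIT_MSG = """From: Instagram <security@mail.instagram.com>
Authentication-Results: mx.example.net; dmarc=pass header.from=mail.instagram.com
Subject: Emails from Instagram

Nothing to see here.
"""

# Letter sequences that pass for another letter in many fonts (constructed table).
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l"}


def skeleton(domain: str) -> str:
    """Collapse confusable sequences so visually similar domains compare equal."""
    d = domain.lower()
    for seq, canon in CONFUSABLES.items():
        d = d.replace(seq, canon)
    return d


def registrable(domain: str) -> str:
    """Keep the last two labels: mail.instagram.com -> instagram.com (assumes plain TLDs)."""
    return ".".join(domain.split(".")[-2:])


def assess(raw: str, expected_domain: str = "instagram.com") -> str:
    """Classify a message's From address as ok, lookalike, spoofed or unrelated."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    reg = registrable(addr.rpartition("@")[2])
    if reg != expected_domain:
        return "lookalike" if skeleton(reg) == skeleton(expected_domain) else "unrelated"
    # Exact domain: only trust it if our own receiving server (not the sender,
    # who could inject a fake header) recorded a DMARC pass.
    auth = msg.get("Authentication-Results", "")
    return "ok" if re.search(r"\bdmarc=pass\b", auth) else "spoofed"
```

An "ok" result still only means the sender is who they claim; as the article says, the safe move for account changes is to go to the app or website rather than follow the link.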

Internal Fraud

The third option is a lot more sinister. As one might imagine, several people deal with Instagram's support and security. Hundreds, maybe thousands of agents have access to those E-mail addresses. Some of them can only send automated form letters and cannot change the content of the Email itself. But others can edit the content of support and security Emails, and if they have an axe to grind with their boss or are just sick of their job… they could easily send out a phishing email.

This is called internal fraud, and hopefully, it is the least common of these three scenarios. The only defense against this is, you guessed it, never clicking those links embedded in the Instagram security Email itself, even if it really is from security@mail.instagram.com and is sent by a legit server. Instead of clicking the link, go right to the website or app and do all of your updates and security checks from there.

Validating Instagram's Communications

There's a simple way to see the legit Emails that Instagram has sent to your Inbox. This will show you every real, valid communication from support in the past couple of weeks.

From the app, click on the three lines in the upper right-hand corner of the screen. Then go to Settings, Security, Emails from Instagram. Or from the website, click on your profile menu and go to Settings, Security, Emails from Instagram.

This will list all of the valid correspondence from support and security. If it isn't listed there, the Email was probably a scam. There is also a tab for 'other' communications that you might have opted in to, and they too can be validated here.

Typical Contents of Instagram Phishing Emails

Up until recently, the most common phishing attempt being run was the account access scam. A series of Emails would inform the user that their account was supposedly being used from Ukraine, Brazil, and other spots all over the globe. Clicking on any of the 'This Wasn't Me' or abuse report links would take you to a web page that would try to scrape your Instagram details and personal information.

But in 2021, a new angle on the Instagram phishing Email came out. It disguises itself as a fake copyright violation notice. The Daily Mail spotted this trend, noticing that some users were getting warnings Emailed to them via the 'Instagram Copyright Help Centre'. Of course, the links inside of the Email were just more phishing attempts, trying to get users to fill out fake login screens and provide personal details so they could take over their accounts.

Another scam going around is a warning about phishing attacks and telling people that they need to change their passwords (with a fake link of course). It just doesn't get any more 'meta' than that.

Ways to Secure Your Instagram Account

While stopping phishing attacks isn't within your control, there are a few steps you can take that will help you not to fall victim to them.

Turn on Two Factor Authentication (2FA)

If you don't already have 2FA activated, then we recommend doing so immediately. 2FA means that for any kind of login or security change, the attacker would need access to your unlocked phone. You can pick text messages or Google Authenticator as your 2FA method. Either way, your account is a whole lot safer with it on, and the likelihood of someone getting into your account without stealing your phone is quite slim after you activate 2FA. Make sure you grab your recovery codes and keep them somewhere safe, just in case your mobile device is ever lost, stolen, or destroyed.

Don't use bots

Auto-followers, auto-follow-backs, and cross-platform social media followers are all potential security risks. There's just no reason to give a third party full control over how your account is managed or manipulated. External services, more often than not, are long-term scams that are waiting to gather tons of accounts, and then use them for their own nefarious purposes.

Never click emailed links

As mentioned before, go directly to the app or to the Instagram website to make any profile or security changes. Never click a link in an Email to get there.

Disable your activity status

Your activity status only gives phishers more information that they can use to tailor their fake Emails. They can also use it to pick out your most vulnerable traits and target those within the Email.

Use a strong password

Use at least 12 characters, mixing letters, numbers, and special characters. Sounds too difficult to remember? That's what password managers are for. The best password managers not only act as a secure vault to store all your passwords, but they should also have a password generator.

Another secure password method relies on length. Instagram allows passwords in excess of 40 characters long. So you could literally use a long passphrase that you can easily remember, like: 'My best friend's mom is named Vanessa.' The sheer length, mixed characters, and punctuation make brute-forcing such a password nearly impossible, even if the hacker guessed some of the keywords or themes.

Long, human-memorable passphrases are becoming popular for people who don't use a password manager. But using the same passphrase across multiple sites is still a bad idea, in case one of them gets hacked. So what's the better solution?

Use email aliases

Use a privacy-focused email service provider that allows you to create additional alias email addresses. ProtonMail and Tutanota are two such examples. No Instagram phishing can get through if they don't have your real Email address.

Better Privacy and Security for Instagram

With the tips listed above, Instagram can be a much safer and more fun place. Don't sleep on your Internet security, and don't fall for those tired old phishing attempts. The hackers might be getting more sneaky, but the protection that is available is also getting more sophisticated. Stay safe out there.

Of course, Instagram isn't the only platform that scammers use to target victims. To stay protected, check out Using Paypal Without Falling for Paypal Phishing Scams.

Will R
Hoody Editorial Team

Will is a former Silicon Valley sysadmin and award-winning non-functional tester. After 20+ years in tech, he decided to share his experience with the world as a writer. His recent work involves documenting government hacking methods while probing the current state of privacy and security on the Internet.
