
Hackers are taking over Instagram accounts using phishing attacks — how to protect yourself

[Image: Instagram app on iPhone (credit: Shutterstock)]

Whether you’re an aspiring social media influencer or a small business owner looking to build up your brand, Instagram can be a great way to help drive traffic to your business or website.

Just like on other online platforms, though, republishing content that isn’t yours without crediting the original creator can get you into trouble. Instagram users can report copyright violations in several ways, detailed in the company’s support documentation. If you repeatedly post content that infringes on someone else’s intellectual property rights, your Instagram account may be disabled or your Page removed under the company’s repeat infringer policy.

Since losing access to Instagram can be devastating for people who use the platform for business purposes, cybercriminals continue to target users and their accounts through phishing emails designed to steal their credentials and take over their accounts.

While that email in your inbox claiming to be from Instagram may appear legitimate at first glance, clicking on any links contained within it could put both you and your account at risk.

[Image: Example of a copyright violation scam (credit: Sophos)]

Over the years, cybercriminals have mastered the art of using copyright infringement notices as bait in their phishing campaigns.

In these copyright violation scams, an attacker pretends to be from Instagram (or any other social network, for that matter) and tries to scare users into taking action so that they don’t lose access to their account.

These scams typically begin with an email saying that someone has lodged an official copyright complaint against you. The email then offers an easy way to prove your innocence: a link to object to the complaint.

In one recent example of a copyright violation scam documented by the email security company Armorblox, the attacker tried to instill a sense of urgency by saying that the recipient had 24 hours to verify their membership before their account was permanently deleted. Cybercriminals often use this tactic to pressure users into clicking on links in their phishing emails.

Clicking on the link takes the Instagram user to an “Account Verification Form” where they’re asked to enter their username and password. As you’d expect, doing so hands their credentials to the attackers behind the campaign.

The criminals then change the account’s password and email address, which prevents victims from recovering their accounts on their own. Instead, the attackers demand payment to return the account, but just as with ransomware, paying a cybercriminal comes with no guarantee that they’ll actually do what they say they will.

Real-world consequences

Copyright violation scams can be especially difficult to recover from for small business owners who have built their marketing around Instagram.

According to a report from ABC affiliate WFAA, a physical therapist in the Dallas-Fort Worth area fell victim to a copyright violation scam earlier this year. Over the previous two years, she had been using her Instagram page to promote her practice with great success.

Then, over a weekend, she received an email alerting her to a copyright problem with her page. Unfortunately, she clicked the link in the email and entered her credentials. Within three minutes, her password, email and phone number had been changed, and the attacker demanded $1,000 to give back control of her Instagram account. Out of her element, she turned to an investigative firm for help, but doing so angered the attacker, who raised the price to $10,000.

The account in question was never recovered, but there are several steps you can take to safeguard your own Instagram account.

How to avoid falling victim to this phishing scam and others

[Image: computer monitor with an email graphic superimposed on screen (credit: Shutterstock)]

To protect yourself from copyright violation scams and other phishing attempts, the cybersecurity firm Sophos recommends in a blog post that users never click on “helpful” links in emails. Instead, go directly to the company’s website by typing the address yourself, using a bookmark you saved earlier, or opening the official app, and check for any notice there.

At the same time, think before you click on any link, because cybercriminals deliberately create a sense of urgency and use your emotions against you in these attacks. If you’re worried about losing access to your account, you may click on a link and enter your credentials without thinking twice.

Spelling errors and grammatical mistakes in emails, as well as in web addresses, are a major red flag. Cybercriminals frequently use brand images and logos to make their phishing emails appear legitimate but often make mistakes in the body of an email. The reverse does not hold, though: a polished, error-free message is not proof that it is genuine, so also check where the links actually go (the destination shown when you hover over a link) and whether the sender’s address really belongs to the brand. Looking over every message you receive with a close eye will help you avoid falling victim to all manner of online scams.
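The two checks above (does the link actually go to the company’s own site, and does the web address look right?) can be automated for anyone triaging a suspicious message. The following script is an added example written for this article, not code from Sophos, Armorblox or Instagram. It parses an email, pulls every link out of the HTML body, and flags links whose registered domain is not on a trusted list, links whose visible text shows one site while the href points to another, and links or senders that merely contain the brand name in a lookalike host. The message, sender address and URLs are constructed for the demonstration; `TRUSTED_DOMAINS` is an illustrative allowlist, and the "last two labels" rule for the registered domain is a deliberate simplification that does not handle suffixes such as `co.uk`.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative allowlist (assumption for this example): domains the brand
# really sends links to. A real list would come from the brand's own docs.
TRUSTED_DOMAINS = {"instagram.com", "facebook.com"}

# Matches a hostname written inside link text, e.g. "www.instagram.com".
HOST_RE = re.compile(r"(?<![\w-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w-])", re.I)

# Constructed sample message modelled on the copyright-notice lure described
# above. Sender, wording and every URL are invented for this example.
SAMPLE_EMAIL = """\
From: "Instagram Support" <support@instagram-copyright-center.com>
To: victim@example.net
Subject: Copyright infringement notice
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Someone has filed a copyright complaint against your account.</p>
<p>You have 24 hours to <a href="http://instagram.com.verify-account.example/form">
object to the complaint at https://www.instagram.com/help</a>
or your account will be permanently deleted.</p>
<p>Or <a href="https://instagram-copyright-center.com/appeal">Appeal here</a>.</p>
<p>Help Center: <a href="https://help.instagram.com/">help.instagram.com</a></p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((self._href, text))
            self._href = None


def registered_domain(host: str) -> str:
    """Simplified registrable domain: the last two DNS labels (no PSL handling)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyse(raw_message: str, brand: str = "instagram", trusted=TRUSTED_DOMAINS):
    """Return a list of (kind, subject, reason) findings for one raw email."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    sender_domain = msg["From"].addresses[0].domain.lower()
    if registered_domain(sender_domain) not in trusted:
        findings.append(("sender", sender_domain, "sender domain is not a trusted brand domain"))

    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    extractor = LinkExtractor()
    extractor.feed(body)

    for href, text in extractor.links:
        host = (urlparse(href).hostname or "").lower()
        reg = registered_domain(host)
        if reg in trusted:
            continue  # genuinely on the brand's own site
        reasons = []
        if brand in host:  # "instagram" appears, but the real owner is someone else
            reasons.append(f"brand name in untrusted host (registered domain is {reg})")
        for shown in HOST_RE.findall(text):  # link text names a different site than href
            if registered_domain(shown) != reg:
                reasons.append(f"link text shows {shown} but href goes to {host}")
        if not reasons:
            reasons.append("link leaves the trusted domains")
        findings.append(("link", href, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for kind, subject, reason in analyse(SAMPLE_EMAIL):
        print(f"[{kind}] {subject}: {reason}")
```

Run against the sample, the script reports the lookalike sender and the two phishing links while leaving the genuine help.instagram.com link alone. The point it makes in code is the one in the text: the visible part of a link (and the brand name inside a hostname) is attacker-controlled, so only the registered domain the link resolves to is worth trusting.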

Setting up two-factor authentication (2FA) for all of your online accounts also helps, since an attacker who steals your password still can’t log in without the one-time code. Prefer an authenticator app or a hardware security key over SMS codes where the service offers them; bear in mind that a phishing page can ask for the one-time code too and relay it in real time, so 2FA is a safety net, not a substitute for checking the link. Meanwhile, a password manager can ensure you’re using strong, unique passwords for all of your accounts while storing them securely, and it will only offer to fill a password on the site it was saved for, which is itself a useful warning on a lookalike page.

Finally, if you see a suspicious message in your inbox, ask others whether they’ve encountered something similar. It’s best to do this in person, but you can also do so online. You can also contact the company’s support team, through its official website or app rather than any contact details in the email, to confirm whether the notice is legitimate.

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.