There have been many reports of people getting phishing emails that appear to be from Instagram, offering a tempting opportunity to be verified under a new Meta Verification system.
Be careful if you see one, because falling for it will cause you a lot of problems.
What is a Phishing email?
A phishing email is a type of scam email designed to trick you into revealing sensitive information, such as passwords. The email usually tries to look legit, using your bank or social media logo, but in reality, it’s from a scammer.
The email will contain a link to what looks like your normal login form, but it’s really a fake that will send your password straight to the attacker.
This is very common, and can be very damaging.
Phishing is a play on fishing, because they send out their bait and wait for a fish to bite.
What does a phishing email look like?
This Instagram verification lure is currently a very popular one.
Let’s look at an example of this email, so you know what to watch out for. Some scam emails are very obvious, but some make more effort.
They use the logos & branding of a real business, and can look pretty convincing at first glance.
The headers of the email might use your actual email address, and your actual Instagram handle. But look at the sender address itself, not just the display name (the name shown before the address can be set to anything). You'll see the email did not come from instagram.com, but from a domain that only looks similar. This is a common tactic by these spammers.
You might also notice that the email address you received this at, is not the same email that you signed up to Instagram with. You might use a Gmail address to sign up for Instagram, and then receive this email sent to your work email address, which they found because it was public somewhere.
That’s another red flag.
The email contains links or buttons inviting you to get verified, again using your Instagram handle to put you at ease.
But the link does not take you to Instagram – only to an “Instagram Support” type of page, which will be the fake page that will steal your password.
It’s very common for scammers to use a similar domain to try to fool you, so always check that when you click links in emails.
Down at the bottom of the email, again it states your email address & Instagram handle. But the links to unsubscribe or remove your address take you to the fake phishing page again.
So what happens if they trick you?
The attacker will have your password as soon as you fill out their phishing form. At that point, it won’t take long.
The attacker might be using automated tools to speed this up, so it all happens in minutes.
The attacker will log into your Instagram account – you’ll get an email from Instagram about a strange login.
If you see that fast enough, you can act quickly to reset your password, but you don’t have long.
Once they’re in, they’ll change the password to lock you out. Then they’ll change the contact information on the account (email, phone, etc) to make it harder for you to get back in. They might even change your Instagram handle, so that your old Instagram profile link doesn’t work anymore.
At this point, it’s not your account anymore – they have full control. They might start sending messages to your followers, trying to tempt them into some other scam, or just start posting offensive content or misinformation.
They might send you a ransom demand – pay us $500 USD if you want your account back!
What can you do to avoid this?
Look closely at the email before clicking any links. Check the email address it came from. If you hover your mouse over the links, your computer/device should show you where the link will actually take you – the text of a link can say “instagram.com” while the link itself points somewhere else entirely. If it’s a similar-but-not-real domain to what you expected, that’s a big red flag.
If you aren’t sure, go to the website by typing in the address, instead of clicking any links in the email.
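The two checks described above (the real sender domain, and where each link actually points) can be automated. The following is an added example, not code from the original post: it parses the sender address and every link in an email body, reduces each hostname to its registrable domain, and flags anything that is not a known Instagram/Meta domain but contains or closely resembles the brand name. The trusted-domain list, the brand tokens, the similarity threshold, and the sample email are all assumptions made for this example; the lookalike domains in the sample are constructed and not real.

```python
import re
from difflib import SequenceMatcher
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption for this example: domains Instagram/Meta legitimately mail and link from.
TRUSTED_DOMAINS = {"instagram.com", "facebook.com", "meta.com", "facebookmail.com"}
# Brand tokens a scammer would borrow. "meta" is left out because it is too
# short and matches innocent words like "metal".
BRANDS = ("instagram", "facebook")
SIMILARITY_THRESHOLD = 0.8  # assumption: how close a label must be to a brand to count as a typo-squat


def registrable_domain(host):
    """Last two labels of a hostname, e.g. 'www.instagram.com' -> 'instagram.com'.
    Deliberately naive: does not handle multi-part public suffixes like 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def classify_host(host):
    """Return 'trusted', 'lookalike' or 'unrelated' for a hostname."""
    host = host.lower().rstrip(".")
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return "trusted"
    # Not a trusted domain: is any label borrowing or imitating the brand?
    # Catches 'instagram.com.verify-now.net' (brand as a subdomain of an
    # unrelated domain) and 'lnstagram.com' (one-character typo-squat).
    for label in host.split("."):
        for brand in BRANDS:
            if brand in label:
                return "lookalike"
            if SequenceMatcher(None, label, brand).ratio() >= SIMILARITY_THRESHOLD:
                return "lookalike"
    return "unrelated"


def extract_links(html):
    """Pull every href target out of an HTML email body."""
    return re.findall(r'href=["\']([^"\']+)["\']', html, flags=re.IGNORECASE)


def check_email(from_header, html):
    """Classify the sender domain and every link; 'suspicious' is True if
    the sender is not trusted or any link points at a lookalike domain."""
    _, address = parseaddr(from_header)  # ignores the display name, keeps the real address
    sender_host = address.rsplit("@", 1)[-1] if "@" in address else ""
    sender_verdict = classify_host(sender_host) if sender_host else "unrelated"

    links = []
    for url in extract_links(html):
        host = urlparse(url).hostname
        if host is None:  # e.g. mailto: links have no host to judge
            continue
        links.append((url, host, classify_host(host)))

    suspicious = sender_verdict != "trusted" or any(v == "lookalike" for _, _, v in links)
    return {
        "sender": {"address": address, "host": sender_host, "verdict": sender_verdict},
        "links": links,
        "suspicious": suspicious,
    }


# Constructed sample email modelled on the lure described above (not a real message).
SAMPLE_FROM = '"Instagram" <verification@instagram-meta-support.com>'
SAMPLE_HTML = """
<p>Hi @yourhandle, you are eligible for Meta Verified.</p>
<a href="https://instagram.com.verification-center.net/verify?u=yourhandle">Get verified</a>
<a href="https://www.instagram.com/about/">About Instagram</a>
<a href="https://lnstagram.com/unsubscribe">Unsubscribe</a>
"""

if __name__ == "__main__":
    report = check_email(SAMPLE_FROM, SAMPLE_HTML)
    print("sender:", report["sender"])
    for url, host, verdict in report["links"]:
        print(f"{verdict:10} {host:40} {url}")
    print("suspicious:", report["suspicious"])
```

The important design point is that the verdict is based on the registrable domain, never on whether the word "instagram" appears somewhere in the URL: a scammer can put the brand in a subdomain or path of a domain they own, and that is exactly what the classifier treats as a lookalike.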
Use strong, unique passwords. If an attacker steals your Instagram password, and you use the same password for your Gmail account, then guess what will happen next? Use a unique password for everything, never re-using the same password. Consider using a password manager (like Bitwarden) to keep track of all your different passwords for you.
Use two-factor authentication if available. That’s when you set up your phone number so the website sends you a code before you can log in, to make sure your phone is present. That means that even if someone steals your username and password, they still can’t get in without the code. (Most modern sites will let you use an authentication app instead of a phone & text message, because that’s even more secure.) One caveat: a convincing phishing page can ask you for the code too and pass it straight on to the real site, so two-factor authentication is an extra layer, not a replacement for checking the domain before you type anything.
Be vigilant, and be suspicious of every email.
The worst bit – don’t expect any help from Instagram
The worst bit of these scams is this – the support from Instagram is so terrible, you have next to no chance of recovering your account. Ever.
Stay safe out there!