Anatomy of an Instagram Account Hack

Our Instagram account was recently the target of an Instagram impersonation scammer. This is where an imposter creates an account that looks very similar to a legitimate account, in this instance ours, and then uses the fake account to target the followers of the account being impersonated. In this post we’ll share details about the scam, the interactions the scammer had with one of our followers and why, and the process we went through to get the impersonation account taken down.

In sharing our experience, our hope is that it will help others that find themselves in a similar situation. We also hope that by bringing attention to impersonation accounts, users will be better equipped to recognise and avoid these and other Instagram scams which are a constant threat, and a sad reflection on the world we live in.

The Instagram platform itself is considered to be secure and impervious to traditional hacking methods like brute force attacks. What this means is that hackers rely on us as users to unknowingly provide them with access. There are generally two ways in which hackers gain access to accounts: through Instagram phishing messages, or by taking advantage of Instagram’s built-in security functionality (in our case, the login link sent by the Forgotten password function).

We’ll talk more about phishing attacks later in this post, but since the scammer in our particular case appeared to be running a login link scam, we’ll explain that first.

It all started with an Instagram impersonation account

As we mentioned previously, in our case, the scammer initiated their scam by setting up an impersonation account. The best way to explain an impersonation account is by way of example. Have a look at the two profiles below, on the left is ours and on the right is the scammer’s profile.

Instagram profile comparison

There are two important things to notice here. One is that the username of the scammer’s account is very close to our own so if you saw a message from the scammer and weren’t paying too much attention, you might be fooled into thinking it’s actually us contacting you.

But many of our followers did spot this which is where the second part of the scam profile comes into play. The scammer claims that our legitimate account has been hacked and that this new profile is in fact us starting a new account. Fortunately, most of our followers didn’t fall for this either, and a number of them got in touch with us, alerting us to the fact that this scam account had been created.

Unfortunately, not everyone was so cautious, and we watched in horror as more and more of our actual followers started to follow the scam account. What followed were many hours of frustration and an eye-opening experience that we’ll share with you here. But first, a few more words on the realities of impersonation on Instagram.

We’ll begin with the ‘good’ news if you can call it that. The reality is that while impersonation scams are happening on Instagram every day, the vast majority of accounts will not be targeted. That’s because scammers will more likely target accounts with larger follower counts. More followers means more opportunities to reach potential victims before the scam account is shut down. Unfortunately, at just short of 11,000 followers, our account was obviously big enough for this particular scammer.

We were of course horrified that this happened, not so much for ourselves as our actual account was never at risk, but more so for our followers who were subsequently targeted. And while we’re truly sorry that this happened, the fact is that there’s nothing we could have done to prevent it from happening.

That’s because as things stand right now, it seems that there is no way for Instagram to prevent the creation of impersonation accounts and deal with imposters proactively. While it might be possible to programmatically identify some potential impersonation accounts based on commonly used patterns, in all likelihood it would still require a human to review these accounts manually, and even then there might be legitimate use cases.

What this means is that given the sheer volume of accounts being created daily, Instagram has to rely on us as users to report impersonation accounts and only then can they deal with them. We’ll get to that part of the story a bit later but for now, the bottom line is yes, anyone can create an impersonation account on Instagram, do it in a way that is untraceable, and use that account for all manner of evil deeds.
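The paragraph above notes that some impersonation accounts could be identified programmatically from commonly used patterns. The following is an added example of what such a check might look like; it is not Instagram's code and is not part of the original post. It assumes a small, constructed table of characters that impersonators typically swap for letters, and a hypothetical legitimate handle with a constructed batch of candidate handles (the kind of list a page owner could build from new followers or search results).

```python
import unicodedata

# Constructed map of characters commonly swapped for letters in look-alike handles
# (assumption: a small illustrative table, not Instagram's own rules)
LOOKALIKE_CHARS = {
    "0": "o", "1": "l", "|": "l", "!": "i", "3": "e", "4": "a",
    "5": "s", "$": "s", "7": "t", "@": "a",
}
SEPARATORS = "._-"


def normalise_handle(handle: str) -> str:
    """Fold a handle to a comparable form: ASCII only, lower-case, separators
    dropped, look-alike characters mapped to the letters they mimic."""
    folded = unicodedata.normalize("NFKD", handle).encode("ascii", "ignore").decode()
    folded = folded.lower().lstrip("@")
    folded = "".join(c for c in folded if c not in SEPARATORS)
    return "".join(LOOKALIKE_CHARS.get(c, c) for c in folded)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_handle(legit: str, candidate: str, max_distance: int = 2):
    """Return (verdict, edit_distance) describing how close `candidate` is to `legit`."""
    if candidate.lower().lstrip("@") == legit.lower().lstrip("@"):
        return "same_account", 0
    n_legit, n_cand = normalise_handle(legit), normalise_handle(candidate)
    distance = levenshtein(n_legit, n_cand)
    if n_legit == n_cand:
        # Differs only by separators or swapped look-alike characters
        return "lookalike_characters", distance
    if distance <= max_distance:
        return "lookalike_edit", distance
    if len(n_legit) >= 6 and n_legit in n_cand:
        # The real handle padded with extra words, e.g. '.official'
        return "lookalike_extended", distance
    return "distinct", distance


def find_lookalikes(legit: str, handles):
    """Scan a batch of handles and return the ones that resemble `legit`."""
    hits = []
    for h in handles:
        verdict, distance = classify_handle(legit, h)
        if verdict not in ("same_account", "distinct"):
            hits.append((h, verdict, distance))
    return hits


# Constructed sample: a hypothetical genuine handle and candidate accounts
LEGIT_HANDLE = "southisland.photos"
SAMPLE_HANDLES = [
    "southisland.photos",           # the real account
    "southis1and_photos",           # '1' for 'l', separator swapped
    "southisland.photos2",          # one character appended
    "southisland.photos.official",  # real handle with a suffix
    "northisland.photos",           # a different account with a similar name;
                                    # also flagged at distance 2, so tune max_distance
    "kea.spotting",                 # unrelated
]

if __name__ == "__main__":
    for handle, verdict, distance in find_lookalikes(LEGIT_HANDLE, SAMPLE_HANDLES):
        print(f"{handle:28} {verdict:22} distance={distance}")
```

The normalisation step is what catches the case described above (a username that is "very close" to the real one): a swapped digit or a moved underscore collapses to the same folded string, while the edit-distance threshold catches single-character additions. Anything returned by find_lookalikes still needs a human look, as the paragraph above says, since similarly named legitimate accounts will also be flagged.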

What were the scammers trying to achieve?

Why do scammers create impersonation accounts on Instagram? Ultimately, like all criminal activities on the internet, it’s about money, but in our particular instance, impersonating our account was simply the first step in a chain of events that leads to someone somewhere losing money. Based on what we saw happening, it was clear that the scammer’s main objective was to try and hack into our followers’ Instagram accounts. Here’s how.

Having created the impersonation account and used some of our images to make the profile look semi-legitimate, they set about following our followers. The idea behind this is that our followers would see the new profile and, believing that our actual account had been hacked, start following the fake account. We saw this happening in real-time as both the Following and Followers count of the fake profile started to climb.

This happened very quickly as, in all likelihood, the scammer would have used any one of a number of Instagram automation tools to do the heavy lifting. The next step in the scam was to start an Instagram Direct Messaging conversation with anyone that followed the fake account. Unfortunately, for the more trusting of our followers, the conversation went something like this:

Instagram chat with scammer

As soon as the user above agreed to receive the ‘help link’, the scammer sent an Instagram login link to the user for the user’s own account! How, you ask? By using Instagram’s Forgotten password function.

Instagram forgotten password link

Under normal circumstances, this is a perfectly safe and secure way to regain access to your account if you forget your password. Clicking on the Forgotten password link on the Instagram login screen takes you to a login link form where you enter your username, email address or mobile number and then choose how you’d like to receive the link: via email or via SMS text message.

Instagram trouble logging in screen

Assuming only you have access to that email address or that phone, only you will receive the link which, when clicked, logs you back into Instagram, where you would typically change your password so that you can log in normally again in future.

However, as soon as you share that link with anyone else, you effectively give them access to your account and, depending on how that account is set up, they can change your details and lock you out. Pretty scary, right?

The Instagram login link request form allows a user to enter any Username, not just their own, and send a login link to the mobile number associated with that account. Having found someone willing to help via the initial chat, the scammer would have used the Forgotten password function to send the user a text/sms message like this:

Instagram login link example

You’ll recall from the initial conversation that the scammer tells their victim not to click on the link. That’s not some form of reverse psychology, it really is of no use to them if you click on the link. But once you send them a screenshot of that link as they’ve asked, you’re essentially inviting them into your account. So is a hacked account the inevitable outcome of this? In the case of this particular user the answer is no and later in this post we’ll explain why and what you must do to protect yourself from these and other attacks. But first, let’s finish our side of the story.

Reporting and removing an Instagram impersonation account

As you would expect, as soon as we found out about the impersonation account, we immediately reported it to Instagram which, on the surface of it, is easy to do. Via the app, on an account’s profile page, there is a step-by-step process that allows you to report the account as impersonating you or someone you know.

Instagram reporting an account screen

It all seems very straightforward which is why, after having reported the account only a few hours after it was created, we were optimistic that this would soon be resolved. Unfortunately, that was not the case and we watched almost helplessly as a few hours became many hours, which became the next day without any response from Instagram.

At this point, the only thing we could do was wait and try to warn our followers about the scammer which we did via a story post. We also kept an eye on the impersonation account, and as soon as someone followed it, we sent them a DM, warning them about the scam.

The following day, being a Saturday, we went for what was supposed to be a leisurely walk and with patchy phone reception, we couldn’t do much to monitor our account. That was until we reached our 10km turnaround point which was when we received the following message:

Instagram account review message

Needless to say, what followed was much cursing, foot stomping and random kicking of things as our leisurely stroll home became a semi-jog.

On returning home, the first thing we did was read Instagram’s Community Guidelines which specifically states:

“Don’t impersonate others and don’t create accounts for the purpose of violating our guidelines or misleading others.”

In hindsight, it’s entirely likely that Instagram’s message was simply an initial automated response given that it was the weekend and that may in fact be part of the scammer’s process – to initiate these scams at the weekend when Instagram’s human review is limited or possibly even non-existent.

Regardless, Instagram’s response to our initial report was not helpful in any way and so after reading the Community Guidelines we did some more digging and found that the platform has a dedicated section in the Help Centre for Impersonation accounts. To be fair to Instagram, the information the Help Centre provided was clear and precise and directed us to an online form where we could again report the impersonation account, but this time with the added step of providing proof of ID – basically a picture of me looking very grumpy while holding up my New Zealand driver’s licence.

Shortly after submitting the online form we received an email from support.facebook.com asking us to reply to the email with an attached photo holding a government-issued photo ID. There was also some additional guidance in the email which wasn’t on the original form as follows:

Make sure that the photo you send:

  • Includes both your hand that’s holding your ID and your entire face
  • Clearly shows your face in both the photo and the ID
  • Is well-lit, and is not too small, dark or blurry
  • Is attached to your reply as a JPEG file

We simply attached the photo we originally uploaded online and replied in the hope that this time, something would happen.

We never did receive a reply or follow-up response from Instagram, but at some point over the next 24 to 48 hours, the impersonation account vanished and we were finally rid of this no good scammer.

Our advice then, if you’re the target of an Instagram impersonation account scam, is that while there’s probably no harm in submitting a take down request via the Instagram app itself, you should as quickly as possible submit your report using the form in the Help Centre.

What is Instagram phishing and how do you report phishing on Instagram?

Phishing on Instagram relies on the same principle as phishing on any other platform: tricking you into entering your username and password into a form on a fake login page. These pages can look exactly like the real thing, with domain names that closely resemble the platform’s official domain, except that once you enter your details and press submit or login, the hackers receive your login details.

Links to these fake pages can be sent to victims in a number of ways but generally take the form of what appears to be an official message from the platform itself. For Instagram these include but are not limited to:

  • Copyright infringement notices that claim that you’ve posted content which violates somebody else’s copyright
  • Suspicious login activity or fake two-factor authentication messages which ask you to confirm whether or not you tried to login
  • Instagram verification messages that inform you that your account is eligible for a verified profile badge
  • Notifications about changes to account profile details or settings

All of these phishing messages are designed to alarm you and fool you into thinking that your account is at risk and could even be suspended or deleted. The hackers hope that in a panic you will click on the link provided and log in to your account to resolve the issue.

The key here is to take a cautious approach to any messages and emails that you receive claiming to be from Instagram, and if you have any doubt about an email, it’s well worth checking Instagram’s recent emails tool, which lists all official Instagram emails sent to a user in the last 14 days. This tool can be found in the app and on Instagram online under Settings, Emails from Instagram.
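As an added illustration of the "domain names that look very similar" point above, here is a small link checker of the kind a cautious user or a moderation script could run over a suspicious DM or email before anyone clicks. It is example code written for this post, not an Instagram tool. It assumes that instagram.com and facebook.com are the only genuine registrable domains for the brand (a simplification), uses a constructed table of confusable character pairs, and scans a constructed sample message.

```python
import re
from urllib.parse import urlsplit

# Assumption: the brand's genuine registrable domains. A host is official only if it
# equals one of these or is a subdomain of one (help.instagram.com, not instagram.com.evil.example).
OFFICIAL_DOMAINS = ("instagram.com", "facebook.com")
BRAND_WORDS = ("instagram", "facebook")
# Constructed list of character pairs that look alike in a URL bar
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "i"), ("l", "i"), ("|", "i"))

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def parse_host(url: str):
    """Return (host, userinfo_present) using the real URL grammar, so that
    'https://instagram.com@evil.example/' resolves to evil.example, not instagram.com."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    return host, parts.username is not None


def is_official_host(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def fold_confusables(s: str) -> str:
    """Replace look-alike sequences so 'lnstagram' and 'faceb00k' read as the brand word."""
    for lookalike, real in CONFUSABLES:
        s = s.replace(lookalike, real)
    return s


def assess_link(url: str) -> str:
    """Classify a single URL: official, suspicious_lookalike, unknown_host or malformed."""
    host, has_userinfo = parse_host(url)
    if not host:
        return "malformed"
    if has_userinfo:
        # Brand text placed before '@' so it shows first in the address bar
        return "suspicious_lookalike"
    if is_official_host(host):
        return "official"
    folded = fold_confusables(host)
    if any(b in host or b in folded for b in BRAND_WORDS):
        # Brand name embedded in someone else's domain, or spelt with confusable characters
        return "suspicious_lookalike"
    return "unknown_host"


def scan_message(text: str):
    """Pull every http(s) link out of a message and classify each one."""
    return [(u, assess_link(u)) for u in URL_RE.findall(text)]


# Constructed sample DM in the style of the copyright-notice phishing described above
SAMPLE_DM = (
    "Your account has been flagged for copyright infringement. Appeal within 24h at "
    "https://instagram.com.copyright-check.example/appeal or read the policy at "
    "https://help.instagram.com/ for details."
)

if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE_DM):
        print(f"{verdict:20} {url}")
```

Two details are worth noticing. The hostname is taken from a proper URL parser rather than by searching the string for "instagram.com", which is what defeats the user@host trick; and the official check requires the host to end with ".instagram.com", so a fake such as instagram.com.copyright-check.example fails it even though it starts with the genuine domain.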

In terms of how to report phishing on Instagram, if you’re sent a phishing link via a DM, you can report the message and the account that sent the message via the app. However, when it comes to phishing emails, since these are generated outside of Instagram and are not associated with an Instagram account, there’s not much you can do to report them. That said, Instagram does suggest that you report strange emails to phish@instagram.com, but we wouldn’t expect to receive much of a personal response from that.

Can you regain access to a hacked Instagram account and how long does it take?

The short answer is yes, it is definitely possible to take back control of a hacked Instagram account and there are numerous case studies online that show this. However, the time and effort involved can vary significantly from case to case. We’ve read horror stories of users not having any luck when following Instagram’s official process and eventually, after several weeks and numerous attempts, having to find, through a contact of a contact, someone that actually works at Facebook.

Having said that, we spoke recently to a fellow New Zealand based photographer who had their account hacked and, with the help of Instagram/Facebook support online, managed to regain control of their account within around 48 hours.

Instagram’s Help Centre has an entire section dedicated to Hacked accounts, so if you think that your account has been hacked, reading this page should be your first step.

We also encourage you to read this very detailed post from a UK-based photographer whose account was hacked and held to ransom by Russian hackers. Reading this account certainly put our own experience into perspective for us.

What can you do to protect yourself and stay safe on Instagram?

So the first thing you can and absolutely must do is enable two-factor authentication. This page in the Instagram Help Centre explains exactly what this is and how to enable it. In addition, you should also make sure that you keep login request notifications enabled.

In the case of our follower who almost got caught out by this scam, it was these requests that initially alerted him to the attempted hack. Shortly after sending a screenshot of his login link to the scammer, he noticed some login requests from Israel which, given that he’s based in Christchurch New Zealand, were more than a little suspect.

Instagram login requests

Clicking on a notification allows you to approve or deny the login request. He obviously denied them and as a result, was able to avoid his account being hacked. Following this, he decided to have a little word with the scammer…

Instagram scammer chat

If nothing else, the scammer was committed to their gameplan right to the very end.

Besides enabling two-factor authentication, technically there is nothing else you can do apart from staying aware and being cautious about emails regarding your Instagram account and in particular, any direct messages claiming to be from Instagram. Instagram has officially stated on numerous occasions that they will never send users a DM.

All official user communications from Instagram are sent via email, and will also be visible in the Emails from Instagram tool we mentioned previously.

Also be mindful of the fact that hackers can gain access to the account of someone you know or follow and contact you as that person so if something looks suspicious or seems too good to be true, don’t be afraid to question it.

Then of course there’s basic online security best practice which applies everywhere, not just Instagram and that includes things like:

  • Creating strong passwords and never using the same password on different services
  • Never sharing your personal details and particularly your login details with someone you don’t know and trust
  • Restricting third-party access to your social media accounts
  • Backup, backup and backup again

We do hope that you found this post to be an interesting read and if it’s helped you to feel more secure on Instagram, or even avoid a scam or hack yourself, then so much the better.

Stay safe out there.
