A new Instagram scam seems to be going around, and it’s pretty serious. It’s a good old phishing scam, designed to look just like a message from Instagram. But the scammers behind it will hijack your account and ask for money to give it back to you – and the ransom goes up to $40,000.
The scam is targeting accounts with a high follower count, many influencers being among them. So, if you, like me, have 200-ish people following you, you’re most likely safe. Still, a lot of photographers and filmmakers have tens or hundreds of thousands of followers, and they can easily become a target, too.
What does the Instagram scam look like?
It starts with a message notifying you that one of your photos was reported for copyright infringement:
“We recently received a report of a photo posted on your Instagram. An image of your album is reported to contain copyright content.
If no objection is made about the copyrighted work, we will need to remove your account. Please fill in the appeal form.”
There’s a “Go to Appeal Form” button below the message, inviting you to click on it. It contains a link that will take you to what seems to be an Instagram login page. If you enter your credentials – it’s done. The scammers have your username and password, which they will immediately change, and they will ask you to pay to get your account back.
According to Secureworks, your new username will be a variation of “pharabenfarway,” and the scammers will add a line to your bio reading “this Instagram account is held to be sold back to its owner.” There will also be a shortened WhatsApp domain (wa.me) and a contact number. When you click on it, it opens a WhatsApp chat conversation with the scammers. Alternatively, the scammers might contact you via text message if your phone number was in your Instagram profile. In both cases, they will negotiate a ransom in exchange for access to the account. The same source notes that the scam first began in August 2021 and that the ransom can reach up to $40,000.
I’m honestly not even surprised to hear about yet another Instagram scam. I’ve seen so many of them, targeting profiles with giveaways, or just random profiles. Some of them cost users only $14 or so, but this one can turn out to be way more expensive. And the problem with scams like this is that, at first sight, they seem totally legit. But if you’re extra careful, you can avoid even the most believable ones.
How can you avoid the Instagram scam?
There are a few ways to avoid falling for a scam. I’ve mentioned them a few times so far, but I think it’s not bad to include them all here again.
First, pay attention to the language. Scammers often use Google Translate for writing messages in English, and we all know Google Translate is far from being flawless. Check for any weird mistakes, inconsistent sentences, etc. Even if you can’t point your finger at specific mistakes, if your gut tells you that something is wrong – it most likely is.
But what if the language is perfect? In that case, see who sent you the message. If you got an email, check whether it has an @instagram domain. If it’s a Gmail, Hotmail, Yahoo, or any other random domain – just ignore it and report it as spam. However, in some cases, you can get an email that seems super-believable as it is seemingly sent from an Instagram email address. In that case, open your Instagram app and go to Settings > Security > Emails from Instagram. The email is legit only if the message is listed there too.
In case you get a message on Instagram, check the profile it came from. If it’s a random person (usually with a private profile and very few or no followers), just report and block them.
If everything seems legit and you get a button or link to click on, but it asks for your login credentials – run, Forrest, run! Instagram will ask for your credentials when downloading your data or changing your username and password. But Instagram will not ask for your username and password in messages.
Finally, Secureworks lists domains and IP addresses that may contain malicious content, so you should consider the risks before opening them in a browser.
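The sender and link checks described above can be expressed as a short Python sketch. This is an added example, not code from Instagram or Secureworks; the trusted-domain list, the function names and all sample addresses and URLs are constructed assumptions.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption for this example: the only domain treated as genuine.
TRUSTED_DOMAINS = ("instagram.com",)

def is_instagram_host(host):
    """True only for a trusted domain itself or a real subdomain of it."""
    host = (host or "").strip().rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def check_sender(from_header):
    """Judge a From header by its address domain, ignoring the display name."""
    _display, addr = parseaddr(from_header)
    if addr.count("@") != 1:
        return "reject: no valid address"
    domain = addr.rsplit("@", 1)[1].lower()
    if not is_instagram_host(domain):
        return "reject: sender domain is " + domain
    # A From header can be forged, so a matching domain is not proof.
    return "verify: confirm under Settings > Security > Emails from Instagram"

def check_link(url):
    """Judge a link by its real hostname, not by text that merely contains 'instagram'."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not is_instagram_host(parts.hostname):
        return "reject: not an https Instagram link (host: %s)" % parts.hostname
    return "ok: link host is an Instagram domain"

if __name__ == "__main__":
    # Constructed samples: one plausible sender and link, then lookalikes.
    senders = [
        "Instagram <security@mail.instagram.com>",
        '"Instagram Support" <ig.help.center@gmail.com>',
        "Instagram <appeals@instagram.com.copyright-form.example>",
    ]
    links = [
        "https://www.instagram.com/accounts/login/",
        "https://instagram.com.login-appeal.example/accounts/login/",
        "https://instagram.com@login-appeal.example/",
    ]
    for s in senders:
        print(s, "->", check_sender(s))
    for u in links:
        print(u, "->", check_link(u))
```

A sender that passes the domain check still only earns a "verify" result, because the in-app list of emails is the check that cannot be spoofed from outside.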
I hope that I’ve covered all major ways for checking whether that “message from Instagram” is legit or just another scam. If not, feel free to add to this article, and stay extra safe out there.