INSTASCAM

Warning over Instagram scam that lets hackers hijack your account – how to spot dodgy email

A NEW Instagram scam campaign is attempting to trick people into handing over their login details.

Hackers use phishing emails to send fake Instagram login alerts claiming that someone has tried to access the target's account.

Security researchers shared this (edited) photo of one of the scam messages. Obviously, the red "fake" sign does not appear in the real email... Credit: Sophos

The user is asked to click on a link in the message and plug in their login details to confirm their identity.

However, this simply hands your username and password to hackers who can then hijack your account and steal your personal details.

The new scam was uncovered by researcher Paul Ducklin from cyber security outfit .

"Social media passwords are valuable to crooks, because the innards of your social media accounts typically give away much more about you than the crooks could find out with regular searches," he said.

Clicking the link takes you to this very realistic fake sign up page for Instagram. Credit: Sophos

"Worse still, a crook who’s inside your social media account can use it to trick your friends and family, too, so you’re not just putting yourself at risk by losing control of the account.

"Indeed, we now see more phishing attacks that are going after email and social media passwords than we do attacks against online banking accounts."

Ducklin said the hoax emails are so convincing because they use fake two-factor authentication (2FA) codes.

These are the unique codes Instagram emails to you whenever you can't remember your login details.

Here's Instagram's real sign up page, for comparison. Credit: Sophos

Describing the fake codes as a "neat touch", Ducklin said they're likely to lull victims into a false sense of security.

The malicious link that comes with the email is cleverly secured with a valid HTTPS certificate, and displays a green padlock on your browser – which normally indicates a site is safe.

It looks just like the Instagram signup page, and asks you to plug in your email, full name, username and password.

Fortunately, there are still telltale signs that give the fake page away, Ducklin said.

A NEW Instagram scam campaign is attempting to nick people's login details. Credit: PA:Press Association

The domain (that's the bit that ends ".co.uk" on British sites) is ".cf", meaning the site originates from the Central African Republic.

"If you click through, you ought to spot the phishiness from the domain name alone," Ducklin said.

"If we had to guess, we’d suggest that the crooks didn’t get quite as believable a name as they wanted because they went for a free domain name.

"CF is one of many developing economies that gives away some domains for nothing in the hope of attracting users."

Instagram – the key facts

Here's what you need to know...

  • Instagram is a social network for sharing photos and videos
  • It was created back in October 2010 as an iPhone-exclusive app
  • A separate version for Android devices was released 18 months later
  • The app rose to popularity thanks to its filters system, which lets you quickly edit your photos with cool effects
  • When it first launched, users could only post square 1:1 ratio images, but that rule was changed in 2015
  • In 2012, Facebook bought Instagram for $1billion in cash and stock
  • In 2018, some analysts believe the app is worth closer to $100billion
  • In October 2015, Instagram confirmed that more than 40billion photos had been uploaded to the app
  • And in 2018, Instagram revealed that more than a billion people were using the app every month

In the fake email, there are also spelling errors and misplaced punctuation that give the scammers away, he added.

To protect yourself, avoid sign-in links in any emails sent to you – always go to the site directly to log in.

Make sure you check the domain name for misspellings or strange domains. If it looks wrong, assume it is wrong and ignore it.

Lastly, if you think your account may be compromised, use that site's official channels for recovering it rather than relying on emails.
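
The domain check described above can be automated for links pulled out of a suspicious email. The following is an added example, not part of the original article or of Sophos's research; the trusted-domain list, the suspect-TLD list and the sample links are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: hosts accepted as genuinely Instagram's (not taken from the article).
TRUSTED_DOMAINS = {"instagram.com"}
# The article's fake page used ".cf"; extend this set with other free TLDs as needed.
SUSPECT_TLDS = {"cf"}


def check_link(url: str) -> list[str]:
    """Return the reasons a sign-in link looks wrong (empty list = nothing flagged)."""
    reasons = []
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return ["no hostname in link"]
    # Text before "@" is login info, not the site: https://instagram.com@other.host/
    if parts.username is not None:
        reasons.append("userinfo before '@' hides the real host")
    # Internationalised (punycode) labels can imitate Latin letters.
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label in hostname")
    tld = host.rsplit(".", 1)[-1]
    if tld in SUSPECT_TLDS:
        reasons.append(f"unexpected top-level domain .{tld}")
    # Trusted only if the host IS the domain or ends with ".<domain>";
    # merely containing the brand name is not enough.
    trusted = any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)
    if not trusted:
        reasons.append(f"{host} is not an expected Instagram domain")
    # Deliberately no credit for "https": the fake page had a valid certificate.
    return reasons


# Constructed sample links (not the URLs used in the campaign).
SAMPLES = [
    "https://www.instagram.com/accounts/login/",
    "https://instagram-login-alert.cf/confirm",
    "https://instagram.com.account-check.example/login",
    "https://instagram.com@203.0.113.7/login",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", check_link(link) or "nothing flagged")
```

Only the first sample passes; the other three are flagged even though every one of them starts with "https".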
