According to a recent Kaspersky report, a new phishing scam targeting popular Instagram accounts is on the rise. The report explains how hackers impersonate Instagram and try to gain access to accounts by sending users fake emails.
First of all, hackers send a fake email to users saying that their account has received a copyright infringement notice.
“Your account will be permanently deleted for copyright infringement,” claims a fake email sent from a fake Instagram support.
Surprisingly, it seems legitimate at first. But if you take a closer look at the sender's email address, you will notice the @theinstagram.com domain name.
All these fake emails contain a link that points to a malicious, phishing page hosted on a third-party server. But we will come to that later.
The email says you have just 24 hours to appeal and provides a “Review complaint” button. In some cases, it provides a "Verify account" button. If you click it, you will end up on a phishing page that offers users a link to “Appeal.” As a further trick, the page offers a long list of language choices, but none of them work: the page stays in English.
It will then ask you to submit your username and password. To make the whole thing look even more legitimate, it will show a message "We will review your feedback" after you submit your credentials. Users will then be redirected to the official Instagram website.
The moment you submit your Instagram login credentials, your account is compromised, since the attacker now has the username and password you entered.
However, the Kaspersky report raises a very important question: How does an attacker know about the email address associated with a particular Instagram account? We have reached out to Instagram for a comment on this story.
1. Pay attention to suspicious links
Always be careful about the links you open in your browser. If you find anything suspicious, don't click. These phishing scams depend on a little bit of trickery: malicious pages impersonate the real ones so that users fall for the scheme.
2. Make use of official apps
Make sure you download or update Instagram through official channels (Google Play Store for Android and App Store for iOS).
3. Be careful about verification
Simply refrain from entering your account login credentials for authentication and verification purposes on third-party apps and services.
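The sender-domain and link checks described above can be automated on the receiving side. The following is an added example, not code from Kaspersky or Instagram: it assumes `instagram.com` is the only official domain, and the sample message, its local part `support` and the host `phish.example.net` are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: the allowlist of official domains; adjust for your own brand.
OFFICIAL = {"instagram.com"}
BRAND = "instagram"

def classify(host):
    """Return 'official', 'lookalike' (brand name in an unofficial host) or 'third-party'."""
    host = host.lower().rstrip(".")
    # Match the exact domain or a true subdomain. A bare endswith("instagram.com")
    # would wrongly accept theinstagram.com.
    if any(host == d or host.endswith("." + d) for d in OFFICIAL):
        return "official"
    return "lookalike" if BRAND in host else "third-party"

def audit(raw):
    """Classify the From domain and every link host in a raw email message."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    sender = addr.rpartition("@")[2]
    # Collect the decoded text of every non-multipart part.
    body = "".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace")
                   for p in msg.walk() if not p.is_multipart())
    urls = re.findall(r"https?://[^\s\"'<>]+", body)
    hosts = {urlsplit(u).hostname or "" for u in urls}
    return {"from": (sender, classify(sender)),
            "links": sorted((h, classify(h)) for h in hosts)}

# Constructed sample modelled on the email described in the article.
SAMPLE = """From: Instagram Support <support@theinstagram.com>
To: user@example.com
Subject: Copyright infringement notice
Content-Type: text/html

<p>Your account will be permanently deleted for copyright infringement.</p>
<a href="https://phish.example.net/appeal">Review complaint</a>
<a href="https://help.instagram.com/">Help</a>
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A From header can be forged, so an "official" result here is not proof that a message is genuine; a "lookalike" or "third-party" result is the useful signal.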