BruCERT has received an alarming number of reports from users whose Instagram account has been taken over, with a demand for ransom to be paid in order to regain access to their account. The main targets are Instagram business accounts or personal accounts with many followers and their contact number in their profile.
First, the user receives a WhatsApp message from a foreign number claiming to be from Instagram, informing them of copyright infringement complaints from other Instagram users. The message also contains a link to an Objection Form, where the user is required to provide their business Instagram username and password. After submitting their credentials, the user’s Instagram account will be compromised, and they will be asked to pay a ransom.
Research shows that users who have not enabled two-factor authentication are unlikely to regain control of their account
- The user loses access to their Instagram account.
- The scammer will then use the account for impersonation or blackmailing.
- Financial loss if ransom is paid
- Enable two-step verification for social media, email, and other important accounts.
- Click links with caution. Social media accounts are regularly hacked. Never click on any links received from an unknown sender.
- When receiving an unexpected message, take some time to think about the legitimacy of the message. Look out for language or content that does not sound right. Notices from Instagram would most likely be sent as a notification through Instagram or email, not WhatsApp.
- Keep an eye on your Instagram login activity and monitor the list of devices currently logged into your account.
Settings > Security > Login Activity
- Be aware of fake Instagram notifications. Instagram has a helpful feature called “Emails from Instagram” that lets you see any communications the company sends to you. Use this feature every time you think someone is trying to get into your account by sending you emails pretending to be from Instagram.
Settings > Security > Emails from Instagram
- If your credentials have been compromised, reset your password. Create a strong password with a minimum of 10 characters and a combination of letters, numbers, and special characters, or use a passphrase. Change your password every 3-6 months.
- Use a different password for each of your accounts.
- Limit the sharing of personal information (e.g., full name, birthdate, address, phone number) on social media as an attacker can take advantage of your personal details.
- Take time to browse all the privacy settings and control who can see your profile, past posts, and future posts. Make sure your phone number and email address are hidden from public view.
- Familiarize yourself with the privacy policies of the social media channels you use.
- Protect your computer and devices by installing antivirus software and set it to update automatically.