Spoofing attacks on Instagram

Little Red Riding Hood. We all know the story, right?

An innocent little girl is fooled by a wolf into thinking that her granny is lying in bed, sick. Meanwhile, said wolf has actually eaten the granny and is lying in wait (in the granny’s clothes) for the girl to visit.

This is a spoof attack – albeit a simplistic one.

And this type of attack occurs on- and off-line.

I’ve become aware this past week of a number of bloggers and social media influencers falling victim to spoof attacks, all of a similar nature, which has culminated in them being blackmailed for up to £3000 or losing access to their prized Instagram accounts.

Some of you may be wondering what the “big deal” about losing access to your Instagram is. For many, it won’t make much difference – maybe losing access to a couple of hundred photographs.

For others, it’s their last five years’ (and more) work; it’s building an audience, a clan, that buys their products or courses.

We, of course, also know that some big companies pump some big money into marketing on these platforms with these influencers as their billboard.

So yes, it’s a big deal.

The scam, though, is relatively simplistic.

It starts with the target receiving an email offering the opportunity to collaborate with a well-known brand. Cleverly, the email appears to link to the brand’s Instagram page, but it doesn’t actively encourage you to visit Instagram. Instead, the link goes to the “company’s store”, with the brand’s Instagram URL as the visible link text.

For the sake of those searching their preferred search engine to find out more, I’ve included the email below:


I am creative and ad manager from @instagram-username. I’ve been following your blog since 2017.

I show your recent post to creative director of @instagram-username . Your recent post really resonated with me and my team, and we have an offer to you. We thought it was something our (@instagram-username) audience would appreciate, so we want to buy advertisement on your page with photo in our outfit and with mark of our brand.

Our outfits for advertisement you can find here: [instagram URL here, with a link]

I wanted to get in touch with you to discuss details of collaboration that would bring value to both our audience.

Creative and AD manager (@instagram-username)
ProSMM Team, New York

Once you click the link, you land on the Instagram login page.

[Image: the “Instagram” login screen – the login screen presented after clicking the link in the email]

Enter your login details to access the company’s Instagram profile and, sure enough, you get redirected to the company’s profile – verified, thousands of followers, thousands of photos, all legitimate.

But, let’s back up a bit. Where’s the hack? I’ll give you 10 seconds.

Worked it out, yet?

No, not some dodgy software downloaded in the background. Nor is it cookies-related.

The Instagram login page you enter your details into isn’t actually an Instagram login page.

[Image: the fake Instagram login page – check the address bar; that doesn’t look like Instagram.com]

It’s spoofed. It’s a fake.

[Image: the real Instagram login page – the real Instagram login screen]

Entering your login details actually sends them directly to the hackers. Your username and password are stored with them forever. They probably get alerted, too, that someone else has fallen for their trick and – whilst you browse the profile you landed on – they quickly log in to your account and change your password and email address.

So simple, right?

Shortly afterwards, you’ll receive an email stating they’ve taken control of your Instagram; you can’t request a forgotten password email – because they’ve changed the email address on the account. But you can get the account back for however-much-they-want – or face having the whole account deleted.

For added pressure, they throw in a time-limit too.

Meanwhile, they’re probably probing Facebook, Twitter, your website and countless other websites and services with the username, email address and password you just handed them, to see if they work over there too – because over half of internet users surveyed in 2018 admitted to using the same password for all of their accounts.

Don’t become a victim.

  1. Don’t use the same password for every account you have. Use a password manager like LastPass to generate and store your passwords securely. Using something like LastPass means that you only need to remember one password (the master), and implementing 2-factor authentication too means that you make it virtually impossible for anyone to access your accounts.
  2. Check the email sender address. If they’re claiming to be from company XYZ, their email address is likely to be [email protected] – not [email protected] or similar. Also, does the “name” of the email sender match the name they use in the actual email content, either when introducing themselves or bidding farewell?
  3. Unless you were expecting an email or SMS with a link included, don’t click on the link without checking it out first! Right-click on the link and choose “open in incognito window” or “open in private tab”, then check the URL in the address bar. Does the address match where you were expected to go?
  4. If you aren’t sure about a link in an email, type the website address in yourself manually.
  5. Before entering a password or username, check the website address bar for a padlock and/or “https://”. This means the connection is encrypted, making it harder for criminals to intercept the information in transit.

If you aren’t sure, don’t click or enter details. It’s OK to leave it and ask for advice from a family member, friend or associate.

Fallen victim to a spoof attack? Contact the website’s support team immediately and, where appropriate, the police or Action Fraud (for example, where financial transactions have occurred).
