Instagram Users Targeted With Most Realistic Phishing Scam To Date

August 30, 2019

Oh Instagram. How we love you, but so do the scammers and phishers. Researchers at Sophos have come across another scam targeting Insta-users that is so realistic it is difficult to tell it is merely another scam, one that is out not to post that perfect Insta-photo but to harvest your sign-in credentials. There is good news, however: there are definite mistakes that clearly mark it as a fake, and below are some specific details to help you spot it right away.

The ruse tries to get the email recipient to click a link that comes with a supposed two-factor authentication (2FA) code. The message claims the user must enter that code when logging in to prove their identity, because there has supposedly been an unauthorized login to the account. Clicking the link leads to a fake Instagram login page. The Sophos researchers found it far more believable than the standard phishing email messages seen so far.

But there are errors, as is almost always the case with phishing email messages. First, the URL. It ends in ".cf", the country-code domain of the Central African Republic, while Instagram's real login page lives on instagram.com. This is a good reminder of why you should always double and even triple check the URL before entering any login credentials. Typosquatting (registering a domain name that differs only slightly from a legitimate one so that it looks authentic) is on the rise, and those who practice it are getting craftier all the time. If you are visiting your financial institution's website, for example, be 100% sure it is the real one. It is always best to bookmark the site once you know the address is correct and use that bookmark every time.

There are typos and punctuation errors too. Look for those; they remain a standard clue that an email message is phishing.

In addition, the real Instagram login page has a button to log in with your Facebook account. That button is missing on the fake page.

Good advice is never to click links in email messages you are not expecting. Even if the message claims there was an unauthorized login to your account, don't click it. Log in to the site the way you typically do (using a bookmark or the app, for instance) and check any notifications there. This is especially important if you need to confirm your account information or change your password.

Unfortunately, looking for the padlock and "https:" will not help on this one. The scammers obtained a valid certificate for their domain, so the padlock is there. A padlock only means your connection to that site is encrypted; it says nothing about who owns the site. While you should never enter your login credentials on a website that does not have the padlock, these days you cannot treat it as a telltale sign of a safe site either. You have to keep up with current and evolving threats and use your sixth sense. If it is triggered, listen.
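The two checks above (look at the domain, not the padlock) can be turned into a small triage routine. The following is an added example written for this page; it is not code from Sophos or from Stickley on Security. The expected-domain list, the similarity threshold, the function names and the sample URLs in the demo are assumptions constructed for illustration, and the registrable-domain helper is deliberately naive (last two labels only).

```python
"""Triage a login-page URL the way the article advises: judge the host,
not the padlock.

Added example, not code from Sophos or Stickley on Security. EXPECTED_DOMAINS,
LOOKALIKE_THRESHOLD, the function names and the sample URLs below are
assumptions constructed for this illustration.
"""
import difflib
from urllib.parse import urlsplit

# Registrable domain(s) on which the genuine login page is served (assumption
# for this example; a real deployment keeps such a list per brand).
EXPECTED_DOMAINS = ("instagram.com",)

# Similarity above which a domain label is treated as a typosquat candidate
# (assumed threshold; tune it against your own false-positive budget).
LOOKALIKE_THRESHOLD = 0.8


def registrable_domain(host: str) -> str:
    """Naive eTLD+1: the last two labels of the hostname.

    Good enough for single-label TLDs such as .com or .cf. A Public Suffix
    List lookup is needed to handle multi-label suffixes like co.uk.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage_login_url(url: str, expected=EXPECTED_DOMAINS) -> dict:
    """Classify a URL as 'expected-domain', 'suspicious' or 'unknown-domain'.

    The scheme is reported but deliberately does not influence the verdict:
    an https padlock shows only that the connection to that host is
    encrypted, not that the host belongs to the brand.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    findings = []

    if reg in expected:
        verdict = "expected-domain"
    else:
        brand, tld = reg.rsplit(".", 1) if "." in reg else (reg, "")
        for exp in expected:
            exp_brand, exp_tld = exp.rsplit(".", 1)
            if brand == exp_brand and tld != exp_tld:
                # The article's case: right name, wrong TLD (.cf instead of .com).
                findings.append(f"brand label matches {exp} but TLD is .{tld}")
            else:
                # Typosquat check: near-identical label under any TLD.
                ratio = difflib.SequenceMatcher(None, brand, exp_brand).ratio()
                if ratio >= LOOKALIKE_THRESHOLD:
                    findings.append(f"{reg} resembles {exp} (similarity {ratio:.2f})")
            # Brand used as a subdomain of an unrelated registrable domain,
            # e.g. www.instagram.com.<something>.cf
            if host != reg and exp_brand in host:
                findings.append(f"{exp_brand} appears as a subdomain of {reg}")
        verdict = "suspicious" if findings else "unknown-domain"

    return {
        "host": host,
        "registrable_domain": reg,
        "https": parts.scheme.lower() == "https",
        "verdict": verdict,
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed sample URLs (not taken from the campaign described above).
    for sample in (
        "https://www.instagram.com/accounts/login/",
        "https://instagram.cf/accounts/login/",
        "https://www.instagram.com.login-check.cf/",
        "https://instagrarn.com/accounts/login/",
        "http://example.org/login",
    ):
        result = triage_login_url(sample)
        print(f"{result['verdict']:16} https={result['https']!s:5} {sample}")
        for finding in result["findings"]:
            print(f"    - {finding}")
```

Note that every suspicious sample in the demo is served over https and would show a padlock; the verdict comes entirely from the hostname. The naive `registrable_domain` helper is the weak point of this sketch: a production version should use the Public Suffix List and also decode punycode (`xn--`) hostnames before comparing labels, since homoglyph domains defeat a plain string comparison.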

Stickley on Security
Published August 26, 2019