Instagram Influencer Accounts Are Being Hacked | Phishing Attacks

Social Media

Over the past several weeks, I have received numerous requests from victims of hacked Instagram accounts asking if I can assist with recovering their hacked account. The number of requests seems to be going up at a steady rate.

After doing a bit of research, I began to find post after post with Instagram users begging for help with recovering their accounts. There seem to be a major increase in the number of hacks especially around Instagram accounts. Why is this?

One word; phishing.

According to, phishing is

“to try to obtain financial or other confidential information from Internet users, typically by sending an email that looks as if it is from a legitimate organization.”

What type of people get phished? The truth is, anyone. Phishing attacks can look like a security notice letting you know you need to sign in to your PayPal account to confirm activity, verify your bank information, and even click to view a document that appears to be from someone you might know.

In terms of Instagram hacks, users are getting emails that look to be either from Instagram or a trusted partner, asking them to click a link where they fill out their login information. From that point on, the hackers have complete control over the account.

Let’s walk through the entire process of how @flipflopwanderers was phished. Before we begin, we strongly encourage you to not do this at home. We would hate for you to be a victim of a phishing attack.

Screenshot from received this email, which appeared to be a legitimate partnership email. Realizing afterward that it was a phishing attack, they went back and checked the link, and sure enough, it was going to the hacker’s website.

After clicking on the link, they were taken to a page that looks identical to Instagram’s login page. Take a look at the URL, it’s obviously NOT Just to see what happened, we took it a step further and entered random login information into the fields, and then submitted the form.

It then redirected us to the page, making it feel very legit. The hacker now has the login information that I entered. He will now try that, and if it was valid, he would have access. Thankfully, it was just dummy information.

Enable two-factor authentication

First off, we recommend that you enable two factor authentication on your Instagram account. If you’re not sure how to do this, follow this link to learn how. While turning on two-factor authentication can help prevent someone from randomly accessing your account, it won’t always protect you from a hack.

Let’s say you get an email from what appears to be Google Drive saying that a colleague shared a file with you. When clicking on the link to see the file, it asks for your username and password. Little do you know that this email really isn’t from Google Drive, but actually from a hacker.

Without any question, you enter your login information. The hacker has his deceptive website setup so that the information entered into his site, will automatically enter directly into Google’s actual login form.

If you have two-factor authentication enabled, the hacker will then send the code, by requesting it directly from Google. The hacker’s website will then show a field where you can enter that two factor authentication code, just like Google. The code that you enter will then be taken and entered into Google. The hacker now has full access to your account and is considered verified.

Phishing attacks can look like a security notice letting you know you need to sign in to your PayPal account to confirm activity, verify your bank information, and even click to view a document that appears to be from someone you might know.

Believe it or not, these types of phishing attacks are happening every day, so always be on your guard, especially when you receive strange emails or texts.

Prevent and Protect

You might be saying, what can I do to protect my accounts and not be phished? Great question. Let’s take a look at several tips to preventing phishing and protecting all of your online accounts.

  • Check all links in emails before clicking on them. One way of doing this is to hover your mouse over it and then the actual URL will be displayed. If it looks suspicious, delete the message and move on.
  • Don’t rush at an email’s urgency. A lot of phishing emails will trick you into clicking a link saying that your account is on hold or will be shut down in a short time frame. Now sometimes, Facebook or Instagram will have a similar email that is legitimate, but without the urgency. Instead of following any links in these types of emails, go to the website that it appears the email is from and login to your account. If it is a valid email, you will most always have an alert in your account.
  • Ask yourself this question: ‘Is this message playing my emotions?’ Unfortunately, there are quite a few phishing attacks that play on your emotions, making you feel pity, or an emotional pull to click or enter your information, such as credit card details. Hackers can pose as an organization such as the American Red Cross or other nonprofit to convince you to make a donation, where they then steal your credit card information. If you decide to make a donation and you aren’t entirely sure about the validity of the email, go to the organization’s website and complete the donation there.
  • Don’t click on any links for emails that claim you won a free prize or that you need to update account information. 1. You won’t get emails with legitimate ‘free prizes’. It isn’t valid. 2. Organizations don’t generally email asking you to update account information.

Help, I’m a victim of a phishing attack

Knowing what to do after being involved in a phishing attack can be a challenge. Let’s go over a few things that might help you to either restore your account access or catch it fast enough.
  • If you JUST fell for a phishing attack, there is chance that you still be able to secure your account. Try to login to your account again and if you can access it, make sure to change your password immediately.
  • If you are reading this because your Instagram account has been hacked, there are few things that can help you recover your account
    • DO NOT create a new Instagram account. This alone makes it almost impossible to recover your account.
    • If you receive an email from someone claiming to be the hacker, don’t respond. Focus on getting in contact with Instagram. Include some of the email content in your contact with Instagram.
    • Locate your account – It’s almost guaranteed that the hacker will change the Instagram username (handle). Finding your account username after a hack can be the hardest part of this process.  One way of doing this is to have someone who was originally following your page see if they can locate the account. Most of the time, the profile photo will be changed along with the username.
    • Once you locate the account, contact Instagram and notify them that your account was hacked. You will need tofollow these steps from Instagram. Be sure to only communicate using the email address that was on your Instagram account.
    • After you fill out all of the requested information, Instagram will send an automated email asking for you to write down a verification code and then take a picture of you holding that paper. This is the way that they can verify that it is truly you who is trying to gain access to the account. Respond to Instagram’s email with the photo and also rewrite out all of the details. For example: ‘Attached is the verification photo. Thank you so much for your help with this. It means so much. My original Instagram username was ‘iloveicecream’ and my account was hacked. The hacker changed my username to ‘hacker’. I need to gain access to my account. Please change the email on the account to ‘ ’ so I can reset the password. Thank you so much.’
    • Continuously contacting Instagram is key. Instagram isn’t the fastest with getting responses, but if you keep at it and show appreciate and concern, most of the time you can get through. (Note: as many hackers are out of the country, Instagram may send their messages in a different language. Use an online translator to read it. Respond in English (or whatever language is easier for you) and don’t mention the differences in language.) Every two hours or so, respond to the most recent email from Instagram restating the overall story, and then ask them to change the email address and to ensure two factor authentication is disabled.
    • If Instagram responds and the response doesn’t give much hope, respond with the complete story of what happened and ask for Instagram to complete a specific step for you–be appreciative.
    • While getting a hacker involved isn’t recommended, some might see differently on this. While this might get access back, you risk facing account termination as it adds an additional layer of confusion for Instagram to sort out.

Phishing attacks happen everyday. Not only do they affect Instagram users, but almost any type of online account. As we’re talking account security, it’s important to set secure passwordsfor all of your online accounts as it can help with preventing a wide variety of hacks. When it comes to online security, take it seriously and take some time to study and implement security protection.

Still have questions about phishing or security? Let us know in the comments below.

Leave a Reply