Your friend who knows nothing about cryptocurrency is posting suspiciously worded missives about how to get Bitcoin-rich, and your DMs are filled with strange links from people you never talk to. Odds are, if you get curious enough to click these links or interact with the bizarre messages, you may be the next victim of an Instagram account hack.
A 2017 study from Google and the University of California, Berkeley, found that 15% of internet users had dealt with a social media or email account hack, and Norton’s 2021 Cyber Safety Insights Report found that with 73% of Americans spending more time online than in previous years, nearly half of respondents felt like they were more vulnerable to cybercrime since 2020 started. Cybersecurity expert Kristina Podnar says that Instagram, in particular, has become a platform of choice for hackers because people engage with friends on the app and are trusting of links and messages sent through DMs. (Think about how if a friend sent you a weird link on Facebook, you would be less likely to click it.)
“Coupled with the lack of broad understanding about emerging digital technologies such as Bitcoin [which is referenced in a lot of newer scams], it is easy to get people to click on links and thus it is a hot target for scammers,” Podnar adds. (Representatives from Meta, the company that owns Facebook and Instagram, declined to comment for this article.)
What Happens If You Get Hacked On Instagram
In October, Cici*, 30, a Montréal-based graphic designer, fell for an Instagram phishing scheme that not only led to them getting hacked, but to losing control of their account permanently. “Someone I know DMed me and said ‘Hey! I need your help. Can you help me? I need to activate my new account but I need a friend to send me a link,’ so I agreed and gave them my phone number.” Using that phone number, the hacker, who had posed as Cici’s friend, tapped the Forgot Password button on the Instagram login page, which triggers a login link to be sent to the number. Not knowing what the link was, Cici forwarded it to the “friend,” which ultimately gave the hacker full control over the account. The hacker changed the password, started posting about how to make money with Bitcoin, and got to work trying to scam Cici’s friends, too.
For Rachel*, 34, a teacher, what started out as a similar verification link scam turned into a demand for ransom. “The hacker not only changed my passwords, but started extorting me.” The hacker found her on Twitter and DMed her to say that if she sent $100, they would give her the account back. Then, they raised the price. Rachel ended up sending over $500 without getting access to her Instagram.
Per Instagram’s Hacked Accounts Help Center, there are a few safeguards against hacking in place. First, the app will send you an email from firstname.lastname@example.org if your login information is changed to confirm it was you who made the changes. If you tap the link, it will revert the changes and give you a chance to change your password and block the hacker back out. The problem, according to Cici, is that the link expires. “I was at work when the email came through and by the time I clicked it, it was too late.”
If that doesn’t work, you can report the hack to Instagram by requesting support. On the Instagram login link page, tap “Need more help” (under “Send Login Link”) and follow the on-screen instructions. If your account doesn’t have any photos of you on it, Meta will send an email asking for information to verify that you own the account. If your account does feature photos of you, the second recovery option Instagram offers is an identity verification video — you record your face from multiple angles to prove who you are to the support team. Cici says, however, that Instagram didn’t accept the video selfie as proof of their identity, and they’ve given up on recovering their account altogether.
Why would scammers bother with your Instagram page in the first place, especially if you don’t have a big following? Podnar says to think of it as modern identity theft. “The Instagram account is a gateway to mining other types of data and broadening the scam.” Once a victim clicks a scam link, the hacker locks them out of the accounts by changing the recovery email and then starts leveraging the account to log in to other platforms — from your Instagram, they might hack your Facebook, then get perhaps enough information to get into your email. According to Podnar, having control over established social media profiles can be valuable for data, in addition to the money the hackers can get off holding the accounts for ransom.
Unfortunately, if your account gets hacked, there’s no easy fix to get it back — though heading to the mobile site and letting Instagram know you’ve been hacked is a good place to start. The best protection is to prevent a hack from happening in the first place. Here’s how to increase your security, back up your data, and stay alert.
Update Your Password & Increase Its Strength
To minimize the risk of a guessing or snowballing hack, which is when a hacker can log into multiple accounts with the same information, change your passwords regularly and opt for complicated ones. Podnar recommends investing in a password management tool — she likes LastPass — to help you keep track of them. These tools can also let you know if your data is breached so you can hop on and change your password. If you can’t think of a new password (and you’re an iOS user), you can use Apple’s autogenerated strong passwords, which are stored in your Keychain for safekeeping. To be extra careful, make sure that your passwords on different apps are not similar and don’t include biographical information.
Use Two-Factor Authentication
Two-factor authentication — when your apps send you a code by text message or through a third-party app every time you log on, to verify that it’s actually you — can be annoying, but Instagram offers it for a reason. “It is an easy security move that most people don’t use nearly enough,” Podnar says. To enable two-factor authentication, go to your Security Settings.
Delete Apps You’re Not Using
When your membership to an app is active, the information linked to it is live, and can potentially be used by hackers to gain access to other accounts. If you haven’t used your gym’s app in a few years, there’s no reason to maintain a presence there — especially if you used that same password for all your other apps. Podnar suggests going through all of your apps and permanently deleting the accounts you don’t use anymore, especially apps you log on to using your Facebook or Gmail account. “Online security decreases with each cross-account link we create, so this is an easy way to decrease your online risk.” You have to go into each platform’s settings to delete your account, too; don’t just delete the app off your home screen.
Check Your Recovery Settings
When you set up Instagram 10 years ago, you might have selected an email you no longer use or have access to. If you’ve never had to recover an account or reset a password, you might not even know what default email you have listed. Check all of the email accounts your social media accounts are connected to and make sure they are up to date and accessible.
Back Your Instagram Up
While you likely can’t get the messages and interactions back from an account that’s been stolen, having a backup of your Instagram posts will lessen the blow of a permanent hack. “That way, if your account is hacked and held for ransom, or if you can’t recover your account, you still have access to your important information and can request that your old account be deleted without losing those cherished memories,” Podnar says. To back up your Instagram data, head to the mobile site, tap Privacy and Security, View Account Data, Request Download, and then Download. You’ll be prompted to enter your password and then get a notification that the data will arrive in your associated email inbox when it’s ready.
Most platforms, including Instagram, are good about notifying you about suspicious activities on your account. That said, scammers can also use fake notifications to trick users into clicking links and falling into hacks. Whenever you get a safety email from an app, check the address and make sure it’s official before clicking any links — it should be from an @instagram.com address. The app will never DM you with an issue. If you got an email from Instagram and aren’t sure if it’s legit, tap Settings, Security, and then Emails From Instagram. If the email was real, it will be there for 14 days after it’s sent.
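The sender check described above, written out as a small added example (it is not code from the article or from Instagram, and the only official domain it assumes is the @instagram.com one the article names). It looks at the real address behind the display name and flags the common tricks: an Instagram-sounding display name on a foreign address, and domains that merely contain "instagram.com" somewhere other than the end.

```python
from email.utils import parseaddr

# Domain the article says genuine Instagram safety mail comes from.
# Subdomains (e.g. mail.instagram.com) are accepted; anything else is not.
OFFICIAL_DOMAINS = {"instagram.com"}


def sender_domain(from_header: str) -> str:
    """Return the lowercased domain of the actual address in a From: header.

    The display name is ignored on purpose: it is free text a scammer can
    set to anything, including something that looks like an address.
    """
    _display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def is_official_sender(from_header: str) -> bool:
    """True only if the real address is on an official domain or a subdomain of one."""
    domain = sender_domain(from_header)
    if not domain:
        return False
    return any(domain == d or domain.endswith("." + d) for d in OFFICIAL_DOMAINS)


def classify_sender(from_header: str) -> str:
    """Return 'official', 'lookalike' (Instagram branding on a foreign address) or 'other'."""
    if is_official_sender(from_header):
        return "official"
    display, _addr = parseaddr(from_header)
    domain = sender_domain(from_header)
    if "instagram" in domain or "instagram" in display.lower():
        return "lookalike"
    return "other"


if __name__ == "__main__":
    # Constructed sample From: headers, not taken from real mail.
    samples = [
        "Instagram <security@mail.instagram.com>",
        "Instagram Support <support@instagram.com.account-help.net>",
        '"security@mail.instagram.com" <alerts@example.net>',
        "Friend <friend@example.org>",
    ]
    for header in samples:
        print(f"{classify_sender(header):9s}  {header}")
```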
If you notice weird activity on your account — like photos you didn’t post, messages you didn’t send, or any changes to your bio — Podnar says to immediately change your password and force a log out of all devices on which your account is logged in. On Instagram, you can head to Security, and then Login Activity to see if anyone has used your account from a different location. To log out, head back to Security and just tap Log out.
If you miss that short window of time to change your passwords and log out, Podnar says it might be too late. “I’ve never heard of anyone having a good experience with this process,” she says, referring to recovering a hacked account. “It’s easier to be proactive and not put yourself in the position that leads to having to deal with it in the first place.”
*Name has been changed for privacy.