This is what a failed Instagram hack looks like

It's not only popular Instagram accounts that interest scammers. Every account, no matter how many followers it has, can be sold and abused.

I've been receiving strange emails over the last several months. “Sorry to hear you're having trouble with logging in to Instagram. We can help you get straight back into your account,” the email kindly informed me.

The thing is, I had zero problems logging in. It's been a while since the last time I needed to log in at all, as I am no stranger to a bit of mindless Instagram-scrolling.

With the volume of phishing attacks growing at a breakneck pace, any active internet dweller is bound to receive at least one shady email eventually. Since email spoofing – impersonating a legitimate email address – is among the most common tactics scammers use, I focused on the sender's email address, [email protected].

There were no grammar mistakes, unnecessary dots, commas, or o's swapped with zeros. After further checks, I found out that it was a legitimate Instagram email, as the official company email addresses end with

However, according to Aliza Vigderman, an industry analyst at the digital security company, that doesn't necessarily mean that the email is really sent by the company the email claims to represent.

“In theory, scammers could be able to access legitimate Instagram emails if they have the credentials of someone with access,” Vigderman explained to me in an email. “However, it's unlikely, as Instagram has many security measures in place.”

One of the security emails that were sent for several days in a row.

In-app security

Having written about many different ways scammers try to steal credentials, I thoroughly checked every nook and cranny in the supposed Instagram email. It's not necessary to take a leap of faith and to actually click the links. Most email providers allow you to see the link by hovering your mouse on top of it.

To my surprise, every single link in the email seemed to be harmless: all of them were legitimate, redirecting to a legitimate Instagram customer service page.
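The sender and link checks described above, as an added example that is not part of the original article: it parses a constructed message, checks the From domain and the receiving server's DMARC verdict, and flags any link whose real destination is not HTTPS or lies outside the expected domain. `example.com` is a placeholder for the sender's domain, and `review`, `in_domain` and `LinkCollector` are hypothetical names.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample; example.com is a placeholder for the expected sender domain.
RAW = """\
From: Support <security@mail.example.com>
Authentication-Results: mx.test; dkim=pass header.d=mail.example.com; dmarc=pass header.from=example.com
Content-Type: text/html; charset=utf-8

<p><a href="https://help.example.com/login">Get back into your account</a></p>
<p><a href="https://example.com.account-help.test/reset">https://example.com/reset</a></p>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) per <a>: what hovering over a link reveals."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def in_domain(host, domain):
    """True only for the domain itself or a real subdomain, not a lookalike prefix."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def review(raw, domain):
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1]
    # Trust this header only when your own receiving mail server added it.
    auth = msg.get("Authentication-Results", "").lower()
    collector = LinkCollector()
    collector.feed(msg.get_payload(decode=True).decode("utf-8", "replace"))
    flagged = [(href, text) for href, text in collector.links
               if urlsplit(href).scheme != "https"
               or not in_domain(urlsplit(href).hostname, domain)]
    return {"sender_in_domain": in_domain(sender.rpartition("@")[2], domain),
            "dmarc_pass": "dmarc=pass" in auth,
            "flagged_links": flagged}
```

Calling `review(RAW, "example.com")` on the sample flags only the second link, whose visible text shows the expected domain while its `href` points to a different host.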

After resorting to searching on Google, I found out that strangers on Reddit have been baffled by Instagram emails about failed login attempts that never were, too. There I learned that Instagram actually offers a way to find out whether the company delivered the email.

As it turns out, the Instagram app keeps a list of the emails the company has recently sent. Unfortunately for me, however, only emails sent within the last 14 days are shown, and I was way past that deadline.

Given the email was real, there was only one option left – someone tried to brute-force their way into my account. Having only a few hundred followers, I would have never thought anyone would be interested in such a low-profile target.

Everything's abusable

While it's quite obvious why taking over a high-profile account might interest malicious actors, be it for public damage or extortion, it's less so for accounts that wouldn't be considered valuable.

Interestingly, scammers targeting low-key accounts might signify that tools social media corporations use against fake accounts are working just fine.

“Teams behind popular social media platforms have become so successful at identifying, removing, and preventing the creation of fake accounts, it has become easier on the criminal to just take over real user accounts rather than generate and maintain their own new, fake ones,” Olivia Fryt, a security research engineer at SpyCloud, explained.

One way to abuse a hacked account is by sending spam or malicious links to unsuspecting friends in your account. There's a greater probability that someone you know will click on a link sent by you rather than an unknown account.

According to Tonia Dudley, a strategic advisor at phishing and detection company Cofense, once an account is breached, a threat actor might use it for various reasons, from embarking on a romance scam to corporate espionage.

“A threat actor that is targeting an organization to make their way into the enterprise network may use several social media platforms to gain insight into potential targets. By following targets on their personal social media accounts, they can start up a conversation using cues gained from posts,” Dudley told CyberNews.

Another reason a malicious actor might try to hack into an account is to validate whether email addresses in a data breach are real and, thus, exploitable.

“Hackers sometimes use the "reset password" functionality on sites like Instagram to validate if email addresses of interest are actually legitimate and if an account associated with the email address is in existence on the site. They can use this information to gain a clearer picture of a potential victim's attack surface and decipher their next steps of attack,” Fryt told me.

Take precaution

While it's highly unlikely scammers will retire phishing attacks any time soon, there are ways to protect against attempts to breach your account. The first action everybody needs to take is enabling multi-factor authentication (MFA) or, at the very least, two-factor authentication (2FA).

There are strong incentives to do that, as experts claim that MFA can increase the level of security by a staggering 99%. That is likely the reason why attempts to break into my Instagram account have been unsuccessful.

Creating an account-specific strong password is equally essential. Having different passwords makes it a lot harder for malicious actors to penetrate your defenses in case of a data leak. If you're reusing the same password for several accounts, it can take a single data leak to compromise large parts of your online presence.

“Create unique usernames and passwords for each account. While this can be a daunting task with the number of accounts we use in our internet engagements, start at a minimum with your social media, email, and bank accounts,” Dudley suggests.

There is a multitude of problems in trying to catch the people responsible or to get a stolen account back. Michael Jeffcoat, a legal consultant and attorney-at-law who's represented multiple clients on online privacy issues, says it's best to beef up security before it's too late.

“If you find yourself at the mercy of a phishing scam, reach out to Instagram right away. Relentlessly call and email them to ensure that their team takes action as swiftly as possible. Remember: time is of the essence. You need to recover your account before cybercriminals sell your profile for untraceable cryptocurrencies,” Jeffcoat told me.
