Instagram is a very popular social network, so it is no surprise that Instagram phishing is popular too. According to a study published by Hootsuite and We Are Social, Instagram is the 5th most downloaded application, with 1.221 billion active users. The same study shows a 63.6% increase in Instagram users aged 55 to 64, so Instagram is continuing to grow among an increasingly diverse demographic.
Instagram is built around the publication of highly visual content, photos and videos, and around instant messaging. As with any social network, attackers can abuse the communication features built into the Instagram application itself, or take over accounts through more conventional phishing strategies such as credential harvesting.
In this article, we will address the impacts of such an attack, the scenarios in which they can occur, and how to protect yourself.
Impact of hacking an Instagram account:
Whether you are an individual or a business, a hijacked Instagram account has many consequences, from the disclosure of confidential information to damage to your brand image.
The most immediate one is access to your private messages: whoever controls your account can read every conversation and extract the private data it contains.
If you exchange confidential information through this messaging system, for example, during customer support conversations or sensitive communications with partners or influencers, you risk having this information exposed or exploited to your detriment.
Identity theft and escalation:
With access to your messages, the hacker can impersonate you to manipulate, and in turn compromise, the people you communicate with. Your image, your relationship with these people and their own security are all affected.
If you are used to exchanging messages through Instagram's messaging system, messages sent in your name will be hard for your contacts to spot: they appear inside existing conversations, from your own account, and so raise no suspicion.
Another significant risk is unauthorized publication: a hacker with access to your account can publish on your behalf and directly reach your entire audience.
If you have an advertising budget on the platform, the hacker can even boost the publication and promote it to a wider audience, increasing its exposure. Your reputation can be damaged, with a significant impact on your business.
In 2013, Burger King's Twitter account was hijacked. The attackers swapped the profile picture and description for McDonald's branding and spread the fake news of "Burger King being bought by McDonald's due to the flop of the Whopper."
Another example dates from 2015, when a group of hackers calling themselves "CyberCaliphate" hijacked the Twitter account of US Central Command to post the message "American soldiers, we are coming, watch your back, ISIS" before the account was suspended.
Where an advertising budget is attached to the account, the impact is also financial: the hacker can operate the advertiser account and spend your funds for their own purposes.
They also gain access to the billing information used for advertising and can use it against you after the attack, which makes impersonating you even easier.
Examples of Instagram phishing scenarios:
There are many phishing scenarios that can lead to the theft of Instagram accounts. Here are four examples, but remember that hackers are creative and new pretexts are devised every day.
Security alert:
An example of a scenario that is often exploited in phishing simulations is the security alert. You receive an email indicating a new login to your account from "Android by Igor," accompanied by a link to verify the login. Assuming you are not named Igor and you own an iPhone, the message is quite disturbing. The link leads to a fake page that looks exactly like the Instagram login page and exists only to steal your credentials; the look of the page proves nothing, only the address it is served from does.
Copyright violation alert:
In this scenario, the target receives a notification from a fake Instagram help center indicating a complaint for copyright violation and a risk of account deletion. Hackers combine several psychological triggers, including urgency and fear, to push you to click a link leading to a fake Instagram contact form whose sole purpose is to collect your login credentials and personal information.
Obtaining verified status:
Some Instagram accounts have a special status, with a symbol conferring more authority and legitimacy on the network. These are the famous verified badges.
Hackers do not hesitate to send phishing emails asking you to log in, supposedly to validate the verified status of your account.
Exploitation via instant messaging:
Exploiting instant messaging is another Instagram phishing scenario. The hacker contacts you from an account created for the occasion, or from a legitimate account that has itself been hijacked, which lends the message credibility.
The objective is to arouse your curiosity, for example by informing you of a raffle with an attractive prize. The link redirects you to a form that collects your personal information for later exploitation. The messaging system is then simply a different delivery vector from email for the same phishing purpose.
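All four scenarios above end the same way: a link that looks like it belongs to Instagram but leads to a page controlled by the attacker. The following script, an added example that is not part of the original article, shows the checks a practitioner applies to such a link before clicking it: the scheme, the part of the URL that is actually the host, lookalike and internationalised host names, and whether that host really sits under the expected domain. The sample links are constructed for illustration and do not come from a real campaign; treating only instagram.com and its subdomains as acceptable is an assumption made here.

```python
"""Check whether a link that claims to lead to Instagram really points at an
Instagram host. Added example, not from the original article; the sample
links below are constructed for illustration and are not real campaigns."""
from urllib.parse import urlsplit

# Assumption: only the apex domain and its subdomains are acceptable
# destinations for a login or "verify your account" link.
TRUSTED_APEX = "instagram.com"


def is_trusted_host(host):
    """True only for the apex domain itself or a real subdomain of it."""
    host = host.lower().rstrip(".")
    return host == TRUSTED_APEX or host.endswith("." + TRUSTED_APEX)


def check_link(url):
    """Return (verdict, reason); verdict is 'ok' or 'suspicious'."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "suspicious", f"scheme is {parts.scheme!r}, expected https"
    # .hostname strips userinfo and port, so "trusted@evil" tricks are exposed
    host = parts.hostname
    if not host:
        return "suspicious", "no host in URL"
    if parts.username is not None:
        return "suspicious", (f"text before '@' ({parts.username!r}) is not the host; "
                              f"the request goes to {host!r}")
    if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        return "suspicious", f"internationalised host {host!r} may be a homograph"
    if not is_trusted_host(host):
        return "suspicious", f"host {host!r} is not under {TRUSTED_APEX}"
    return "ok", f"host {host!r} is under {TRUSTED_APEX}"


def scan(links):
    """Map each link to its verdict so a batch pulled from a mail can be triaged at once."""
    return {url: check_link(url) for url in links}


# Constructed sample links: one genuine-looking destination and several
# of the tricks fake login pages rely on.
SAMPLE_LINKS = [
    "https://www.instagram.com/accounts/login/",              # real host
    "https://instagram.com.verify-login.example/",            # trusted name as a subdomain of another domain
    "https://instagram.com@evil.example/login",               # userinfo trick, request goes to evil.example
    "http://instagram.com/accounts/login/",                   # plain http, can be intercepted or spoofed
    "https://lnstagram.com/accounts/login/",                  # typo-squat: 'l' instead of 'i'
    "https://\u0131nstagram.com/accounts/login/",             # homograph: dotless i
    "https://evil.example/?next=https://www.instagram.com/",  # trusted name only in the query string
]

if __name__ == "__main__":
    for url, (verdict, reason) in scan(SAMPLE_LINKS).items():
        print(f"{verdict:10s} {url}\n           {reason}")
```

Only the first sample link is accepted. The userinfo case is the one most people miss: everything before the `@` is ignored by the browser, so a link that starts with `https://instagram.com@` is sent to whatever follows it.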
Measures to protect against Instagram phishing:
The first protection against credential theft is a good password strategy. Your password should be:
- Unique, so that a breach of another service does not compromise your Instagram account, and a theft of your Instagram password does not compromise your other accounts.
- Randomly generated, so that it cannot be guessed from publicly available information (names, birthdays, pets, places) and is not a variation of a previous password.
- Long and drawn from a large character set, so that enumerating every possible combination is infeasible; a password manager is the practical way to meet all three requirements at once.
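The three rules above can be made concrete. The script below is an added example, not part of the original article: it generates a password from the operating system's cryptographic random source and audits an existing password against each rule, reporting reuse, fragments that come from public facts about the owner, and an estimate of how long brute force would take. The guess rate (10 billion per second), the minimum strength (75 bits) and the profile words in the usage are assumed figures chosen for illustration, and the entropy figure is an upper bound that assumes the attacker knows nothing beyond length and character classes.

```python
"""Audit a password against the three rules (unique, randomly generated,
complex) and generate one that satisfies them. Added example, not from the
original article; the guess rate and minimum-entropy threshold are assumed
figures chosen for illustration."""
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
MIN_BITS = 75              # assumption: reject anything below this estimated strength
GUESSES_PER_SECOND = 1e10  # assumption: offline cracking rig against a fast hash


def generate_password(length=20, alphabet=ALPHABET):
    """Random password from the OS CSPRNG via secrets; random.choice would be predictable."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def charset_size(password):
    """Size of the smallest standard character set the password could have been drawn from."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return size or 1


def entropy_bits(password):
    """Upper bound on strength: assumes the attacker knows only length and
    character classes. A password built from words or dates is far weaker
    than this number suggests, which is why the 'random' rule exists."""
    return len(password) * math.log2(charset_size(password))


def expected_crack_seconds(bits, guesses_per_second=GUESSES_PER_SECOND):
    """Average time to hit the password by brute force (half the space on average)."""
    return 2 ** bits / 2 / guesses_per_second


def audit_password(password, profile_words=(), other_passwords=()):
    """Return a list of rule violations; an empty list means all three rules hold."""
    findings = []
    if password in other_passwords:
        findings.append("not unique: already used for another account")
    hits = [w for w in profile_words if len(w) >= 4 and w.lower() in password.lower()]
    if hits:
        findings.append(f"not random: contains public facts {hits}")
    bits = entropy_bits(password)
    if bits < MIN_BITS:
        days = expected_crack_seconds(bits) / 86400
        findings.append(f"not complex: ~{bits:.0f} bits, cracked in ~{days:.1f} days")
    return findings


if __name__ == "__main__":
    # Constructed profile: pet name and birth year visible on a public account.
    public_facts = ["Fluffy", "1987", "Paris"]
    reused = {"fluffy1987"}  # constructed: same secret already used elsewhere
    for finding in audit_password("fluffy1987", public_facts, reused):
        print("weak password:", finding)
    strong = generate_password(20)
    print("generated:", strong, f"(~{entropy_bits(strong):.0f} bits)",
          audit_password(strong, public_facts, reused) or "passes all rules")
```

Note that the estimate for the weak password is generous: a cracking tool tries dictionary words and years long before exhausting the character space, so a real attacker finds "fluffy1987" in seconds rather than days. The estimate is only meaningful for passwords that were actually generated at random.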
Two-factor authentication (2FA, a form of multi-factor authentication or MFA) is another protection to enable: a stolen password alone is then not enough to log in, which makes the attack harder and deters opportunistic hackers. Prefer codes from an authenticator app over SMS, and remember that a fake login page can relay a one-time code in real time, so 2FA reduces the damage of a phished password but does not remove the need to check where a link actually leads.
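To make the 2FA point concrete, here is an added example that is not part of the original article and not Instagram's own implementation: the time-based one-time password algorithm used by authenticator apps (RFC 6238 TOTP), a server-side verifier that tolerates a little clock drift, and a function modelling what happens when a fake login page captures the victim's code and submits it to the real site. The shared secret is the RFC 6238 test key and the timestamps are constructed; that the attacker can relay the code within seconds is the assumption behind the real-time phishing caveat above.

```python
"""Minimal RFC 6238 TOTP (the codes authenticator apps display) plus a verifier
that tolerates clock skew, to show why a stolen password alone is no longer
enough and why a code relayed within its validity window still gets through.
Added example, not Instagram's own implementation; the shared secret is the
RFC 6238 test key and the timestamps are constructed."""
import hashlib
import hmac
import struct

STEP = 30    # seconds per code, the RFC default
WINDOW = 1   # accept one step either side to absorb clock drift


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret, unix_time, step=STEP, digits=6):
    """Code for the time step that contains unix_time; this is what the app shows."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, code, unix_time, step=STEP, window=WINDOW):
    """Server-side check: accept the code for the current step or a neighbouring one.
    compare_digest keeps the comparison constant-time."""
    counter = int(unix_time) // step
    return any(
        hmac.compare_digest(hotp(secret, counter + d), code)
        for d in range(-window, window + 1)
    )


def relay_attack_succeeds(secret, phish_time, submit_time):
    """A fake login page captures the victim's code at phish_time and replays
    it to the real site at submit_time. Succeeds only inside the validity window."""
    stolen = totp(secret, phish_time)
    return verify_totp(secret, stolen, submit_time)


RFC_SECRET = b"12345678901234567890"  # RFC 6238 Appendix B test key (SHA-1)

if __name__ == "__main__":
    print(totp(RFC_SECRET, 59))                        # 287082, matches the RFC vector
    print(relay_attack_succeeds(RFC_SECRET, 59, 89))   # True: relayed within one step
    print(relay_attack_succeeds(RFC_SECRET, 59, 200))  # False: the code has expired
```

The two relay calls are the whole lesson: a code phished and forwarded within about a minute is accepted, one forwarded later is not. That is why 2FA defeats an attacker who only collects passwords for later use, but not one who proxies the login as it happens, and why the link check still matters.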
Adopt more secure procedures, such as reducing the exchange of confidential information on these platforms. For customer support, for example, prioritize the use of dedicated support platforms.
Finally, it is important to raise awareness and familiarize yourself with this type of attack to understand the techniques used and create strong and lasting reflexes to protect yourself. Take the time, for example, to share this article with people who have access to your Instagram account (customer service, community managers, etc.).
In conclusion, because Instagram is often a showcase for businesses, the impact of a phishing attack is significant. Hackers know how to use different scenarios and psychological triggers to make you perform compromising actions.
Limit the exchange of sensitive information on your social networks. Opt for a strong, unique password, two-factor authentication, and awareness training, both theoretical and hands-on, within your company to build real reflexes and better protect yourself against these threats.