Instagrammers Beware: New Scam Uses Fake Two-factor Authentication

Two-factor authentication (2FA) is a security feature designed to prevent unauthorized access to many online accounts, like your email account and your social media accounts. If you enable two-factor authentication, you’ll be asked to enter a special login code or confirm your login attempt each time access to your account is attempted from an unauthorized device. Scammers are taking advantage of that additional level of security to create a believable phishing email, in this case targeting Instagram users

In brief, cybercriminals send potential victims fake emails pretending to be from Instagram’s technical support team. They claim that there has been suspicious activity on the account and provide a link and an activation code to log in. Of course, the link is fake, but because the scammers use the pretext of 2FA security, the account holder might be convinced to enter their user ID and password. And because people often use the same password for multiple accounts, the scammer may then have access to more than just the user’s Instagram account. 

What can you do to protect yourself?

  • Log in via known addresses or apps, not by following links. You can always contact the support team of the real company to confirm that they contacted you.

  • Look closely at the sender address, and hover your mouse over any links to confirm where they lead. In this case, although the communication purported to be from Instagram, the link in the email pointed back to a domain in the Central African Republic.

  • Remember or review the authentication methods you selected for your account. For Instagram, you either selected text message (SMS) codes or a third-party authentication app as your primary security method; email codes aren’t even an option. 

About Cybersafe

The Division of Information Technology is dedicated to informing the community of the latest cybersecurity threats. Visit and stay tuned for emails from [email protected] for the latest from the Cybersafe campaign at FIT.

Be aware—and be cybersafe!