Account Takeover Scams on Instagram
How attackers phish Instagram login credentials, hijack accounts, and then use those accounts to scam the victim's own followers — and how to recover access and prevent it.
Last reviewed: 1 June 2026
An Instagram account takeover is damaging in two directions: the original owner loses access to their profile, followers, and content, and the account is then weaponised to scam people who already trust them. Because followers receive a message from a familiar face, they are far more likely to act on it — whether that's sending money, clicking a phishing link, or sharing personal details.
This guide focuses on how Instagram account hijacking happens, the specific tactics scammers use once they have control, and the exact steps to recover your account and protect it.
How this scam works on Instagram
The most common entry points are phishing DMs — usually posing as Instagram Support or a brand offering a 'collaboration' — that link to a convincing fake login page. Once credentials are entered, the attacker changes the email and phone number associated with the account, locking the real owner out.
With the account under their control, attackers typically run one or more of the following: a money request to followers ('I'm in trouble, please send £50 via PayPal'), a fake giveaway or investment pitch, or a credential-harvesting campaign directing followers to another phishing link. Because Instagram lets you see who a DM comes from before you read it, a message from a known friend bypasses the usual stranger-danger caution.
Instagram's 'Login Activity' and 'Emails from Instagram' features are your primary tools for early detection. An attacker who has just taken over an account will often show up in Login Activity as a session from an unfamiliar location or device.
Common red flags
- A DM from Instagram Support asking you to log in or verify your account via a link
- A direct message from a known friend asking for money urgently with an unusual tone
- A login notification email showing access from an unrecognised device or country
- Being unable to log in even though you haven't changed your password
- A giveaway or investment pitch posted on a friend's account that feels out of character
How to protect yourself
- Enable two-factor authentication on Instagram (Settings → Accounts Centre → Password and Security → Two-factor authentication)
- Use an authenticator app rather than SMS for 2FA where possible — SMS can be SIM-swapped
- Regularly check 'Login Activity' (Settings → Accounts Centre → Password and Security) for unfamiliar sessions
- Never click login links in DMs — always navigate directly to instagram.com or the app
- If you receive a suspicious DM from a friend, contact them through another channel before acting
- Keep your account email and phone number current so Instagram's recovery flows reach you
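The advice above never to trust login links in DMs comes down to where a link really points, which is often not where it appears to point. The JavaScript below is an added example, not part of the original guide and not Instagram's own code; it assumes that only instagram.com and its subdomains count as official, the function names are hypothetical, and the sample DM and its .example hosts are constructed.

```javascript
// Added example (not from the guide): decide where a link in a DM really goes.
// Assumption: only instagram.com and its subdomains count as official,
// because that is the one domain the guide names.
const OFFICIAL_DOMAIN = "instagram.com";

function classifyLink(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { verdict: "invalid", host: null, reasons: ["not a parseable URL"] };
  }
  // Compare the parsed hostname, never the raw string: the text before an
  // "@" and any leading labels are sender-controlled decoration.
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  const reasons = [];
  if (url.protocol !== "https:") reasons.push("scheme is not https");
  if (url.username || url.password) {
    reasons.push("userinfo before @ hides the real host");
  }
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    reasons.push("punycode label (possible look-alike characters)");
  }
  if (host !== OFFICIAL_DOMAIN && !host.endsWith("." + OFFICIAL_DOMAIN)) {
    reasons.push("host is not instagram.com or a subdomain of it");
  }
  return { verdict: reasons.length ? "suspicious" : "official", host, reasons };
}

// Pull every http(s) link out of a message and classify each one.
function reviewMessage(text) {
  const links = text.match(/https?:\/\/[^\s<>"']+/g) || [];
  return links.map((link) => ({ link, ...classifyLink(link) }));
}

// Constructed sample DM; the .example hosts are placeholders, not real sites.
const sampleDm =
  "Instagram Support: verify your account at " +
  "https://instagram.com.verify-help.example/login or " +
  "https://instagram.com@login-help.example/accounts within 24 hours.";

for (const r of reviewMessage(sampleDm)) {
  console.log(r.verdict, r.host, r.reasons.join("; "));
}
```

Both links in the sample start with "instagram.com" as text, yet the parsed host in each case is a different domain, which is why typing the address yourself is safer than reading the link.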
How to report it
- If locked out, use Instagram's official account recovery: instagram.com/hacked or the 'Get more help' flow on the login screen
- Report the hijacked account using Instagram's support form — search 'report a hacked account' in the Help Centre
- If the hijacked account was used to scam others, those individuals should report the specific posts or messages inside the app
- Report to your national fraud authority if money was sent as a result of messages from the hijacked account
Frequently asked questions
Can I recover my Instagram account if an attacker changed the email address?
Yes. Instagram has a dedicated recovery flow for compromised accounts at instagram.com/hacked. You can verify your identity using your original email, phone number, or a selfie video. Act quickly — the sooner you start, the easier recovery is.
What should I do if I get a message from a friend asking for money on Instagram?
Contact your friend through another channel — a phone call or text — before sending anything. Account takeover scams specifically rely on the fact that you recognise the sender. A genuine friend will understand a quick verification call.