Fake Instagram Account Recovery Takeover Scam
Criminals pose as Instagram support to 'help' users recover a hacked account, but the process hands attackers the victim's login credentials and two-factor authentication codes.
Last reviewed: 7 June 2026
Instagram account takeovers are distressingly common. When someone loses access to their account, the desperation to recover it can override their usual caution. Scammers deliberately exploit this window of vulnerability by positioning themselves as unofficial helpers who can restore access quickly.
The fraudsters find victims in multiple ways: they monitor public Instagram hashtags used by people asking for account help, they reach out after seeing a post about a hacked account, or they proactively message accounts with large followings. Some create Instagram profiles or even websites with names like 'Instagram Account Recovery Services' to attract searches from people in distress.
The cruel irony is that the 'recovery' process actually completes the takeover: the victim hands their credentials to the attacker, who now controls the account and demands payment — or simply uses it to run scams on the victim's followers.
How this scam abuses the Instagram brand
Instagram's genuine account recovery is initiated entirely by the user through the Instagram app or help.instagram.com. If you cannot log in, you tap 'Forgot password', receive a link at your registered email or phone, and re-authenticate. Instagram Support does not send unsolicited direct messages offering help with a takeover, and it does not ask for passwords through any channel.
The scam typically begins with a message claiming to be from 'Official Instagram Support' — sent from a regular account, not a verified support channel. The 'helper' asks for your Instagram username, email address, and the reset link or two-factor code that arrives when you tap 'Forgot password' on the official app. That code is all they need to complete a password reset and change the account's recovery contact details.
Once they have control, they either hold the account for ransom (demanding payment via gift card or cryptocurrency to return access) or change the bio to promote investment or adult content scams, exploiting the existing follower base.
Common red flags
- An Instagram account messages you unsolicited claiming to be Instagram Support — Instagram does not DM users to offer account help
- You are asked to share a password-reset link or six-digit code sent to your phone or email
- The 'support' account has a generic username, no badge, and was created recently
- The helper asks you to temporarily hand over login details 'just to log in and fix the issue'
- After the process, you are asked to pay for the recovery in gift cards or cryptocurrency
- The recovery link they send directs you to a non-instagram.com domain
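The last red flag can be checked mechanically. The Python function below is an added example (not part of the original page and not Instagram tooling) that accepts a link only when its host is instagram.com or a subdomain of it; treating that as the full set of official hosts is an assumption, and all sample links are constructed.

```python
from urllib.parse import urlsplit

# Assumption for this example: only instagram.com and its subdomains
# (such as help.instagram.com) count as official hosts.
OFFICIAL_DOMAIN = "instagram.com"


def is_official_instagram_link(url: str) -> bool:
    """Return True only for https links whose host is instagram.com or a subdomain."""
    # Reject backslashes, whitespace and control characters: browsers and
    # URL libraries can disagree on how to parse them, which hides the real host.
    if any(ch == "\\" or ch <= " " for ch in url):
        return False
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False
    if parts.scheme != "https" or not host:
        return False
    host = host.rstrip(".")  # "instagram.com." names the same host
    # Exact match or a dot-separated suffix; a bare endswith("instagram.com")
    # would wrongly accept hosts like "secure-instagram.com".
    return host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN)


# Constructed sample links (not taken from real messages).
SAMPLES = [
    "https://help.instagram.com/",
    "https://www.instagram.com/",
    "https://instagram.com.account-help.example/reset",  # official name as a subdomain label
    "https://instagram.com@recovery.example/reset",      # official name in the userinfo part
    "https://secure-instagram.com/reset",                # hyphenated lookalike
    "http://instagram.com/reset",                        # not https
]

if __name__ == "__main__":
    for link in SAMPLES:
        ok = is_official_instagram_link(link)
        print(f"{'official host' if ok else 'NOT instagram.com':18} {link}")
```

A link that passes this check is only on the right domain; the rule about never sharing reset links or codes with anyone still applies.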
How to protect yourself
- Use only the official Instagram recovery process: open the app, tap 'Forgot password', and follow the prompts
- Visit help.instagram.com for official guidance on recovering a compromised account
- Enable Instagram's two-factor authentication in Settings > Security before a problem occurs
- Never share password-reset codes or links with anyone, even someone claiming to be Instagram staff
- Set a backup email and phone number in Instagram settings so you have multiple recovery options
- If you regain access, immediately change your password and review third-party app permissions
How to report it
- Report fake support accounts using the three-dot menu on their Instagram profile and selecting 'Report'
- Report impersonation of Instagram at help.instagram.com/contact/304810979758757
- File a report with the FTC at reportfraud.ftc.gov (US) or with Action Fraud at actionfraud.police.uk (UK)
- If money was extorted, also report to the FBI's IC3 at ic3.gov (US)
Frequently asked questions
Does Instagram have official support accounts that DM users?
No. Instagram's official @Instagram account and @InstagramComms exist for announcements, not personal support. Instagram does not send direct messages to offer account recovery help. Any account messaging you to help recover your account is not from Instagram.
Why does the scammer need the code sent to my phone?
That code is a one-time password that lets whoever enters it reset your Instagram password and take over your account. Once you share it, the attacker uses it within seconds to change your password and remove your recovery contact, locking you out.
My Instagram account was held for ransom. Should I pay?
Paying is not recommended — there is no guarantee you will regain access, and it encourages further fraud. Instead, use Instagram's official compromised-account form at help.instagram.com and report the extortion to your local police and consumer protection agency.