Fake Instagram Giveaway DM Account Takeover Scam
Fraudsters send Instagram DMs claiming the recipient has won a brand giveaway, then use a phishing link to steal login credentials and take over the account, which is then used to defraud the victim's followers.
Part of: Giveaway DM Takeover Scams
Last reviewed: 8 June 2026
Instagram giveaways are a common and legitimate marketing tool used by brands and influencers. Scammers mimic the format of these real giveaways — complete with a prize graphic, congratulatory language, and a professional-looking account — to create a believable notification that you have won.
The message typically arrives from an account that closely impersonates a real brand or a popular creator the recipient already follows. It congratulates you on winning and says you must click a link and sign in to Instagram to verify your identity and claim your prize.
The link leads to a near-perfect Instagram login clone. After you enter your credentials, the attacker immediately changes your password, recovery email, and phone number, locking you out. Your account is then used to run the same giveaway scam on your followers or sold on underground marketplaces.
How this scam works on Instagram
Legitimate Instagram giveaways ask you to follow, comment, or tag friends on a post. They do not send DMs asking for your login credentials or direct you to external sign-in pages to claim a prize. Winnings are confirmed through a comment on the original giveaway post or a DM that never requires you to log in again.
The scam DM references a real prize — often an iPhone, a cash amount, or gift cards — and explains that you were 'randomly selected' from among people who interacted with a recent post. A countdown timer is included to create urgency. The linked page prefills your username so the login page appears pre-authenticated, increasing credibility.
Once the account is taken over, the attacker posts a Story and a DM blast to all your followers announcing a new giveaway, perpetuating the chain. They may also attempt to monetise the account via paid promotions or extort the original owner for a ransom to return access.
Common red flags
- An unexpected DM tells you that you have won a prize from a brand or influencer account you do not recall entering.
- The congratulatory message asks you to click an external link and confirm your identity by signing into Instagram.
- The sending account has a username very similar to a well-known brand but with slight differences — extra underscores, misspellings.
- A countdown timer in the DM warns the prize expires in 24 hours.
- The linked sign-in page URL is not instagram.com — even if it looks pixel-perfect.
- The account has very few posts, a generic profile photo, and a recent creation date.
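Two of the red flags above can be checked mechanically: the look-alike sender username and the sign-in link that is not on instagram.com. The following Python is an added example, not part of the original page; the function names, handles and URLs are constructed, and the 0.85 similarity threshold and the https requirement are assumptions.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "instagram.com"  # the only sign-in domain the page names


def is_instagram_url(url: str) -> bool:
    """True only for an https URL whose host is instagram.com or a subdomain."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:  # malformed URL: treat as untrusted
        return False
    if parts.scheme != "https":  # assumption: plain http is never acceptable
        return False
    # Exact or dot-anchored match, so "instagram.com.claim-prize.example" and
    # userinfo tricks ("https://instagram.com@claim-prize.example") both fail.
    return host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN)


def _skeleton(handle: str) -> str:
    """Strip the padding characters used to imitate a handle (underscores, dots)."""
    return handle.lower().replace("_", "").replace(".", "")


def is_lookalike(sender: str, official: str, threshold: float = 0.85) -> bool:
    """True if sender is not the official handle but is confusingly close to it."""
    if sender.lower() == official.lower():
        return False  # the genuine account is not a look-alike of itself
    a, b = _skeleton(sender), _skeleton(official)
    # Same skeleton catches extra underscores; the ratio catches misspellings.
    return a == b or SequenceMatcher(None, a, b).ratio() >= threshold


def dm_red_flags(sender: str, official: str, link: str) -> list[str]:
    """Return the red flags a giveaway DM trips (empty list if none)."""
    flags = []
    if is_lookalike(sender, official):
        flags.append("lookalike-sender")
    if not is_instagram_url(link):
        flags.append("off-domain-signin-link")
    return flags


if __name__ == "__main__":
    # Constructed sample: padded handle plus a host that only starts with instagram.com
    print(dm_red_flags("acme__store", "acme_store",
                       "https://instagram.com.claim-prize.example/login"))
```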
How to protect yourself
- Enable two-factor authentication on your Instagram account at Settings > Accounts Centre > Password and security.
- Never enter your Instagram credentials on any page reached via a DM link — always log in directly at instagram.com.
- Review active sessions at Settings > Accounts Centre > Password and security > Where you are logged in and remove unrecognised devices.
- Set up a recovery code in Instagram's two-factor settings and store it offline so you can regain access after a takeover.
- If you already entered your credentials, change your Instagram password immediately and check that your email and phone number have not been changed.
- Legitimate giveaway wins are confirmed publicly on a post, not via a private DM with a sign-in link.
How to report it
- Report the scam DM and account directly in Instagram by tapping the three-dot menu and selecting 'Report'.
- Report the phishing URL to Meta at [email protected].
- If your account was taken over, file a report with Instagram at instagram.com/hacked.
- Report to the FTC at ReportFraud.ftc.gov (US) or Action Fraud at actionfraud.police.uk (UK).
Frequently asked questions
How do I know if a giveaway DM is from the real brand account?
Check the account for a verified blue tick and confirm the username exactly matches the brand's official account. Real giveaway wins are almost always announced publicly on the original post, not through a private DM requiring sign-in.
My account was taken over after clicking the link. Can I recover it?
Yes. Go to instagram.com/hacked and follow the recovery steps. If your email was also changed, choose 'My email was changed' and Instagram will send a reversal email to your original address. Act quickly.
Why do scammers want to own my Instagram account?
Compromised accounts are valuable because they have real followers, post history, and credibility. Attackers use them to run further scams on your network, sell the accounts, or hold them for ransom.