Fake Instagram Sponsored Ad OAuth Phishing
Fraudulent Instagram-branded ads or embedded links on third-party sites present a fake 'Login with Instagram' OAuth consent screen, capturing credentials and granting attackers persistent access to accounts.
Part of: Social Login & OAuth Phishing
Last reviewed: 7 June 2026
Instagram's Login with Instagram feature allows third-party websites to authenticate visitors using their Instagram credentials. This legitimate OAuth mechanism is familiar to Instagram users who have connected the platform to scheduling tools, analytics dashboards, and e-commerce integrations. Attackers replicate the visual experience of this flow to steal credentials from unsuspecting users.
The attack often begins with a sponsored Instagram advertisement promoting a free tool, template, or competition that requires Instagram login to access. Because the ad appears within Instagram's own feed, users naturally associate it with legitimacy. Clicking through to the external offer and encountering an Instagram login prompt feels expected.
The compromise may yield not just Instagram credentials but also a persistent OAuth token that allows ongoing access to the account even after the victim changes their password — unless they also revoke the application's access.
How this scam works on the Instagram brand
Legitimate Instagram OAuth flows open a consent screen at api.instagram.com or www.instagram.com where the URL bar shows the real domain. The consent screen lists the specific application requesting access and the permissions it requires. Instagram will not grant OAuth access to an application without the user completing this flow on instagram.com.
Fake OAuth flows are hosted at external domains that mimic the Instagram login interface. Some use URL tricks — such as instagram.com.login-external[.]com — to create apparent legitimacy. After the victim enters their credentials, the fake site may display a 'connected successfully' message while the attacker uses the captured login details.
Sophisticated versions use a real Instagram OAuth redirect but intercept the token using a man-in-the-middle technique, making the OAuth flow pass through a server the attacker controls before completing at Instagram.
Common red flags
- The URL in the Instagram login pop-up or redirect is not instagram.com or api.instagram.com (judge the part of the hostname that comes last: instagram.com.login-external[.]com is login-external.com, not instagram.com)
- You are asked to log in to Instagram to access a free tool, competition, or giveaway from an ad
- The consent screen requests unusually broad permissions, such as the ability to post content or access DMs
- After connecting, your Instagram account begins posting or messaging without your action
- The application requesting OAuth access has an unfamiliar name in the consent screen
- The offer seems disproportionately generous relative to what logging in with Instagram costs
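The following is an added example, not code from the original page or from Instagram. It turns the host rule above (a real consent screen lives on instagram.com, www.instagram.com or api.instagram.com) and the red flags in this list into a small defender-side check: it parses the URL shown in the address bar during an OAuth prompt and requires an exact hostname match, so a lookalike such as instagram.com.login-external.com is rejected even though it begins with "instagram.com". The permission labels and the sample prompts are constructed for the example and are not Instagram's real permission names.

```javascript
// Added example (not from the original page): classify an OAuth consent prompt
// using the red flags the page lists. Runs under Node.js with no dependencies.

// Hosts the page names as the only places a real Instagram consent screen is shown.
const LEGITIMATE_HOSTS = new Set(["instagram.com", "www.instagram.com", "api.instagram.com"]);

// Constructed permission labels (an assumption for this example, not Instagram's
// real scope names). These correspond to the "unusually broad" permissions the
// page flags: reading or sending DMs, or full control of the account.
const BROAD_PERMISSIONS = new Set(["read_direct_messages", "send_direct_messages", "manage_account"]);

// True only when the URL parses, uses HTTPS, and its hostname is exactly one of
// the legitimate hosts. Prefix tricks (instagram.com.evil.example) and userinfo
// tricks (https://api.instagram.com@evil.example/) both fail this check, because
// the URL parser reports the real hostname, not the text that appears first.
function hostIsLegitimate(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return false; // unparseable input is never trusted
  }
  return url.protocol === "https:" && LEGITIMATE_HOSTS.has(url.hostname.toLowerCase());
}

function hostOf(urlString) {
  try {
    return new URL(urlString).hostname;
  } catch {
    return "<invalid url>";
  }
}

// prompt = { url, permissions: [...], reachedViaAd: bool }
// Returns { suspicious, flags } where flags explains which red flags matched.
function assessConsentPrompt(prompt) {
  const flags = [];
  if (!hostIsLegitimate(prompt.url)) {
    flags.push(`login prompt is not hosted on instagram.com (hostname: ${hostOf(prompt.url)})`);
  }
  const broad = prompt.permissions.filter((p) => BROAD_PERMISSIONS.has(p));
  if (broad.length > 0) {
    flags.push(`unusually broad permissions requested: ${broad.join(", ")}`);
  }
  if (prompt.reachedViaAd) {
    flags.push("login requested to unlock an offer reached from a sponsored ad");
  }
  return { suspicious: flags.length > 0, flags };
}

// Constructed sample prompts for the three cases the page describes.
const SAMPLE_PROMPTS = [
  {
    name: "legitimate",
    url: "https://api.instagram.com/oauth/authorize?client_id=EXAMPLE_CLIENT",
    permissions: ["read_profile", "publish_posts"],
    reachedViaAd: false,
  },
  {
    name: "lookalike-domain",
    url: "https://instagram.com.login-external.com/oauth",
    permissions: ["read_profile"],
    reachedViaAd: true,
  },
  {
    name: "broad-scope",
    url: "https://www.instagram.com/oauth/authorize",
    permissions: ["read_profile", "read_direct_messages"],
    reachedViaAd: false,
  },
];

function runSamples() {
  return SAMPLE_PROMPTS.map((p) => ({ name: p.name, ...assessConsentPrompt(p) }));
}

for (const result of runSamples()) {
  console.log(result.name, result.suspicious ? "SUSPICIOUS" : "ok", result.flags);
}
```

The exact-match rule is deliberate: a suffix test such as `hostname.endsWith("instagram.com")` would still accept a hostname like `notinstagram.com`, and a prefix test is exactly what the lookalike in the page exploits. The third sample shows that a prompt on the real domain can still be worth a second look when the permissions exceed what the tool plausibly needs.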
How to protect yourself
- Check the URL bar during any Instagram login prompt — it must be instagram.com or api.instagram.com
- Review and revoke all third-party app access in Instagram Settings > Security > Apps and Websites
- Be cautious about granting Instagram OAuth to free tools from sponsored ads — research the application before connecting
- Enable two-factor authentication on Instagram so a stolen credential alone cannot complete a sign-in
- Periodically check what applications have access to your Instagram account and remove any you no longer use
How to report it
- Revoke suspicious app access immediately in Instagram Settings > Security > Apps and Websites
- Report the fake site to Google Safe Browsing at safebrowsing.google.com/safebrowsing/report_phish
- Report the fraudulent ad within Instagram using the three-dot menu on the ad post
- Report to the FTC at reportfraud.ftc.gov (US) or Action Fraud actionfraud.police.uk (UK)
Frequently asked questions
What permissions should a legitimate Instagram OAuth app request?
Legitimate scheduling and analytics tools typically request read access to profile information, post insights, and the ability to post content on behalf of the account — all of which appear clearly on the consent screen. Any application requesting access to private messages, follower list, or passwords beyond what its stated purpose requires should be treated with suspicion.
If I revoke a compromised app's access, does that stop the attacker?
Revoking OAuth access in Instagram Settings > Apps and Websites invalidates the access token associated with that application. If the attacker only had an access token, this stops their access. If they also captured your password, change your password and enable two-factor authentication immediately in addition to revoking access.
How do I report a fake ad on Instagram that led me to a phishing OAuth page?
Tap the three-dot menu on the ad post in your Instagram feed and select 'Report Ad'. Choose 'It's a scam or fraud'. Also report the phishing site to Google Safe Browsing. If you entered credentials, change your Instagram password and revoke the app's access right away.