Fake Instagram Two-Factor Reset Takeover Scam
Attackers who have obtained an Instagram password use social engineering to trick users into sharing their two-factor authentication code, completing a full Instagram account takeover.
Part of: Two-Factor Reset & Social Takeover Scams
Last reviewed: 7 June 2026
Instagram's two-factor authentication requires a time-sensitive six-digit code in addition to a password before granting access from an unrecognised device. For many users, this code is delivered via SMS or an authenticator app and represents the last line of defence between an attacker and their account. Obtaining this code is therefore a critical goal for anyone who has already phished an Instagram password.
Scammers extract the two-factor code through a variety of deceptions. A common approach is sending a direct message from a compromised account that belongs to one of the victim's followers, claiming to have accidentally sent a login code to the wrong number. Because the message comes from a trusted contact's account, victims are far more likely to comply.
Another variant uses a fake 'Instagram Security' message — either by SMS or DM — claiming that Instagram has detected suspicious activity and asking the user to 'confirm' their identity by forwarding the code that was just sent.
How this scam works on the Instagram brand
Instagram's real two-factor process works as follows: when a sign-in is detected from an unrecognised device, Instagram sends a six-digit code to the user's registered phone number or authenticator app. The user enters this code on the Instagram login screen. Instagram never asks users to forward this code to anyone else, and it does not send messages through DM asking for code confirmation.
The social engineering begins immediately after the attacker has attempted to log in with the victim's stolen password. Instagram sends the real code to the victim's phone. Simultaneously, the attacker (using a compromised account or a fake Instagram Support account) sends a message claiming the code arrived by mistake or that the account needs immediate verification.
If the victim forwards the code, the attacker enters it on the real Instagram login screen and gains access. They then change the email address and phone number on the account, locking the original owner out entirely. Some attackers demand a ransom to return the account, while others immediately use it to run investment or crypto scams.
Common red flags
- A contact's account sends a message asking you to forward an Instagram login code
- An account claiming to be Instagram Security asks you to confirm your identity by sharing a code
- You receive an Instagram SMS code without attempting to log in yourself
- The message creating urgency arrives at the same moment as an Instagram two-factor code on your phone
- You are suddenly logged out of Instagram on your device without changing anything
- A familiar account sends an unusual message about codes, security, or account problems
How to protect yourself
- Switch Instagram's two-factor authentication from SMS to an authenticator app — it is harder to socially engineer than an SMS code
- Never forward or share a two-factor code regardless of who asks and why
- If you receive an unexpected code, it means someone is actively attempting to log in — change your Instagram password immediately
- Enable Instagram's 'Login Activity' notifications so you are alerted to any new device sign-ins
- Verify any suspicious message from a contact via a phone call or another messaging platform before acting
How to report it
- Report the account sending the social engineering message using Instagram's in-app 'Report' feature
- If your account was taken over, use help.instagram.com to report a compromised account
- Report to the FTC at reportfraud.ftc.gov (US) or to Action Fraud at actionfraud.police.uk (UK)
- If ransom was demanded, also report to the FBI's IC3 at ic3.gov (US)
Frequently asked questions
Why does switching from SMS to an authenticator app make Instagram more secure?
SMS codes can be intercepted through SIM-swapping attacks and are also vulnerable to social engineering: someone can be tricked into forwarding a text message. Authenticator app codes are generated on your device from a secret that never leaves it, and each code expires after a short window, which makes them much harder to steal through social engineering alone.
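To make the "expires after a short window" point concrete, here is an added example of how a standard authenticator app computes and checks a time-based code (RFC 6238 TOTP, built on RFC 4226 HOTP). This is illustration code written for this page, not Instagram's implementation and not code from any authenticator product. The secret value is the published RFC 6238 test secret, the timestamps are constructed for the example, and the one-step clock tolerance in verify_totp is an assumed policy, not Instagram's.

```python
import hashlib
import hmac
import struct
import time

# Published RFC 6238 test secret (ASCII "12345678901234567890"); in a real
# authenticator the secret is provisioned once and never leaves the device.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30  # the "short window" after which a code is no longer valid


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the current time step (Unix time // step)."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int,
                step: int = STEP_SECONDS, allowed_skew: int = 1) -> bool:
    """Accept a code only for the current step and +/- allowed_skew neighbouring
    steps (assumed tolerance for clock drift). Anything older is rejected, so a
    code that leaks is useful to an attacker only for roughly a minute."""
    current_step = at // step
    for drift in range(-allowed_skew, allowed_skew + 1):
        expected = hotp(secret, current_step + drift, len(code))
        if hmac.compare_digest(expected, code):
            return True
    return False


def code_lifetime_demo() -> dict:
    """Show the same device secret yielding different codes over time and an
    old code failing verification once its window has passed."""
    t0 = 59                      # RFC 6238 test vector time; code is 287082
    code_now = totp(DEMO_SECRET, t0)
    return {
        "code_at_t0": code_now,
        "valid_at_t0": verify_totp(DEMO_SECRET, code_now, t0),
        # 30 s later the step has advanced by one; still inside the skew window
        "valid_30s_later": verify_totp(DEMO_SECRET, code_now, t0 + 30),
        # 5 minutes later the code is stale and must be rejected
        "valid_5min_later": verify_totp(DEMO_SECRET, code_now, t0 + 300),
        # a different device secret never produces a matching code
        "valid_other_secret": verify_totp(b"not-the-victims-secret", code_now, t0),
    }


if __name__ == "__main__":
    print(code_lifetime_demo())
    print("live code right now:", totp(DEMO_SECRET, int(time.time())))
```

The rejection of the stale code is the property the FAQ relies on: an attacker who phishes the password still has to obtain a fresh code inside its window and from the victim's own device, which is why the scam described above pressures the victim to act "immediately".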
Can I get my Instagram account back after a two-factor code theft?
Instagram provides an account recovery process at help.instagram.com for compromised accounts. The process uses video selfie verification or previously used devices to confirm your identity. Recovery can take several days and is not always successful, which is why prevention is critical.
Someone demanded I pay to get my Instagram back. Should I pay?
Payment is not recommended. There is no guarantee the attacker will return access after receiving payment, and paying may encourage further extortion. Report the incident to Instagram's help centre, your local police, and the FTC or Action Fraud.