Giveaway DM Takeover Scams on Instagram
Fake giveaway DMs on Instagram trick users into submitting login credentials to claim a prize, leading directly to account takeover that the attacker then uses to perpetuate the scam further.
Part of: Giveaway DM Takeover Scams
Last reviewed: 1 June 2026
Instagram giveaway scams are one of the most common account takeover vectors on the platform. A DM arriving from what appears to be a well-known creator or brand announces that the recipient has won a prize and needs to verify their account to claim it. The verification step is a credential harvest — entering details on the fake page hands the account directly to the attacker.
Because the scam often launches from already-compromised creator accounts with large audiences, the initial DMs carry the credibility of a recognisable profile, making them unusually convincing.
How this scam works on Instagram
A hijacked creator account sends a DM to thousands of followers announcing that a random winner has been selected for a prize — a product, a cash amount, or an exclusive experience. The recipient is instructed to click a link and verify their account to receive the prize. The link leads to a realistic fake Instagram login page.
After entering credentials, the victim is shown a loading screen or a 'thank you' page while the attacker immediately changes the account password and linked email. The newly compromised account is then used to send the same DM to its followers, propagating the scam exponentially.
In a variant targeting creators specifically, the DM claims the recipient's account has been selected for a verified creator programme giveaway that requires their account credentials to process — a particularly effective lure for accounts seeking the verification badge.
Common red flags
- Unexpected DM announcing you have won a giveaway you do not recall entering
- Link in the winning notification directing to a login page outside instagram.com
- Request to enter your Instagram credentials to verify your identity and claim a prize
- Message arriving from a previously legitimate creator account that has changed its bio or profile unexpectedly
- Prize claim page that requests your two-factor authentication code
- Urgency — prize expires within a few hours and requires immediate action
How to protect yourself
- Never click links in DMs claiming you have won a giveaway and never enter Instagram credentials on linked sites
- Enable two-factor authentication using an authenticator app to add a layer of protection beyond passwords
- Verify any giveaway by checking the creator's official profile directly — genuine wins are announced publicly, not only via DM
- Report the DM and the sending account to Instagram using the in-app report function
- If your credentials were entered on a phishing page, change your password immediately and review all active sessions
- Use Instagram's 'Log out of all sessions' option in Security settings if you suspect compromise
How to report it
- Report the sending account to Instagram using the in-app 'Report' option and select 'Spam or scam'
- Report the phishing URL to your browser's safe-browsing provider and to Google Safe Browsing
- Notify the legitimate creator whose account was hijacked so they can begin recovery and warn their audience
Frequently asked questions
Do real Instagram giveaways ask for your login credentials?
No. Legitimate giveaways on Instagram may ask you to follow an account, tag friends, or complete an action in the comments — but they never ask for your login credentials. Any giveaway that requires your username and password is a phishing attack.