Phishing Scams on Instagram
Attackers send DMs and comment-links on Instagram that lead to fake login pages designed to steal account credentials. Stolen accounts are then monetised through follow-for-pay schemes, crypto promotion, or extortion.
Part of: Phishing
Last reviewed: 1 June 2026
Instagram's direct messaging and comment features make it straightforward for attackers to reach millions of users with personalised-looking messages. Unlike email phishing, Instagram messages arrive in the same inbox as real friends and brands, lending them an air of legitimacy.
The stolen credentials from a successful phishing attack are immediately valuable: accounts with large followings can be ransomed back to owners, used to push scam promotions to loyal audiences, or sold outright on dark-web markets.
How this scam works on Instagram
Common delivery methods include DMs impersonating Instagram's official support team, warning the user that their account has violated guidelines and must be 'verified' via a linked form. The link leads to a pixel-perfect clone of the Instagram login page, where credentials are harvested.
A second method uses contest or giveaway bait: a comment on a popular post tags the user and tells them they have won a prize — clicking a link to 'claim' it lands on a credential-harvesting page. Attackers also compromise existing accounts and use them to send phishing links to all of the victim's followers, exploiting trusted relationships.
Once credentials are captured, two-factor authentication codes are often solicited via a 'verification step,' enabling attackers to bypass SMS 2FA.
Common red flags
- DM from 'Instagram Support' asking you to verify your account via an external link
- Contest or prize notification that requires entering your username and password
- Message from a known contact using uncharacteristic language and containing a URL
- Login page URL contains extra words, hyphens, or is not exactly instagram.com
- Request for your 2FA code after entering credentials on an external site
- Sense of urgency — 'your account will be disabled in 24 hours'
How to protect yourself
- Enable two-factor authentication using an authenticator app, not just SMS
- Only access Instagram through the official app or by typing instagram.com directly
- Check any suspicious message sender's profile — support from Instagram never comes from personal accounts
- Use a unique, strong password for Instagram not shared with any other service
- Hover over or long-press links before clicking to inspect the actual destination URL
- If in doubt, go directly to Instagram Settings > Help > Report a Problem rather than clicking links
How to report it
- Use Instagram's in-app reporting: tap the three dots on the message and select 'Report'
- If your account has been compromised, visit instagram.com/hacked for the official recovery flow
- Report phishing to the Anti-Phishing Working Group at [email protected]
Frequently asked questions
How do I know if a DM claiming my Instagram account is at risk is real?
Instagram doesn't ask for your password or verification code through a DM link — genuine security alerts appear within the app's own notifications. Never enter your login on a page reached through a DM or comment link; go to instagram.com directly instead.
My Instagram account was hijacked through a phishing link — how do I get it back?
Use Instagram's official account recovery flow from the app or instagram.com, and report the compromise through Instagram's dedicated hacked-account form. Recovery can take time, so also warn your contacts that the account may send scam messages in the meantime.
What do scammers actually do with a stolen Instagram account?
Hijacked accounts are commonly used to message your followers with new scams, promote crypto or follow-for-pay schemes, or held for ransom with threats to delete your content unless you pay. This is why quickly reporting and recovering the account limits damage to your network.
How can I tell if a message is really from Instagram?
Instagram's genuine emails come from @mail.instagram.com addresses. The app itself never contacts you via DM from a standard user account. Check Settings > Security > Emails from Instagram to see a log of real messages Instagram has sent your account.