Phishing Scams on Instagram
Attackers send DMs and comment links on Instagram that lead to fake login pages designed to steal account credentials. Stolen accounts are then monetised through follow-for-pay schemes, crypto promotion, or extortion.
Part of: Phishing
Last reviewed: 1 June 2026
Instagram's direct messaging and comment features make it straightforward for attackers to reach millions of users with personalised-looking messages. Unlike email phishing, Instagram messages arrive in the same inbox as real friends and brands, lending them an air of legitimacy.
The stolen credentials from a successful phishing attack are immediately valuable: accounts with large followings can be ransomed back to owners, used to push scam promotions to loyal audiences, or sold outright on dark-web markets.
How this scam works on Instagram
Common delivery methods include DMs impersonating Instagram's official support team, warning the user that their account has violated guidelines and must be 'verified' via a linked form. The link leads to a pixel-perfect clone of the Instagram login page, where credentials are harvested.
A second method uses contest or giveaway bait: a comment on a popular post tags the user and tells them they have won a prize — clicking a link to 'claim' it lands on a credential-harvesting page. Attackers also compromise existing accounts and use them to send phishing links to all of the victim's followers, exploiting trusted relationships.
Once credentials are captured, two-factor authentication codes are often solicited via a 'verification step,' enabling attackers to bypass SMS 2FA.
Common red flags
- DM from 'Instagram Support' asking you to verify your account via an external link
- Contest or prize notification that requires entering your username and password
- Message from a known contact using uncharacteristic language and containing a URL
- Login page URL contains extra words or hyphens, or its domain is not exactly instagram.com
- Request for your 2FA code after entering credentials on an external site
- Sense of urgency — 'your account will be disabled in 24 hours'
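The URL red flag above is the one a user can check mechanically. The following is an added example, not code from the original page, showing how a link checker would apply that rule: it parses a link, finds the host that the browser will actually contact, and reports the warning signs listed above. The sample links are constructed, and the "last two labels" domain rule is a simplification noted in the code.

```python
from urllib.parse import urlsplit

# Registrable domains treated as genuine. Assumption for this example: the
# page's rule is "exactly instagram.com", so only that apex and its subdomains.
GENUINE_DOMAINS = ("instagram.com",)


def registrable_domain(host: str) -> str:
    """'login.instagram.com' -> 'instagram.com'. Simplification: takes the last
    two labels and ignores multi-label public suffixes such as co.uk."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def link_red_flags(url: str) -> list[str]:
    """Return the host-level red flags for a login link; an empty list means
    the link points at instagram.com itself over https."""
    flags: list[str] = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme not in ("http", "https") or not host:
        return ["not an http(s) link with a hostname"]
    if parts.username is not None:
        # 'https://instagram.com@evil.example' really goes to evil.example
        flags.append("user@host trick: the real host is after the '@'")
    if parts.scheme != "https":
        flags.append("not https")
    if not host.isascii() or "xn--" in host:
        flags.append("look-alike characters in hostname (non-ASCII/punycode)")
    domain = registrable_domain(host)
    if domain not in GENUINE_DOMAINS:
        if "instagram" in host:
            flags.append(f"'instagram' in the host, but the real domain is {domain}")
        else:
            flags.append(f"domain is {domain}, not instagram.com")
        if "-" in host:
            flags.append("extra words/hyphens in hostname")
    return flags


def is_genuine_instagram_link(url: str) -> bool:
    return not link_red_flags(url)


if __name__ == "__main__":
    # Constructed sample links, not real campaign indicators.
    for link in ("https://www.instagram.com/accounts/login/",
                 "https://instagram.com.verify-account.example/login",
                 "https://instagram.com@login.example/verify",
                 "http://instagram.com/login"):
        print(link, "->", link_red_flags(link) or "no host-level red flags")
```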
How to protect yourself
- Enable two-factor authentication using an authenticator app, not just SMS
- Only access Instagram through the official app or by typing instagram.com directly
- Check any suspicious message sender's profile — support from Instagram never comes from personal accounts
- Use a unique, strong password for Instagram not shared with any other service
- Hover over or long-press links before clicking to inspect the actual destination URL
- If in doubt, go directly to Instagram Settings > Help > Report a Problem rather than clicking links
How to report it
- Use Instagram's in-app reporting: tap the three dots on the message and select 'Report'
- If your account has been compromised, visit instagram.com/hacked for the official recovery flow
- Report phishing to the Anti-Phishing Working Group at [email protected]
Frequently asked questions
How can I tell if a message is really from Instagram?
Instagram's genuine emails come from @mail.instagram.com addresses. The app itself never contacts you via DM from a standard user account. Check Settings > Security > Emails from Instagram to see a log of real messages Instagram has sent your account.