Is my Instagram account at risk if someone DMs me a suspicious link?
Yes. Phishing links sent via Instagram DM are the most common way accounts are hijacked and sold or used to scam your followers.
Last reviewed: 1 June 2026
Explanation
Instagram account takeover fraud usually begins with a direct message — often from a compromised account belonging to someone you follow — containing a link. Clicking the link typically leads to a fake Instagram login page that harvests your username and password. Once the attacker has your credentials, they change your password and email to lock you out, then use your account to repeat the scam on your followers, run fake brand promotions, or sell the account. Attacks also arrive through fake copyright infringement warnings, collaboration offers, and DMs asking you to vote for someone in a competition. Enable two-factor authentication and never enter your Instagram credentials on any site that is not instagram.com.
Common red flags
- DM containing a link, even from a known account
- Message about a copyright complaint or policy violation with an external link
- Collaboration or sponsorship offer that requires you to log in on an external site
- Link leads to a login page that looks like Instagram but is a different domain
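The domain check behind the last red flag, as an added example that is not part of the original page: it parses a link and reports whether its host really is instagram.com or a subdomain of it. The helper name classifyLink, the https requirement, and all sample links are assumptions constructed for this illustration.

```javascript
// Added example (not from the original page). All sample links are constructed.
const TRUSTED_DOMAIN = "instagram.com"; // the only domain the page says to trust

// classifyLink is a hypothetical helper name chosen for this example.
function classifyLink(link) {
  let url;
  try {
    url = new URL(link); // WHATWG parser: lowercases the host, punycodes IDN labels
  } catch {
    return { trusted: false, host: null, reason: "not a parseable absolute URL" };
  }
  const host = url.hostname.replace(/\.$/, ""); // drop a trailing root dot
  const fail = (reason) => ({ trusted: false, host, reason });

  // Assumption of this example: a genuine login link is always https.
  if (url.protocol !== "https:") return fail("not https");
  // Exact match or a true subdomain; the leading dot rejects "notinstagram.com".
  if (host === TRUSTED_DOMAIN || host.endsWith("." + TRUSTED_DOMAIN)) {
    return { trusted: true, host, reason: "instagram.com or a subdomain of it" };
  }
  // Everything below explains why a lookalike failed the check above.
  if (url.username || url.password) {
    return fail("text before '@' is userinfo, not the host");
  }
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return fail("internationalised label that may imitate Latin letters");
  }
  if (host.includes("instagram")) return fail("brand name inside a different domain");
  return fail("unrelated domain");
}

// Constructed samples: one genuine link and common lookalike shapes.
const SAMPLES = [
  "https://www.instagram.com/accounts/login/",
  "https://instagram.com@login.example/verify",
  "https://instagram.com.account-help.example/login",
  "https://instagram-copyright.example/appeal",
  "https://www.inst\u0430gram.com/", // Cyrillic "а" in place of Latin "a"
  "http://instagram.com/",
];

function report() {
  return SAMPLES.map((link) => ({ link, ...classifyLink(link) }));
}

for (const r of report()) {
  console.log(r.trusted ? "OK  " : "FLAG", r.host, "-", r.reason);
}
```

The decision is made on the parsed host only; what the page looks like or what text appears elsewhere in the link plays no part.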
What to do now
- Enable two-factor authentication on your Instagram account
- Never click login links in DMs — access Instagram only through the app or instagram.com
- If your account is taken over, use Instagram's account recovery process immediately
- Warn your followers if your account was compromised
Frequently asked questions
Can a link steal my account even if I don't log in on the page?
Some links install malware or exploit browser vulnerabilities, but most Instagram account hijacks involve entering credentials on a phishing page. Not logging in significantly reduces risk.