Instagram Account Hijacked for Investment Scam
A photographer had her Instagram account stolen via a phishing link and criminals used her 8,000 followers to promote a fake investment scheme.
Attack Chain
1. DM sent impersonating Instagram support
2. Fake login page captures credentials
3. Account password and 2FA changed
4. Followers targeted with investment scam
Background
A freelance photographer from Manchester had spent three years building an Instagram following of around 8,000 people. Her account showed her portfolio and helped her win clients. One evening she received a direct message from what appeared to be an official Instagram account saying her profile was at risk of deletion and she needed to verify her details.
The Attack
The link led to a convincing fake Instagram login page. She entered her username and password. Within minutes, her account password was changed and two-factor authentication was switched to a new phone number the criminals controlled. The criminals then used her account to post "investment opportunity" content to her followers, many of whom trusted messages from her account.
Response
She reported the compromise to Instagram but heard nothing for four days. During that time, three of her followers sent money to the fake investment scheme after receiving messages "from her." She eventually regained access using the appeals process, but the damage to her reputation with clients had already occurred.
Outcome
She recovered her account after a week. Three followers lost between £200 and £800 each. She lost two client enquiries during the period when the account was promoting scams.
Key Takeaways
- Turn on two-factor authentication on all social media accounts: a stolen password alone is then not enough to log in. Be aware that a fake login page can also ask for your one-time code and use it straight away, so never type a code into a page you reached from a message
- Instagram, Facebook, and TikTok will never send you a DM asking you to verify your account by clicking a link. Instagram lists the messages it has genuinely sent you under Settings > Security > Emails from Instagram, so you can check there if you are unsure
- Use a password manager so every account has a unique, strong password — reusing passwords is how one breach becomes five
- If you think your account is at risk, go directly to the platform's settings page rather than clicking any link
- Regularly check which devices are logged into your accounts and remove any you don't recognise
How to Prevent This
Turn on two-factor authentication on every important account
Two-factor authentication (2FA) means that even if a criminal knows your password, they still can't get into your account with the password alone. When 2FA is turned on, logging in requires two things: your password AND a code sent to your phone (or generated by an app on it). Without both, the door stays locked.

Start with the accounts that matter most: your email, online banking, Amazon, Apple ID or Google account, and any social media accounts linked to your business. Each one has a security or account settings menu with a two-factor authentication option.

The best everyday option is an authenticator app like Google Authenticator or Microsoft Authenticator. These are free to download and generate each code from a secret stored on the phone plus the current time, so they work even without a phone signal. SMS codes (text messages) are the second-best option and still far better than no 2FA at all. When you switch 2FA on, the service usually shows a set of backup codes: save them somewhere safe offline, so that losing your phone does not lock you out of your own account.

One limit to understand: a fake login page can ask for your one-time code as well as your password and pass both to the real site within seconds, which is how accounts with 2FA still get taken over. Never enter a code on a page you reached from a message. Where a service offers a security key or passkey, that option is tied to the genuine website and cannot be phished this way.

Setting up 2FA on a typical account takes about three minutes. Do it today for your email account: that one matters most, because email is used to reset passwords on everything else.
How to recover a hacked social media account
If you've lost access to your Facebook, Instagram, or other social media account, recovery is possible but can take time. Starting the process quickly and correctly matters.

Facebook account recovery:
1. Go to facebook.com/login/identify
2. Search for your profile and select "Forgotten password"
3. If your email and phone have been changed by the attacker, select "No longer have access to these"
4. Facebook will ask you to verify your identity using a government-issued photo ID
5. Submit the request; this typically takes 24–48 hours

Instagram account recovery:
1. On the login screen, tap "Get more help"
2. Enter your username, email, or phone
3. Follow the instructions for identity verification
4. If the attacker changed the account's email address: check your original inbox for the notification Instagram sent when the change was made and use its "Revert this change" link, which puts the old address back without going through the appeals queue

While waiting for recovery:
- Post on other platforms warning your followers that your account has been compromised and to ignore any messages or posts from it
- Email key contacts directly if you have their details

Prevention: enabling two-factor authentication before a compromise makes account takeover far harder and speeds up legitimate recovery.