The Instagram Scam that is Spreading Like a Virus in May 2022
There is a very horrible scam going around on Instagram, and it’s spreading like a virus, affecting thousands upon thousands of people. Since Instagram has not taken any action, I’m writing here to explain how it works and bring attention to it so people know how to avoid it, or in the worst case, get their account back if they fall victim to it.
Part 1: Avoid Getting Hacked
The first thing you need to know is that if you receive a message such as the one below, DO NOT RESPOND. This means one of your friends has been hacked by the scammer, and they are trying to hack you too.
DO NOT SEND A SCREENSHOT OF ANY LINKS. IF YOU SEE THIS MESSAGE, IT MEANS THE ACCOUNT SENDING IT TO YOU HAS BEEN HACKED.
Part 2: How the Scam Works
Here’s what happened to me.
First, I got a message from a “friend” saying he needed to log into Instagram on a new phone and he needed one of his friends to confirm his identity. He said to send him a screenshot of a link that came as a text message.
So I checked to see if this was a real thing and I found an article that made me think it was a real feature that Instagram started recently, to let people confirm their friends’ accounts. So I trusted it. Fatal mistake. In this case, I should have immediately messaged or called my friend on another platform to make sure it was him.
I later messaged that friend on Facebook and it turns out his profile had been hacked not long ago.
So it turns out that the link in the screenshot was actually a link to reset my own password. So the hacker promptly changed my password, then logged in and changed my account’s email address, and on top of all of that, added two-factor authentication, preventing me from even beginning to attempt to recover my account or undo the changes. So in this case two-factor authentication — something meant to make accounts more secure — was used against me.
When something like this happens, we tend to feel incredibly bad about ourselves, and might not want to tell the story to others, for fear that they will think we are really gullible/easily fooled. But there’s absolutely no shame in trusting and wanting to help our friends. The fact that this scam is spreading like wildfire is for that reason exactly; it leverages trust. You don’t have to be particularly tech-illiterate to fall for this scam; you just have to have trust in your friends.
Which brings me to a major point:
Another person should not have the ability to simply send a password reset link to anyone else’s account. This is a very, very serious security liability on the part of Instagram.
So let’s move past the shame and get to what matters, getting your account back.
Part 3: Getting Your Account Back
Since the hacker has changed all your personal information and added two-factor authentication, there is no easy way to reverse the changes and get your account back. But thankfully, Instagram does offer one, albeit highly inefficient, option. This is the video selfie method. I will describe it here briefly, but if you don’t like reading, a YouTuber made a great video walking you through the steps.
What this method entails is sending a “video selfie” to Instagram so they can match the profile to your face. Ideally, you will have pictures of you in your account, but if not, it’s still worth trying (not as if Meta doesn’t have pictures of us from other sources, like Facebook, etc).
To do it, you’ll open Instagram on your mobile phone (I’m using Android, so iPhone may be slightly different), and then follow these steps:
- Go to the login screen where you would typically log in.
- Tap “Get help logging in” below the password input form
- On the next page, tap “Can’t reset your password?”
- Select your phone number which should still be saved in the list, and tap “Next” (if not, you can select your email address)
- Input the security code that comes via text message
- The next step will be the Two-Factor Authentication step that the hacker enabled; you cannot complete this step, so tap “Try Another Way” at the bottom of the screen.
- Tap “Get Support” from the menu, and then choose “My account was hacked” from the list
- On the next page, choose “Yes, I have a photo of myself in my account.”
- It will ask you for an email address. Type it in and then press submit.
- Wait a minute or two and then enter the code you get in your email inbox, and tap “Confirm”
- Now, the video selfie page should appear. Follow the instructions on the screen, moving your head slowly in the direction indicated. Once finished, hit “Submit”.
Now, we wait. Although it says you may hear back within 1–2 business days, I’ve gotten my responses the same night. My responses all came between midnight and 2AM, EDT. This means, no matter when you submit your video selfie, please be near your computer during that time frame so that you can recover your account as soon as possible. TIME MATTERS.
Why do I say time matters? Ok, so in total I have submitted 19 video selfies. And I’m excited to announce that… the 5th one was Confirmed. But then why did I submit 14 more, you might ask? The reason is that the response from Instagram had come at 12:46AM that night, while I was sleeping. When I woke up, I saw not only that my information was confirmed, but that, at 5:30AM that morning, the hacker had reset my password once again, and therefore, the link that they sent me to recover my account was voided (it’s now come to light that it’s most likely a team of five people doing this hacking operation, and I have reason to believe that they are based in India). I guess Instagram must have sent a notification to the hacker’s email address that MY information had been confirmed, warning him to act quickly before he gets locked out of the account that he stole (quite an unnecessary measure, in my honest opinion).
But thanks to my experience, you can learn what not to do so you can avoid the same thing happening.
Another tip: Once you get the first response to your video selfie, which will most likely be “Not Confirmed”, use that as a cue to send more, right away. I’ve found that after I get the first response on a given night, if I send more video selfies immediately thereafter, they get to them within a matter of MINUTES.
Unfortunately for me, none of my others were successful. It’s come to the point where Instagram has completely blocked me from even submitting video selfies.
Part 4: What, exactly, is the hacker doing with my account?
With full control of your account, the hacker will now promote a Bitcoin investment scam, posting 3 stories a day for two days. The hacker is very clever and will localize it to the primary language of the account that it has hacked.
The scam links to an account with the name @rachel_hfx_. What looks like a young professional businesswoman is the moneymaker for this scam. If you express interest in her services, she will guarantee you a near 100% return on an investment of 2000, 5000, or 10,000 dollars within 24 hours. Obviously, none of this is true, and she will take the money and run. And don’t worry, I and many of my friends have reported this account as Scam/Fraud tens of times. Instagram has taken no action (update: it seems that this account has finally been taken down. But now they are just using another one). After posting the stories for two days, the scammer will proceed to send the same message that they used to hack you, to ALL of the people in your “Following” list. They’ll start with the people who are in your inbox, and then proceed to message everyone on the entire list over the course of the next several days. You might think they’d get tired, but they don’t. Today is day 5 since I’ve been hacked and I am still getting messages from friends saying my hacked account messaged them. I don’t know how many people are working on this scam at once, but I’m guessing it’s more than one. The bright side — if you want to call it that — is that the hacker will not post anything to your feed, nor will they remove any of your posts, highlights, your bio, or any other content you may have. This, while a slight relief, of course, helps them maintain the appearance that it’s actually you, thus making it easier for people to trust them.
Part 5: Damage Control
Luckily I have a backup account that I made a while back when my account was banned by Instagram due to a faulty analytics app. While I got my original account back, I decided to convert that “backup” account into a thematic account to post my photography from East Asia. So I used that account to warn my followers of the fact that I’d been hacked, and try to prevent them from 1) falling for the investment scam (sure, chances are low, but it must have worked, otherwise why would the hacker be putting so much effort into this scam), and 2) getting THEIR accounts hacked.
I took a screenshot of the message that the hacker was sending from my account and wrote on top of the image that such messages should be ignored, and to please block and report my hacked account.
But this is not a foolproof method, because if those people are not following your second account, the message will go into their “Requests” inbox, and they may not see it, in this way making them susceptible to the hacker’s request. That’s why I also posted on my WhatsApp and Facebook stories. To go a step further, I probably should have sent messages to each one of my IG followers on other platforms, but I neglected to do that, thinking my prior actions were enough. This caused two friends’ accounts to get hacked after, for whatever reason, they did not see my warning (one has since gotten their account back).
Part 6: What Instagram must do to resolve this issue.
It’s really a very easy fix. The first and most important thing is that Instagram must not send ANY direct password reset links. The password reset page should ALWAYS be accessible only by inputting a verification code sent to your email or SMS. This way, if someone tries to reset your password, the verification code will come to YOU, and they will have no way to reset it, because they have no way of getting the code. This is standard for most applications these days, and it’s truly mind-boggling to me how Instagram has screwed this up. The very fact that I would never expect an app to send a direct password reset link, let alone one that can be requested by anyone, was part of the reason I thought there was no risk in sending the screenshot.
Instagram should resolve this issue ASAP. One can take accountability for their mistakes while simultaneously hoping that changes are made to make it more difficult for others to make the same mistake. Yet, Instagram has done nothing and will do nothing. My account, despite having a dozen friends report it, still remains active. They did take down one of the bitcoin scammers’ accounts, but it was promptly replaced with another one.
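To make the design described above concrete, here is an added example of a code-based password reset flow. It is not Instagram’s code and is not based on how Instagram actually implements resets; every name, limit and message in it is an assumption. It goes a little beyond the paragraph: besides replacing the link with a code the owner types in, the code is single-use, expires after a few minutes, is voided after a handful of wrong guesses, and is stored only as a keyed hash. The delivered message itself also tells the owner to ignore it if they did not ask for it and never to share it, including as a screenshot, which is the exact behaviour the scam on this page relies on.

```python
"""Added example (not Instagram's code): a password reset that sends a
short-lived, single-use verification code instead of a usable link.
Names, limits and message text are assumptions for illustration."""
import hashlib
import hmac
import re
import secrets
import time

CODE_TTL_SECONDS = 10 * 60   # assumption: a code is valid for ten minutes
MAX_ATTEMPTS = 5             # assumption: five wrong guesses void the code

# Per-process key for hashing codes. Assumption: in production this would
# come from a secrets manager, not be generated at import time.
SERVER_KEY = secrets.token_bytes(32)

# Text the account owner receives. It names the action, says to ignore it if
# they did not request it, and warns against forwarding the code or a
# screenshot of it to anyone, friends included.
MESSAGE_TEMPLATE = (
    "Someone asked to reset the password for your account. "
    "If that was you, enter code {code} in the app within {minutes} minutes. "
    "If it was not you, ignore this message. "
    "Never share this code or a screenshot of it with anyone, including friends."
)


class ResetCodeStore:
    """Pending reset codes keyed by account id. Only a keyed hash of each
    code is kept, so a leaked table does not yield usable codes."""

    def __init__(self, clock=time.time):
        self._clock = clock   # injectable so expiry can be tested offline
        self._pending = {}

    @staticmethod
    def _digest(account_id, code):
        msg = f"{account_id}:{code}".encode()
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

    def request_reset(self, account_id, deliver):
        """Create a fresh six-digit code and hand the message to
        `deliver(account_id, text)`, the SMS/e-mail sender (a stand-in here).
        A new request replaces any earlier pending code for the account."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[account_id] = {
            "digest": self._digest(account_id, code),
            "expires_at": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        deliver(account_id, MESSAGE_TEMPLATE.format(
            code=code, minutes=CODE_TTL_SECONDS // 60))

    def redeem(self, account_id, code):
        """Return True exactly once for the right code inside the TTL and the
        attempt budget; anything else returns False. Expired, exhausted and
        already-used codes are dropped so they cannot be replayed."""
        entry = self._pending.get(account_id)
        if entry is None:
            return False
        if self._clock() > entry["expires_at"]:
            del self._pending[account_id]
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[account_id]
            return False
        if hmac.compare_digest(entry["digest"], self._digest(account_id, code)):
            del self._pending[account_id]   # single use
            return True
        return False


def extract_code(message):
    """Pull the six-digit code out of a delivered message; stands in for the
    account owner reading it on their own phone."""
    match = re.search(r"\b(\d{6})\b", message)
    return match.group(1) if match else None


if __name__ == "__main__":
    inbox = []   # constructed stand-in for the owner's SMS inbox
    store = ResetCodeStore()
    store.request_reset("alice", lambda acct, text: inbox.append(text))
    print(inbox[-1])
    code = extract_code(inbox[-1])
    print("right code accepted:", store.redeem("alice", code))
    print("replay accepted:    ", store.redeem("alice", code))
```

The point of the design is that nothing delivered to the owner is usable on its own: the code only works once, only for a few minutes, only for the account it was issued to, and only while the attempt counter has not been exhausted. The message text carries the other half of the defence, because the weak link in the scam on this page is not the reset mechanism alone but a friend being talked into forwarding what they received.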
Part 7: Where do we go from here.
To be honest, I’ve really lost a lot of respect for Instagram throughout this ordeal. Again, I take accountability, but the fact that Instagram shows absolutely zero concern for their users in situations like this puts a bitter taste in my mouth. And the only reason they can afford to do this is because they know one, ten, or even a thousand users lost isn’t going to affect their bottom line. They also know that no matter how much I or anyone else complains about the poorly implemented security features and nonexistent support, people for the most part will just keep on using the platform as usual, because all their friends are there. People don’t leave platforms and friends out of principle, which is why platforms like Facebook, Instagram, and Twitter still exist. No matter how toxic they have become, at the end of the day, people will keep using them because that’s where everyone else is. It’s become a monster-snowball rolling down the hill, demolishing everything in its path, but unstoppable because the more it rolls, the bigger it gets.
The same applies to me. As much as I resent the platform and all it stands for, it’s where my friends are, and I feel I have a community there. I don’t want to leave these people behind or cut them out of my life and I have no reason to. So we’ll see… I may just take a long break.