Black Friday is behind us, that football thing they have every four years is done and dusted (congratulations – spoiler alert! – to Argentina), it’s the summer/winter solstice (delete as inapplicable)…

…and no one wants to get locked out of their social media accounts, especially when it’s the time for sending and receiving seasonal greetings.

So, even though we’ve written about this sort of phishing scam before, we thought we’d present a timely reminder of the kind of trickery you can expect when crooks try to prise loose your social media passwords.

We clicked through for you

Because a picture is supposed to be worth 1024 words, we’ll be showing you a sequence of screenshots from a recent social media scam that we ourselves received.

Simply put, we clicked through so you don’t have to.

This one started with an email that pretends to be looking out for your online safety and security, though it’s really trying to undermine your cybersecurity completely:

Even though you may have received similar-looking emails from one or more of your online account providers in the past, and even though this one doesn’t have any glaring spelling or grammatical errors…

…if fact, even if this really were a genuine email from Instagram (it isn’t!), you can protect yourself best simply by not clicking on any links in the email itself.

If you have your own bookmark for Instagram’s help pages, researched and saved when you weren’t under any cybersecurity pressure, you can simply navigate to Instagram directly, all by yourself.

That way, you neatly avoid any risk of being misdirected by the blue text (the clickable link) in the email, no matter whether it’s real or fake, working or broken, safe or dangerous.

The trouble with clicking through

If you do click through, perhaps because you’re in a hurry, or you’re worried about what might have happened to your account…

…well, that’s when the trouble starts, with a fake page that looks realistic enough.

The crooks are pretending that someone, presumably someone enjoying a vacation of their own in Paris, tried to login to your account:

You ought to be suspicious of the server name that shows up in the address bar in this scam (we’ve redacted it here, though it wasn’t anything like instagram.com), but we can understand why so many users get caught out by fake domains.

That’s because lots of legitimate online services make it as good as impossible to know what to expect in your address bar these days, as Sophos expert (and popular Naked Security podcast guest) Chester Wisniewski explained back in Cybersecurity Awareness Month:

In this scam, whether you click [This wasn't me] or [This was me], the crooks take you down the same path, asking first for your username:

The wording has started to get a bit clumsy on the next screen, where the crooks are going for your password, but it’s still believable enough:

A fake mistake

The scammers then pretend you made a mistake, asking you not only to type in your password a second time, but also to add a tiny bit more personal information about your location:

Not every phishing scam of this sort uses the “your password is wrong” trick, but it’s quite common.

We suspect that the crooks do this is because there’s dubious security advice still going around that says, “You can easily detect a scam site by deliberately putting in a fake password first; if the site lets you in anyway, then obviously the site doesn’t know your real password.”

If you follow this advice (please don’t – it only ever gives you a false sense of security), you might jump to the dangerous conclusion that the site must surely know your real password, and must therefore be genuine, given that it seems to know that you put in the wrong password.

Of course, the crooks can safely pretend you got your password wrong the first time, even if you didn’t.

If you deliberately got your password wrong, the crooks can simplu pretend to “know” that’s what you did in order to trap you into continuing with the scam.

If you’re sure you really did put in the right password, then even if fake error message makes you suspicious…

…it’s too late, because the crooks have already scammed you.

One last question

If you keep going, then the crooks try to squeeze you for one more piece of personal information, namely your phone number:

And to let you out of the scam gently, the crooks finish off by redirecting you to the genuine Instagram home page, as if to invite you to confirm that your account still works correctly:

What to do?

  • Keep a record of the official “verify your account” and “how to deal with infringement challenges” pages of the social networks you use. That way, you never need to rely on links sent via email to find your way there in future. As well as fake login warnings like the one shown here, attackers often use concocted copyright violations, made-up breaches of your account’s Terms and Conditions, and other fake “problems” with your account.
  • Pick proper passwords. Don’t use the same password as you do on any other sites. If you think you may have given away your password on a fake site, change it as soon as you can before the crooks do. Consider using a password manager if you don’t have one already.
  • Turn on 2FA (two-factor authentication) if you can. This means that your username and password alone will not be enough to login, because you will need to include a one-time code, either every time, or perhaps only when you first try to use a new device. Although this doesn’t guarantee to keep the crooks out, because they may try to trick you into revealing your 2FA code as well as your password, it nevertheless makes things harder for an attacker.
  • Don’t overshare. As much as it seems to be common to share a lot of your life on Instagram nowadays, you don’t have to give away everything about yourself. Also, think about who or what is in the background of your photos before you upload them, in case you overshare information about your friends, family or household by mistake.
  • Stay vigilant. If an account or message seems suspicious to you, do not interact or reply to the account and do not click on any links they send you. If something seems too good to be true, assmue that it IS too good to be true.
  • Consider setting your Instagram account to private. If you aren’t trying to be an influencer whom everyone can see, and if you use Instagram more as a messaging platform to keep touch with your close friends than as a way to tell the world about yourself, you may want to make your account private. Only your followers will be able to see yout photos and videos. Review your list of followers regularly and kick off people you don’t recognise or don’t want following you any more.
Left. Use ‘Privacy’ option on the Instagram Settings page to make your account private.
Right. Toggle the ‘Private account’ slider on.
  • If in doubt, don’t give it out. Never rush to complete a transaction or confirm personal information because a message has told you you’re under time presssure. If you aren’t sure, ask someone you know and trust in real life for advice, so you don’t end up trusting the sender of the very message you aren’t sure you can trust. (And see the first tip above.)

Source