By: Edvardi Jackson
23rd August 2022
(New York, NY) — Losing one’s account can be someone’s worst nightmare, especially if they’re a content creator or public figure.
It also carries an element of risk. For example, if you have private messages or photos in your chat logs, the impersonator can use this information to extort you into paying a large sum of money. Despite the fact that recent developments in 2FA technology have helped mitigate this risk, 2FA isn’t completely foolproof.
These scams often begin with a scammer using social engineering to get permission to use your phone number or email.
They’ll make up a story, like how they forgot their password and want to use your phone number for verification.
To make it more believable, they may contact you from the account of one of your mutuals (people who you follow, and who follow you back). Unbeknownst to you, that person has also been hacked.
They’ll then ask for a verification code, since many social media websites would require the scammer to use a 2FA code to log in.
Once given the code, the scammer now has access to your accounts, and can use it to fuel their latest scheme.
(Of course, there are other tactics that scammers may use, but they usually don't deviate too far from this)
These scammers then either impersonate the person who they hacked — or impersonate someone else. In both cases, the scammers usually target the people the victim followed, and vice versa.
(We have been made aware recently that these accounts often get stolen and sold en masse. However, we are currently unable to determine how many of these accounts are obtained using this method.)
The scammers then use social engineering on those people to try to extract money somehow. For example, some use these accounts to gain access to even more accounts, by using the same social engineering ploy they used before.
In certain cases, the scammers can turn your account into a "model" page, where they attempt to get you to pay money to see “exclusive photos”. They’ll remove all of the photos/videos the victim had stored on their account, and replace them with more sexually explicit content (most of which certainly goes against Instagram's TOS).
Below are screenshots of an Instagram account with the handle @cynthialena8002. The account uses photos of the adult film star "Eva Elfie" to catfish unsuspecting (and likely aroused) individuals. These accounts are often wrongly referred to as bots. In most cases, these accounts are stolen.
In other cases, the scammer will post a Cash App, PayPal or Venmo screenshot of the money they allegedly made via crypto. They’ll forward this post to all of the people who follow the victim, and post it to their story.
In the description of the post, the scammer will thank some random Instagram crypto guru, and recommend their services. If you DM this supposed guru, they’ll excitedly talk about the wonders of crypto, and the amount of money people are able to make. However, this is a scam, and it’s likely that the person who scammed the victim and this supposed “guru” are connected.
1. Never give your main phone number out to people on the internet.
Even if it’s someone you trust. As controversial as it may sound, if your phone number is the one you use for important communications such as secure log-in to your bank or primary emails, the benefits of avoiding this altogether outweigh the risks.
If you can, use a VoIP service like Google Voice, and give them that number. That number should NOT be tied to any social media accounts, and should be used explicitly as a burner number.
To go a step further, avoid sharing sensitive personal details (including passwords, addresses, phone numbers, bank routing numbers, etc.) online. If possible, only share this information during a meetup in real life.
2. Trust your gut.
If something feels suspicious, it probably is. Take a step back, and assess the facts. Why would this person need my phone number to get into their account?
If you need to think hard about it, it’s likely a scam, and you should proceed with caution.
3. Have strong and secure passwords, and never give them or share them with anybody.
If you’re not working with a team of people on one account, only you should have access to your password.
If you're in a romantic/intimate relationship, we also suggest you not share it with your significant other either, unless you’re actively making arrangements to control your social media accounts and digital legacy when you eventually pass away.
In the possibility that the relationship ends on a more... sour note, there's nothing necessarily stopping this individual from stealing your account for some nefarious purpose.
4. Avoid SMS-based 2FA.
Instead, use a 2FA app, like 2FAS Authenticator or Google Authenticator. These apps generate codes at specific intervals. For most apps, these codes are device specific, so the scammer would never have the same authentication code as you, unless they had direct access to your device.
If the scammer asks for one of those codes, it’s a clear indicator that they’re trying to scam you out of your account.
Plus, SMS isn’t the most secure messaging protocol anyway, so you’d be better off ditching it.
We hope that this report helps those out there avoid these types of scams. Feel free to share this article around, as it'll likely help warn people of this growing issue.