Instagram login screen
Source: Perzonseo Webbyra | CC BY 2.0 | Cropped & Resized

Cybercriminals originating from Turkey are conducting phishing campaigns against unwitting Instagram (IG) users. According to cybersecurity researchers, the ploy involves sending messages that look like official Instagram messages.

If the victim falls for the trick and clicks a link, they are leaving the door open to bad actors stealing their email credentials and IG details.

So far, the campaign has already gone after hundreds of celebrities. Instagram has become a favorite amongst famous people, and many cybercriminals see them as easy targets. However, the phishing attacks are also targeting startups and any other Instagrammer with a high follow number.

Researchers caught the attack when a police officer with a large follow base was attacked.

Phishing attacks are typically associated with email, and that’s how previous campaigns on Instagram have unfolded. However, the latest attack method involves directly messaging people on their IG account.

This is arguably more effective because users would be more willing to blindly believe a seemingly official IG message on the platform itself.

“The message also provides a link which masquerades as a form for sending an appeal but which is actually a phishing link,” Trend Micro researcher point out in a recent report. “Opening the link leads to a page where the user will be requested to provide their username. As of writing, the form has no data validation, meaning that any input — even a non-existent account or no input at all — would be accepted.”


If an unwitting user selects “Next” on the landing page, they are asked to give their name, password, email address, and email password. Essentially, their account credentials for IG. Notably, many users would likely understand Instagram would never ask for all this information at once. However, many will also be fooled by the campaign.

When a user inputs the information and selects “Continue”, they are sent to the real IG login page.

“If the user was already logged in to the social media site before tapping the said button, the form then redirects to their homepage,” the researchers add. “This gives the illusion that the form they filled out is officially connected to Instagram.”

Attackers can use the information to log into a victims account, remove their cell number and change the email… essentially taking control of the account.

Researchers say users can use extreme caution when any service request full details.