A NEW phishing campaign is attempting to trick Instagram users into handing over their login details, security researchers at Sophos have warned.
Crooks use phishing emails to send fake Instagram login alerts stating that someone has tried to access the target’s account. The user is asked to click on a link in the message, which leads them to a bogus sign-in page. The fraudulent website will then ask the target to input their login info to confirm their identity.
The campaign is more believable than usual
The scam seems to be more convincing than many standard email phishing campaigns. This is mainly because the hoax emails include fake two-factor authentication (2FA) codes. They look like “the unique codes Instagram emails to you whenever you can’t remember your login details.” A code that should serve as a second factor for confirming the user’s identity instead serves to “provide a false sense of security” here.
Moreover, once they click the link, targets see a near-perfect facsimile of the real Instagram landing page. The interface is clean, and the site presents a valid HTTPS certificate and a green padlock, which allays the victims’ doubts.
The scam will cause great damage
If you fall into the trap, the malicious actors can hijack your account and steal your personal details. What’s worse, the scam may not affect only you: phishers “inside your social media account” can use it to cheat your friends and family.
How to tell it’s fake?
You may be frowning by now: is there nothing we can do about this phishing?
The good news is that there are still some telltale signs that give the scammers away. If you look carefully, you can spot a few punctuation errors and a missing space before the word ‘Please’ in the fake email.
More importantly, in the web browser’s address bar you will see a .CF domain, the country-code top-level domain of the Central African Republic, whereas the official Instagram page uses the instagram.com domain. The false domain is therefore a clear warning sign.
How to protect yourself from phishing?
According to researchers at Sophos, we should follow the advice below to safeguard our private information.
- Never click sign-in links in any emails. You should always log in through the official site.
- If you suspect your account has been stolen, use the site’s official channels to recover it.
- Check the domain name. Never enter your personal data when the domain name includes misspellings or looks strange.
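The domain check described above (wrong top-level domain such as .cf, misspelled brand name, or the brand name buried inside another domain) can be automated. The following is an added example written for this article, not code from Sophos or from Instagram; it assumes Python 3 and uses only the standard library, and the sample links at the bottom are constructed for illustration, not indicators from the campaign.

```python
from typing import Tuple
from urllib.parse import urlparse

# The legitimate domain the article names; everything else is suspect.
OFFICIAL_DOMAIN = "instagram.com"


def host_of(url: str) -> str:
    """Return the lower-cased hostname of a URL ('' if it has none).

    Userinfo, ports and paths are dropped, because a link such as
    https://instagram.com@evil.example/ actually points at evil.example.
    """
    parsed = urlparse(url if "://" in url else "https://" + url)
    return (parsed.hostname or "").lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels of the host, e.g. 'login.instagram.com' -> 'instagram.com'.

    Simplification for this example: multi-label public suffixes such as
    co.uk are not handled; a production check would use a public suffix list.
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot misspellings of the brand name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_login_url(url: str) -> Tuple[bool, str]:
    """Return (is_official, reason).

    A link is accepted only when its registrable domain is exactly
    instagram.com; every other case returns a human-readable warning.
    """
    host = host_of(url)
    if not host:
        return False, "no hostname in URL"
    domain = registrable_domain(host)
    if domain == OFFICIAL_DOMAIN:
        return True, f"host {host} is under {OFFICIAL_DOMAIN}"

    brand, official_tld = OFFICIAL_DOMAIN.split(".")
    name, tld = domain.rsplit(".", 1) if "." in domain else (domain, "")
    if name == brand and tld != official_tld:
        # The .cf case from the article: right brand, wrong country-code TLD.
        return False, f"brand name with wrong top-level domain .{tld} (expected .{official_tld})"
    if 0 < edit_distance(name, brand) <= 2:
        return False, f"'{name}' looks like a misspelling of '{brand}'"
    if brand in host:
        # Brand appears only in a subdomain or path-like label of another domain.
        return False, f"'{brand}' appears only as part of another domain ({domain})"
    return False, f"unrelated domain {domain}"


if __name__ == "__main__":
    # Constructed sample links for demonstration (not indicators from the article).
    for link in [
        "https://www.instagram.com/accounts/login/",
        "https://instagram.cf/login",
        "https://instagarm.com/login",
        "https://instagram.com@evil.example/login",
    ]:
        ok, why = check_login_url(link)
        print("OK  " if ok else "WARN", link, "-", why)
```

The check deliberately parses the URL with `urlparse` rather than searching the string for "instagram.com", because the brand name may appear in the userinfo, a subdomain or the path of a link that resolves somewhere else entirely; only the registrable domain of the hostname decides.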
However, it is sometimes hard to recognize a false domain with the naked eye, and then you need help from cybersecurity experts. Mr. Post, an add-in for Outlook, can not only visualize the email route and unveil the real sender, but also recognize suspicious links. You can even see the profile of an email sender with Mr. Post.