Instagram clamps down on fake messages with anti-phishing tool

Instagram clamps down on fake messages with anti-phishing tool

Instagram accounts will always be a popular target for scammers. You might not think it’s a big deal if someone has their account swiped, but it’s often the vanguard of many online businesses. A takeover, or a deletion, can be absolutely devastating.

Smart hacking crews are always in the background, waiting to see what they can get away with—and it’s not just the public-facing account at risk, but personal data behind the scenes, too.

To combat these attacks, quite a few security additions have been made to Instagram over the years. Now, with the introduction of the “Emails from Instagram” anti-phishing tool, one more inroad for scammers has been made significantly harder to bypass.

The great anti-phishing divide

“Emails from Instagram” will make it much clearer if a message is actually from the social media platform or a scammer. Once you receive the update, messages will be split between “Mails from Instagram” and “Other.”

Anything sent your way from Instagram will be in the former; everything else will be in the latter. Scammers pretending to be your social network of choice is a classic slice of social engineering, and the anti-phishing tool will hopefully go a long way to shutting down Instagram-centric attacks of this nature.

Instagram tricks of the trade

Whether locked down or not, there’s a huge swathe of Instagram scams to steer clear of, and sadly the platform will never be rid of them. Here’s some of the most common, sneaky, and downright clever attacks. Most, if not all of these, will be in circulation somewhere.


t’s up to us to give them as wide a berth as possible.

  • Fake viral boosting apps: You’ll come across fake apps both on official app stores and also floating around in the wild. They’ll usually claim to boost your likes, visibility, follower count, and more. What they actually do is take the username/password combination you punched in and send them back to base. From there, your account is entirely at the mercy of the hijackers. It could be sold on, given away for free, used to spam, or just plain trolled until Instagram shuts it down.
  • Exploiting cool features to push spam: Instagram stories are a neat way to quickly express thoughts with a small video clip or some looping images. If your account was compromised, you might find your latest story sending mutual contacts to spam and dubious sign-up forms.
  • Bogus profiles: The never-ending world of free video game offers comes back to haunt us, via many a compromised and purpose-built account. The method may not be as fancy as an Instagram story, but the end result is the same. Quite a few of these bogus game offer accounts tend to be designed quite nicely, too.
  • The “Who is watching you / what are they up to” scam: A wheeze around since the days of Myspace, seeing what your friends are up to or wondering who lands on your profile is another perennial favourite with scammers. In this case, they prey on people’s insecurities with their relationships. Are they cheating on you? Find out via bogus messages and dubious third-party websites asking for mobile numbers.
  • Casting bait outside Instagram: Not all scams originate from inside the Instagram walls. Quite often it begins in utterly unrelated comment sections, culminating with third-party browser extension installs. Standalone image viewer/downloading tools are also popular ways to install potentially unwanted programs on a system.
  • Viral hoaxes: Never has “It belongs in a museum” been more appropriate, but panicked requests to repost something lest accounts be deleted/hackers take over the world never, ever go out of fashion.
  • The major event bandwagon: You can guarantee anytime a holiday or major event takes place, scammers will be there plying their bogus wares. Soccer is a big target for this, as are high-profile sporting events in general.

Some additional help

Instagram has a lot of advice with regards to account security. If your account has been compromised, there’s multiple directions you can go in depending on situation. Impersonation? They have that covered, too. They also have more general security tips, and a generous amount of additional links which can be found in the Privacy and Safety Center dropdown menu. Two factor authentication is also on offer, should you want to make use of it—we strongly suggest that you do whenever possible.

Launching an anti-phishing tool is an interesting move by Instagram, and one we hope to see on other sites. It won’t magically solve the problem of imitation Instagram messages, but it should go some way to making a large dent in their ability to convince potential victims to click a bogus link.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.