Cybercriminals now Instagram phishing using 2FA

  • Hackers and cyber criminals are now Instagram phishing to gain access to your personal details, it was revealed in the U.S. last week.

    A new form of phishing shows the use of a two-factor authentication (2FA) code on Instagram; the implication is that you aren’t going to need to use a password, but instead simply to confirm that the email reached you.

    In previous years, cyber crooks went straight for people’s bank account details through online scams.

    Although this still remains the case, social media passwords are now of increasing interest to crooks, because the innards of your social media accounts typically give away much more about you than the crooks could find out with regular searches.

    Additionally, a hacker inside your social media account can use it to trick your friends and family too, so you’re not just putting yourself at risk by losing control of the account.

    Sophos is a cybersecurity firm based in Northern Ireland. Following the recent phishing findings, Paul Ducklin, a senior technologist at the company said:

    "Successful phishers know three things: less is more; calm language works better than !!!SHOUTING!!!; and ripping off official content is easier than creating their own material. As a result, you can no longer rely on the obvious tell-tales of phishing from the past, such as spelling mistakes, wild promises, and unbelievable threats or messed up web pages."

    "These days, don't look for reasons to disbelieve an email - look for very specific reasons to accept it instead. Most importantly, if an email wants you to go online and do something such as check your account; ignore any and all instructions in the email itself. If it's an account you actually use, you'll know how to get there already, so follow your own nose, not someone else's.”

    Mr Ducklin also provided these top three tips to avoid such phishing scams:

    1. Use a password manager. Not just because it'll never pick your cat's name as a password; and not just because it'll make sure you have a different password for every website, even sites you don't consider important; but also because a password manager makes it surprisingly hard to put the right password into the wrong site.
    2. Use two-factor authentication. Those one-time codes that arrive in text messages, or that come from an app on your phone, or are generated by a special USB dongle you plug in only when needed - they're a tiny inconvenience for you, but they make your password alone very much less useful to the crooks.
    3. Never click on email links to login. Even if you're convinced an email is genuine, ignore any login links it tells you about. You can't click through to a fake sign-in page if you never click through to sign-in pages at all.

    Remember – if in doubt, don’t give it out. 

    Companies as well as individuals are also vulnerable to phishing attacks, and the UK National Cyber Security Centre (NCSC) reported earlier in 2019 a dramatic shift in the number of phishing attempts in which someone impersonates a member of HMRC. 


    Photograph (c) Sophos 

    About the author

    Niamh is a Sync NI writer with a previous background of working in FinTech and financial crime. She has a special interest in sports and emerging technologies. To connect with Niamh, feel free to send her an email or connect on Twitter.

    Got a news-related tip you’d like to see covered on Sync NI? Email the editorial team for our consideration.

Share this story