What do Urmila Matondkar, Ameesha Patel, Tabu, Sussane Khan, Vikrant Massey and Esha Deol have in common? All of these celebrities have fallen victim to an Instagram phishing campaign and lost access to their accounts.
On Tabu’s account, which was hacked Monday, hackers posted a promotional post asking her 1.9 million followers to download a board game app. Tabu later posted a link on her Stories asking followers not to click or open any links sent from her account.
The ‘Instagram Copyright’ scam, as it is being called, is quite common, and many celebrity and brand accounts have already fallen victim to it. In January alone, Esha Deol, Tabu, Ameesha Patel and Asha Bhosle were some of the big names that got hacked. Urmila Matondkar’s and Vikrant Massey’s Instagram accounts were hacked in December 2020. In fact, Massey’s account was hacked twice, according to the actor.
Sushmita Sen’s elder daughter Renee’s Instagram was also hacked in December. Sussane Khan was targeted in October 2020. Matondkar’s Instagram account was hacked on December 16 and she also filed a complaint with the Mumbai cyber cell. Patel also took similar steps.
We take a look at what the scam is, and how you can keep your account safe.
What is the Instagram Copyright scam?
Many of the celebrities received a message from a handle, posing as the official Instagram account, with complaints about copyright claims. The users were warned they were violating community guidelines, and that they needed to provide some feedback if they thought the infringement claim was false.
They were also warned that if they did not give the information, the account would be deleted in the next 72 hours. One example of a message reads like this: “Hello Instagram user, we have received many complaints about your account for a long time. We wanted to inform you about this. Before you delete your account, some of the posts you posted are against our community guidelines. If you think the copyright infringement statement is false, you must provide feedback. Otherwise, your account will be permanently deleted from the platform within 72 hours.”
At the bottom was a link with a fake “Copyright Appeal Form” attached. This is where the hackers would ask users for crucial details like Instagram account name, password, date of birth, and any other information which would have helped them gain control of the account.
What has Instagram said on this hacking?
We reached out to Instagram for a statement on the celebrity hackings, which are a classic case of phishing. Keep in mind that anyone can be fooled by such links, which can sometimes appear very genuine.
A Facebook spokesperson said, “We know that losing access to your account can be a distressing experience. We have sophisticated measures in place to stop bad actors in their tracks before they gain access to accounts, as well as measures to help people recover their accounts. We’re also reiterating that Instagram never communicates with users through direct messages and all communication made by Instagram via email can be confirmed in the app, in Settings> Security> Emails from Instagram.”
The company also redirected us to its page on how to keep accounts secure.
How to protect your Instagram account?
The first step is to make sure that two-factor authentication is enabled. This ensures that if someone else does get the password, they will still require a one-time password (OTP) to log in to your Instagram account.
Two-factor authentication (TFA) can be done by codes sent by SMS or by a third-party authentication application such as Duo Mobile or Google Authenticator, according to Instagram.
Follow these steps to enable TFA on your Instagram account:
Open the Instagram app, go to your profile page and tap on the three-lined icon in the top right corner.
Tap on “Settings,” which appears in the menu. Go to Security in Settings. You will see a “Two-Factor Authentication” option. Tap on that.
Enable it. Once it is enabled, you can also add the option to use an authentication app for getting codes. The advantage of this is that hackers can sometimes change the mobile number associated with the account, in which case you might not receive the SMS code needed to secure it. If you rely on an app like Google Authenticator, you can still get codes. Also, make sure that you keep the backup codes somewhere safe when setting up TFA on your account.
Other recommendations from Instagram include keeping a strong password, which includes at least six letters, numbers and punctuation marks.
Using your dog’s name, your birthday, your surname, your name, or your mother’s or father’s name as a password is not a secure practice. Basically, any information that can be easily found with a simple Google search should not be part of the password.
Instagram also recommends revoking access to any third-party applications, where you might have logged in using the account. It says they can expose your login information.
Further, Instagram reiterates that it never communicates with users through Direct Messages on the app. It only sends communication via email. All communication made by Instagram via email can be confirmed in the app, in Settings> Security> Instagram emails.
What happens if your account is hacked and you lose access?
If you think your account has been hacked and you’re still able to log in, there are things you can do to help keep your account secure:
First, if you are not yet logged out of the account, send a request to change your password quickly. Also, turn on two-factor authentication for additional security if not done already.
Instagram also says that you should go to the Accounts Center and remove any linked accounts you don’t recognise. It also recommends revoking access to any suspicious third-party apps.
Further, check your email account for a message from Instagram in case the hackers tried to change the email address connected to the account. The email will come from email@example.com letting you know that your email address was changed.
You can fix this by selecting the ‘revert this change’ option in that message. Instagram also says that if any additional information, such as your password, was changed as well, you should request a login link or security code from them. The login link can be sent to your email address or phone number.
The login link can be used to ask for a security code or support from Instagram to regain access to the account. In some cases, Instagram might ask users to verify their identity. They will be asked to submit a photo of themselves, holding a paper with the code sent by them written on it along with other details.