Watch out for phony Instagram ‘Support’ Emails


A new credential harvesting email scam has emerged, this time impersonating Instagram tech support and threatening to shut down your account for sharing “fake content.”

This latest scam was discovered last week targeting an undisclosed insurance company and was able to successfully bypass the firm’s email security measures with some simple tricks. At this time it’s unknown exactly how many usernames and passwords were stolen but as this scam is now sweeping the nation, be prepared to have it hit your inbox soon.

What does the email look like?

The attack starts with an email disguised as an alert from Instagram’s technical support team indicating that your account is going to be deactivated. Impersonation emails like these have 3 goals:

  1. Create trust in the sender (after all, it made it through the spam filter)

  2. Create a sense of urgency

  3. Get you to click a link in the email which will direct you to a credential harvesting website, disguised as the trusted authority.

In this case, the email includes:

“You have been reported for sharing fake content in your membership. You must verify your membership. If you can’t verify within 24 hours your membership will be permanently deleted from our servers.”

Followed by a link to “verify your account.” 
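As an added illustration (not part of the original post), the script below checks an email for the three warning signs described above: a brand named in the message that does not match the sender's domain, urgency wording, and a "verify" link whose host is not the brand's. The sample message, the domains ending in .example and the brand domain list are constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Legitimate sending domains per impersonated brand (constructed list for this
# example; a real filter would maintain one per brand it protects).
BRAND_DOMAINS = {"instagram": {"instagram.com", "mail.instagram.com"}}

# Pressure phrases taken from the message quoted above.
URGENCY_PHRASES = ("within 24 hours", "permanently deleted", "must verify")

def belongs_to(host, domains):
    """True if host is one of the brand's domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def score_email(raw):
    """Return a list of phishing indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    body = msg.get_payload(decode=True).decode()   # single-part message assumed
    # Collapse whitespace so phrases wrapped across lines still match.
    text = " ".join((msg.get("Subject", "") + " " + body).lower().split())
    findings = []
    brand = next((b for b in BRAND_DOMAINS if b in text), None)
    # 1. Brand named in the mail, but sent from a domain the brand does not own.
    if brand and not belongs_to(sender_domain, BRAND_DOMAINS[brand]):
        findings.append(f"claims to be {brand} but sent from {sender_domain}")
    # 2. Urgency cues that push the reader to act before thinking.
    findings += [f"urgency cue: '{p}'" for p in URGENCY_PHRASES if p in text]
    # 3. Links whose host is not the brand's, whatever the link text says.
    for href, label in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        host = (urlparse(href).hostname or "").lower()
        if brand and not belongs_to(host, BRAND_DOMAINS[brand]):
            findings.append(f"link '{label.strip()}' points to {host}")
    return findings

# Constructed sample modelled on the message quoted above (not a real capture).
PHISH = """\
From: Instagram Support <support@instagram-help.example>
To: employee@insurer.example
Subject: Your Instagram membership will be deleted
Content-Type: text/html

<p>You have been reported for sharing fake content in your membership. You must
verify your membership. If you can't verify within 24 hours your membership will
be permanently deleted from our servers.</p>
<p><a href="https://instagram.com.verify-login.example/account">Verify your account</a></p>
"""
```

Running `score_email(PHISH)` returns five findings: the mismatched sender domain, three urgency cues and the off-brand link; a genuine notice from a brand-owned domain with no urgency wording returns an empty list.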

The Takeaway

Just a few weeks ago, cyberattackers impersonated the DocuSign e-signature software to steal Microsoft account credentials from a U.S. payment solutions company. In that case, hundreds of employees were exposed as a result of brand impersonation, clever social engineering and a valid email domain that bypassed traditional security measures.

Perhaps these two campaigns were identified and stopped, but what about the next one? Or the one after that? Or other campaigns we haven’t heard about, because they weren’t successfully identified by a security team?

I recommend focusing your efforts on strengthening your company’s security posture in the following 4 areas to prevent

  1. Ensure that staff know not to open emails they are not expecting

  2. Check that maximum email security is in place to stop these types of socially engineered attacks

  3. Ensure that ALL staff are trained on how to recognize and respond to these types of attacks

  4. Ensure that ALL staff have multi-factor authentication enabled and that password re-use is NOT present in your organization.

All it takes is 1 employee to share valid credentials to wreak havoc in your company. Be sure to review your employee security awareness training program to ensure that everyone is participating and to identify those that could use behavioral improvement. We’re here to help – want to set up a time to quickly chat about it? Here is the link:

https://calendly.com/howard-whitman/discovery-call

Stay safe out there

-A