New Instagram Phishing Attack Steals Backup Codes, Bypassing 2FA

Is your Instagram account secure? A new Instagram phishing campaign targeting users with fake copyright infringement claims seeks to steal your crucial backup codes, granting hackers access even if you have two-factor authentication (2FA) enabled.

What is 2FA and why is it important?

2FA adds an extra layer of security by requiring a second verification code, usually sent to your phone or generated by an app, alongside your password when logging in. This protects your account even if your credentials are leaked.

The Instagram backup code trap:

This phishing attack cleverly exploits backup codes, provided by Instagram for regaining access if you lose your phone or 2FA method. These codes, if stolen, give hackers free rein to your account, bypassing regular 2FA.

How the scam works:

• Phishing emails: You receive emails claiming copyright infringement on your account, urging you to "appeal" through a malicious link.
• Fake appeal forms: Clicking the link leads to a series of convincing phishing pages mimicking Instagram's official appeal portal.
• Credential and code steal: These pages trick you into entering your username, password, and the crucial 8-digit backup code.

Stay vigilant, stay safe:

• Never enter your backup codes anywhere except the Instagram app or website.
• Double-check email addresses and sender names. Legitimate emails from Instagram will come from "@instagram.com" or "@facebookmail.com."
• Report suspicious emails directly to Instagram.
• Use a strong, unique password and enable 2FA with an authentication app, not SMS.