In recent weeks and months, reports of a “verification code” scam have increased all over the internet, as attackers look for new ways to break into accounts.
The scam begins apparently innocently, with a message from a friend’s account. They will generally claim that they have lost access to their account for some reason, and that Instagram has told them to pick a friend to receive a verification code on their behalf – before asking the targeted person for help.
If they agree, they will receive a code, and are then asked to hand it over in the message. But the code is actually for their own account – and the person they believe is their friend is actually an attacker who has already broken into that friend’s account.
If people are taken in, then the attackers will use that code to break into the victim’s own account. From there, the scam will presumably continue, using the victim’s account to message their friends, and get access to even more accounts.
Being targeted by the scam can be a distressing experience. People have reported receiving messages from hacked accounts belonging to dead friends and family, or from scammers who pretend to have found victims’ lost pets and lure them in with the promise that they will be returned.
The scam works because Instagram – and many other platforms – offers a way to get into accounts when their owners have lost access, such as when they have forgotten their password.
In order to give them access, Instagram sends a code by text message to the phone number registered to the account, and the person then enters that code back into the app. That ensures that the person trying to get in has access to the registered phone.
In the hack, however, it is the scammers who press that button, and have the verification code sent to the victim’s phone. So when the victim hands over the code they believe is for their friend’s account, it is actually for their own, and they lose access to their account.
In another version of the scam, cybercriminals send potential victims fake emails pretending to be from Instagram’s technical support team. They claim that there has been suspicious activity on the account and provide a link and an activation code to log in. Of course, the link is fake, but because the scammers use the pretext of 2FA security, the account holder might be convinced to enter their user ID and password. And because people often use the same password for multiple accounts, the scammer may then have access to more than just the user’s Instagram account.
What can you do to protect yourself?
- Log in via known addresses or apps, not by following links. You can always contact the support team of the real company to confirm that they contacted you.
- Look closely at the sender address, and hover your mouse over any links to confirm where they lead. In this case, although the communication purported to be from Instagram, the link in the email pointed back to a domain in the Central African Republic.
- Remember or review the authentication methods you selected for your account. For Instagram, you either selected text message (SMS) codes or a third-party authentication app as your primary security method; email codes aren’t even an option.
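The second tip above (check the sender address, and check where a link actually leads rather than what its text says) can be automated for a mailbox or a security team’s phishing triage. The following is an added example written for this article, not code from Instagram or from the article’s author: it parses a constructed sample email, extracts every link from the HTML body, and flags a sender domain or link destination that is not on an assumed allowlist, as well as any link whose visible text shows one domain while its `href` points somewhere else. The allowlist, the sample messages and the `.example` domains are all constructed assumptions; the domain check uses the last two labels of a hostname rather than a public suffix list, which is a simplification.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a phishing-style message. The sender domain and the
# link target are made-up .example names, not real domains.
SAMPLE_EMAIL = """From: Instagram Support <support@instagram-security.example>
To: user@example.org
Subject: Suspicious activity on your account
Content-Type: text/html

<p>We detected suspicious activity. Please verify your account:</p>
<a href="https://instagram.com.verify-login.example/login">https://www.instagram.com/accounts/login/</a>
<p>Your activation code is 123456.</p>
"""

# Constructed sample: a message whose sender and link both stay on the platform's domain.
LEGIT_EMAIL = """From: Instagram <no-reply@mail.instagram.com>
To: user@example.org
Subject: New login to Instagram
Content-Type: text/html

<p>If this was not you, review your security settings:</p>
<a href="https://www.instagram.com/accounts/login/">Log in</a>
"""

# Assumed allowlist of registrable domains the platform legitimately uses (hypothetical).
LEGITIMATE_DOMAINS = {"instagram.com", "facebook.com"}

# Matches visible link text that itself looks like a URL or bare hostname.
URLISH = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/?#].*)?$")


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname (simplification: no public suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_in_text(text):
    """Return the hostname shown in link text if the text looks like a URL, else None."""
    match = URLISH.match(text.strip())
    return match.group(1).lower() if match else None


def analyze(raw_message, legitimate_domains=LEGITIMATE_DOMAINS):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    msg = message_from_string(raw_message)
    _, address = parseaddr(msg.get("From", ""))
    from_domain = address.rpartition("@")[2].lower()
    findings = []

    # Check 1: the sender's domain is not one the platform is known to use.
    if registrable_domain(from_domain) not in legitimate_domains:
        findings.append(f"sender domain {from_domain!r} is not a known platform domain")

    parser = LinkExtractor()
    parser.feed(msg.get_payload())
    for href, text in parser.links:
        href_host = urlparse(href).hostname or ""
        href_domain = registrable_domain(href_host)
        # Check 2: the link leads off the platform's domains (what hovering would reveal).
        if href_domain not in legitimate_domains:
            findings.append(f"link points to {href_host!r}, not a known platform domain")
        # Check 3: the visible text names one host while the href goes to another.
        text_host = host_in_text(text)
        if text_host and registrable_domain(text_host) != href_domain:
            findings.append(f"link text shows {text_host!r} but leads to {href_host!r}")
    return findings


if __name__ == "__main__":
    for name, raw in (("phishing sample", SAMPLE_EMAIL), ("legitimate sample", LEGIT_EMAIL)):
        print(f"{name}: {analyze(raw) or ['no findings']}")
```

Run against the constructed phishing sample, `analyze` reports three findings (off-platform sender, off-platform link target, and link text that names `www.instagram.com` while the `href` goes elsewhere); the legitimate sample yields none. The last-two-labels heuristic means a real deployment should swap `registrable_domain` for a public suffix list lookup, otherwise hosts under multi-label suffixes such as `co.uk` are grouped incorrectly.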