Cyber criminals are now targeting Instagram users in their latest scams which are aimed at getting users to share their account details and personal information.
This time, the scammers are using scare tactics to make people believe their account has breached copyright laws and is at risk of suspension.
Users assuming this is a legitimate warning from Instagram are clicking through to find out what they’ve done wrong and to work out how to unlock their accounts.
But, in the process, they are inadvertently handing over their details.
“The crooks are tapping into a concern that many of us have – falling foul of copyright law.
Lots of us innocently post and repost photos, GIFs, video clips and screenshots that we find amusing, informative, scary, and so forth,” says Paul Ducklin, senior security advisor at Sophos.
“But even if we’re only ever posting photos that we took ourselves, we may occasionally find ourselves asked either to demonstrate our entitlement to use them, or to risk getting shut out of our account.”
Last month, scammers also falsely notified Instagram users that their accounts had been compromised and that they could be reclaimed with a two-factor authentication code.
A cyber criminal can then crack your email before you can use the Reset Password link and choose a new password for you before you even notice that a password reset was requested.
“When cybercrooks first got into phishing in a big way, they went straight to where they figured the money was: your bank account,” Ducklin said.
“Back then, phishing was a real nuisance, but even a little bit of caution went an enormously long way.
“These days, you’re almost certainly still seeing phishing attacks that are after your banking passwords, but we’re ready to wager that you get just as many, and probably more, phoney emails that are after passwords for other types of account.
“Social media passwords are also valuable to crooks, because the innards of your social media accounts typically give away much more about you than the crooks could find out with regular searches.
“Worse still, a crook who’s inside your social media account can use it to trick your friends and family, too, so you’re not just putting yourself at risk by losing control of the account.”
Here are the tips from Sophos to help you stay safe online:
– Look out for obvious errors. For many cyber crooks, English isn’t their first language and they are often careless in their emails so look out for numerous grammatical and typographic errors, which are a big giveaway.
– Check your address bar. If a web address is too long to fit cleanly into the address bar of your browser, take the trouble to scroll rightwards in the address text to find the right-hand end. Closer inspection would quickly reveal the bogus domain name here.
– Consider using a password manager. Good password managers associate usernames and passwords with already-known login pages, so your password manager wouldn’t offer to fill in an unexpected password field on an unknown web domain – it simply wouldn’t know what account to use.
– Never log in via email links. If you need to log in to a site such as Instagram for some official purpose, find your own way there, for example via a bookmark you created earlier, or by using the official mobile app. That way, you’ll avoid putting your real password into the wrong site.
– Learn how your online services really handle disputes or security issues. Don’t get taken in by warnings you receive by email. Find your own way to the real site and use the service’s own help pages to find out how things really work. That way, you’ll be much harder to con.
– Make sure your users are clued up. Phishing emails are easy to fall for because of their elegant simplicity – by copying distinctive pages from well-known brands, the crooks keep your suspicions low. Sophos Phish Threat lets you train and test your users using realistic but safe phishing simulations.
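The address-bar and password-manager tips above come down to the same check: which host a link really points at, however familiar the text in it looks. The JavaScript below is an added example, not code from Sophos or Instagram; the vault entry, the `.example` URLs and the HTTPS-only rule are assumptions made for illustration, and a real password manager would use the Public Suffix List rather than this simple suffix match.

```javascript
// Added example. The vault entry and every sample URL are constructed.
const VAULT = [{ site: "instagram.com", username: "alice" }];

// Host the browser will really contact, or null when the URL should never
// receive a saved password (unparseable, or not HTTPS: an assumed policy).
function loginHost(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return null;
  }
  if (url.protocol !== "https:") return null;
  // URL lowercases the host, converts lookalike Unicode letters to punycode
  // and separates any "user@" prefix, so only the true host is left.
  return url.hostname.replace(/\.$/, "");
}

// True when host is the saved site itself or one of its subdomains.
function hostMatches(host, site) {
  return host === site || host.endsWith("." + site);
}

// Saved entry to offer on this page, or null when nothing should be filled.
function credentialFor(rawUrl, vault = VAULT) {
  const host = loginHost(rawUrl);
  if (host === null) return null;
  return vault.find((entry) => hostMatches(host, entry.site)) || null;
}

// Constructed samples: one genuine login page and several lookalikes.
const SAMPLES = [
  "https://www.instagram.com/accounts/login/",
  "https://instagram.com.copyright-appeal.example/accounts/login/?next=/help/",
  "https://instagram.com@login-check.example/accounts/login/",
  "https://login-check.example/instagram.com/accounts/login/",
  "https://instagr\u0430m.com/accounts/login/", // Cyrillic "a" in the name
  "http://www.instagram.com/accounts/login/",
];

for (const sample of SAMPLES) {
  const entry = credentialFor(sample);
  const verdict = entry ? "offer saved login for " + entry.site : "do not fill";
  console.log(String(loginHost(sample)).padEnd(42), verdict);
}
```

Only the first sample is offered the saved login; for the rest, the printed host is the part of the address worth reading before typing a password by hand.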