This article reveals common themes in Notch's “How I Got Hacked” series, in which we interview victims of Instagram hacks - from small business owners to influencers. By unpacking the patterns behind the Instagram account hacks, we can understand what went wrong and better understand how to secure ourselves to prevent more hacking incidents.
Instagram hacking: Common denominators
Instagram hacking tactics
Whilst every incident and breach may differ, it’s a useful to identify common denominators. Oftentimes, we can notice recurring patterns and trends across attacks. This is apparent when we see how victims have fallen for the all-too-common phishing emails with malicious links. Prime examples of this would be offers of the blue tick, a copyright infringement claim, or a fake business proposition.
Richie and Natalie - both small business owners - fell victim to the blue tick tactic, allowing their credentials to be stolen and their business accounts to be compromised. As seen with Paige and Daniel’s account, a hacker pretended to be an official Instagram account, claiming copyright infringement. Flip Flop Wanderers and Lexi Luxury, meanwhile, were deceived by the “we have a business proposition” charade.
Use of urgency
Another common denominator is a sense of urgency - which is an inherent attribute of social engineering. Also classed as FUD, by implementing fear, uncertainty and doubt, hackers use this tactic to prevent victims from thinking logically, increasing the likelihood of success.
In fact, 66.6% (6/9) of the hacks covered in our series featured social engineering techniques such as FUD.
“By creating a sense of urgency, curiosity or fear in victims it prods [victims] into revealing sensitive information, clicking on links to malicious websites, or opening attachments that contain malware” - (Verizon Data Breach Investigation Report 2021)
Instagram’s Help Centre
Instagram has a help centre, which aims to provide assistance to various issues one might have with their account. There is a dedicated section for help with compromised accounts. However, as mentioned across the stories shared by victims, this is not as helpful as it seems, with 100% of the victims being disappointed with the support process.
When examining Natalie’s case, she claimed that Instagram never responded to her requests, despite constant emails from her end. Similarly, Amy also complained about the lack of support from Instagram, finding it challenging to locate the correct contact information and even then, only receiving automated email responses. It seems that although Instagram has a support system established, it does not provide much actionable support into resolving these issues.
Instagram hacking and follower counts
Follower count does not have nearly as much of a part as one might think.
Jessica ran an account with over 166,000 followers and Richie had 3,300 followers and both got hacked. It is fair to say that small businesses may have the idea that they are less likely to suffer an attack due to their size, however, as demonstrated with these examples, we can see that is not the case.
If we were to examine for any patterns in regards to follower count, we can identify that 62.5% had 20,000 followers or less, with 25% falling under 5,000 followers. This shows that small business accounts are also vulnerable. Anyone is susceptible, regardless of size.
The impact of Instagram hacks
Loss of income
The overwhelming theme is that these hacks have damaged the victim’s businesses. Natalie’s account being compromised led to a client losing $2000 from a financial scam, causing a serious impact on her brand reputation. She also believed that she lost business as a result of the hack, whilst also losing hundreds of followers on Instagram. Cath’s business was completely destroyed as a result of the security compromise and Instagram block. Having to take the account down meant she suffered a loss of income, and all her engagement, such as brand collaborations, disappeared.
The common themes show that businesses tend to suffer a loss of followers and income as a result of a hack. Furthermore, once hackers take control of the victim’s Instagram account, the brand image can be impacted in a negative manner, due to the content posted within the compromised account.
The vast majority of hacking victims mentioned how stressed, overwhelmed and sad they felt during and after the hack - made worse by Instagram’s lack of communication and assistance throughout the process. Unfortunately scams are often personalised to create the impression of a unique offer to the recipient and inherently attempt to instil false trust. When this is ultimately broken victims feel a lasting sense of betrayal, bitterness and distrust.
How the data compares to cyber security data articles
Verizon's 2021 Data Breach Investigation Report (DBIR) has statistics that outline the common theme of attacks. “Phishing remains one of the top Action varieties in breaches and has done so for the past two years” (Verizon DBIR 2021). This is similar when examining the victims we’ve spoken to, with social engineering the cause of 100% of the cases where the root cause has been identified.
Furthermore, the motivation behind the attacks covered in our How I Got Hacked series aligns with Verizon’s DBIRs findings:
“As in past years, financially motivated attacks continue to be the most common” (Verizon DBIR 2021).
Whether payment is requested through ransom, as seen with Lexi and Jessica, or money is obtained through a scam, as seen with Natalie, financial motive is a common theme being explicitly seen in 5/9 (55.5%) of the breaches.
The DBIR also indicates that sizing of the business has very little to do with the chance of receiving a malicious URL - “What we found, in short, was that you don’t have to be a large [organisation] to have a good chance that one of your members has received a malicious URL” (Verizon DBIR 2021).
Figure 34 in the DBIR shows that businesses with 1-50 employees have between a 75%-100% chance of receiving a malicious link or Android application in any given year. It is no surprise that, when the cause was known with our interviewees, clicking malicious links was the most frequent.
Instagram hacking: Prevention methods
Although you can never guarantee 100% security, there are actionable steps you can take that will significantly reduce the likelihood of falling victim to a hack or mitigate the fallout.
Instagram is a valuable asset for influencers and business owners alike. Providing a platform for communication and advertisement - with a revenue stream to boot. Prior to Notch, there was no service that insured this asset against hacks.
Now with Notch in the game, you can worry less and progress more. We provide you with cybersecurity protection, 24/7 account monitoring, account retrieval, crisis management and, most significantly, we reimburse. For each day your account is hacked, you’ll receive a payment based on your coverage…yes, daily.
Identify fake emails & malicious links
From the 9 hacking victims we interviewed in our blog series so far, here's what we found:
- 57% (4/9) of the hacks were engineered through malicious links sent via email which looked like a legitimate site
- 66.6% (6/9) of the hacks could have been prevented by following email safety practices
The best method of identifying a malicious email or link is by simply viewing it. There are 7 key elements to an email which, through analysis, can give away a hacker’s intentions - the “from” and “to” address, hyperlinks, content or attachments, the email’s subject, and finally the sent date.
In addition, a sense of urgency, as mentioned previously is another common theme - such as demanding immediate action. So, if you are being forced to act urgently, do the opposite and take time to think.
If you’re unsure if a link is malicious then manually search the legit website in your browser. Email is much easier to fool than Google.
Check out Google’s practical demonstration on how to identify a phishing email.
Don’t send sensitive information over email
Personal and private information should not be sent over email. Legitimate organisations have processes and security policies in place and any business requesting information through email should raise some flags.
Use unique, long and complex passwords
Passwords that are not easily distinguishable and contain sensitive characters and numbers will make it harder for an attacker to gain access to your account.
Needless to say, having passwords that involve words relating to your person (such as surname, pet name, address, etc) are considered weak, easily identifiable and should be changed immediately.
Consider investing in a Password Manager, which will allow you to create unique autofill passwords that are a random string of characters, making them very strong and hard to guess. The best part is you only need to remember one password to get into the password manager, the rest is taken care of for you.
44.4% (4/9) of the hacks in our blog series could have been prevented by using unique passwords and multi-factor authentication.
Enable Multi-Factor authentication (MFA) & follow best security practices
MFA provides an extra layer of security through sending a one-time passcode to an email or mobile device, or using an authenticator app. This will mean an attacker would have to also get hold of your MFA code if they manage to gain access to your password.
It’s important to note that whilst gaining access to an account with MFA is significantly more difficult than one without, it’s not impossible - with Jessica Wenjia being a prime example of this. She had MFA in place through mobile verification and still fell victim to compromise. In her case, and identical to victims without MFA, social engineering was the method that spearheaded the attack.
Like a password, never give your MFA code to anyone nor any business other than the one you open an account with - and even then, assess the contents of the message, using the advice about phishing, to ensure it’s nothing malicious. Also, keep the means of your MFA verification, such as the authentication application or mobile phone number linked, private.
Ideally you should be using an application-based MFA (such as Google Authenticator) as opposed to SMS-based, due to the increased security. Additionally, don’t fill out security questions honestly, instead opt to use automatically generated strings - something a password manager can provide.
Remember…MFA is not unhackable, but you can make life difficult for the hacker. Found out more here.
Instagram hacks: Key takeaways
Our How I Got Hacked series aims to give a voice to victims of Instagram hacks and help other creators and business owners avoid making the same mistakes. Through the interviews we can see that no one is safe from these hacking attempts, even the tech savvy can fall for it. However, we can pull in some key takeaways from each:
- Hacked businesses tend to suffer a loss of income and followers, along with a hit on brand image.
- Mental health is impacted by hacks. Our discussions have identified that the vast majority of victims felt stressed, overwhelmed and sad, which was then exemplified by the lack of assistance Instagram had offered.
- There is no evidence to support the idea that Instagram hacks only occur to larger accounts, our examination showed 62.5% of hacking victims had 20,000 followers or less.
- Instagram’s support mechanisms have proven to be a long and unhelpful process due to a lack of communication and assistance.
- Although you cannot guarantee 100% protection, prevention methods (such as MFA, long passwords etc.) will help create a stronger barrier for your account.