In early 2021, Marissa Nelums was thrilled to be on the brink of blue-check verification on Instagram. The Chicago-based designer remembers exactly where she was—hopping into a taxi after attending a friend’s wedding in Mexico—when the message came through, informing her that she’d finally received verification. To seal the deal, she just had to log out of her account and then log back in. Once she logged out, however, she suddenly found that she was unable to log in again.
“It immediately dawned on me what had happened,” says Nelums. Without realizing it, she had signed over her account to a hacker based in Africa. Then, the impersonated posts started rolling in: stories encouraging her followers to invest in Bitcoin, a video showing off the Tesla she’d supposedly purchased with her new riches, and interactions with her followers encouraging them to invest as well. Though Nelums acted fast in contacting the platform’s support team, actually regaining control of her account proved to be a much thornier process.
“What I thought would be as simple as emailing Instagram or Facebook and showing some type of proof that it’s my page turned into a much bigger nightmare,” she says.
Though she didn’t know it at the time, Nelums had joined a rising tide of social media users who have been targeted by scammers seeking to co-opt others’ accounts for financial gain. An Instagram creator account is hacked every 10 minutes on average, adding up to more than 50,000 accounts each year, according to digital asset insurance company Notch. For hackers, it’s a lucrative gig: cybercriminals bring in more than $3 billion in revenue from social media attacks annually. Plus, the prevalence of social media scams generally seems to be on the rise, as the number of victims surged from 46,000 to 95,000 in 2021, according to data from the Federal Trade Commission.
For influencers and content creators who run their Instagram page like a business, the stakes are high—and for designers like Nelums, losing access could mean the loss of a lead generator, a digital project portfolio, a key source of marketing and advertising, and a place to execute brand sponsorship deals. Unfortunately, many designers say response times are typically slow from Instagram’s help desk: Data from Notch reveals that it takes 60 to 70 days on average to recover an account on the platform. Just last month, Instagram took a major step toward helping users recover from hacks, rolling out a new all-in-one support page where users can directly request help retrieving their accounts, report impersonators or obtain help with lost passwords. In another new feature, users locked out of their account can call upon two friends to help verify their identity.
In the meantime, a growing number of design professionals victimized by hackers have been forced to take matters into their own hands. For Nelums, that meant hiring an independent contractor known for his connections at Facebook. He was able to bump up Nelums’s ticket in the help desk queue—but to protect his identity and connections, he only communicated with her via the encrypted Google Voice app. Four days and a $4,000 payout later, Nelums finally had her account back.
Meg Lonergan’s Instagram scam experience started similarly, with a direct message informing the Dallas designer that she’d been granted blue-check verification. Once her account was in the hacker’s hands, however, the scammer began making demands—namely, asking Lonergan for ransom in return for her account. “It’s a very high-stress situation,” she says. “You’re getting these messages from the hacker being like, ‘If you don’t pay me in 24 hours, your account is gone forever.’”
A friend who’d been through the same ordeal advised Lonergan not to pay, after doing so herself and still not receiving access to her account in the end. Instead, an industry contact put Lonergan in touch with a “good hacker” based in Colombia. The two communicated via WhatsApp, which led to Lonergan paying a $1,000 fee (sent via Western Union) before eventually regaining access to her account three weeks later.
Such incidents have become so common that new, more transparent ventures are popping up to help hacked creators reaccess and proactively protect their profiles. The aforementioned digital asset insurance company Notch was launched by founder and CEO Rafael Broshi in July 2022, and offers Instagram account insurance. In exchange for a monthly fee ranging from $8 to $170 (based on an appraisal of your page), the company provides account monitoring and crisis management, which includes daily reimbursements for each day a creator can’t access their account after a hack.
In the vast majority of cases, says Broshi, hackers use social engineering (methods of manipulating and deceiving users) to convince account holders to hand over their login credentials. Common tactics mimic messages that might seem plausible coming from Instagram itself—false copyright infringement messages, verified badge offers, suspicious activity alerts, and giveaways and brand sponsorships. After a user begins engaging with the messages, the hacker will often send a link to a fake Instagram login page on a pop-up web browser. Once a user inputs their credentials, they’ve effectively handed them over to the hacker.
“There’s never really an attack on the account itself,” says Broshi. “People think that it’s like in the movies when someone hacks into Instagram, but in the vast majority of times, what really happens is that you get tricked into giving away your credentials.”
There are several ways to spot a hoax in the works. For one, communications from Instagram itself are usually delivered through the account interface or via email—never through direct messages. Plus, users can check if an email is legitimate by consulting the record of all security and login emails sent through the Security page on their account. If there’s no record of an email, it’s likely a scam attempt.
Once in possession of an account, hackers may demand a ransom from the account owner, sell the account, scam the user’s follower base (commonly through investment schemes, particularly Bitcoin in recent years), make illegal requests or use the account to run a fraudulent operation. The onus then falls on the original account holder to act fast in order to recover their account before it reaches the point of no return.
Of course, there are sometimes false alarms. Recently, Sara Noble found herself suddenly locked out of her current Instagram account for three weeks. After doing some internet sleuthing, the Kansas City–based designer found out that the platform had accidentally deactivated a number of business accounts. Once she filed an incident report on Facebook, her account was back up and running within 24 hours. On the other hand, she knows that not every situation has such a happy ending: Three years ago, her original account was hacked, and despite reaching out to Instagram and Facebook for help, she was unable to recover access. Before she knew it, someone else was posting photos to her profile and had changed the account name entirely.
In the end, she was forced to start over from scratch with her current account, investing time and effort to rebuild her profile and followers. And even though the latest lockout was a Facebook snafu rather than a hack, Noble wonders how much business she lost in the interim, especially considering that anywhere from 40 to 50 percent of her new leads come from Instagram.
“I can’t even really quantify what I missed out on, because if somebody’s looking for a designer at that moment and wasn’t able to reach me there, that could have resulted in lost sales,” says Noble. “The little girl in me wants to yell at [Instagram] and stomp off in the playground and be like, ‘I’m not gonna play with you anymore.’ Yet the truth is, I need them more than they need me.”
When a hack does happen, Broshi advises acting as quickly as possible. First, Instagram will likely email you (only from the address firstname.lastname@example.org—anything else is likely a fraud) notifying you that the account’s password has been changed. If you act quickly, you can select “Revert this change” and change your password again. If this doesn’t work, you can click “Forgot password” on the Instagram login screen and request a login link. If that still doesn’t work, another effective method is to choose Instagram’s “Can’t recover password” option, which will allow you to report your account as hacked and potentially give video confirmation that you’re the original owner of the account—though this method only works if you have photos of yourself on the account.
Beyond those options, your best bet is to attempt to get in touch with a customer support representative by phone rather than going through the platform’s various help processes and email chains. Broshi recommends a somewhat roundabout approach to doing so that has proven to be surprisingly effective: Create a business account on Facebook, go to the help section, and select “My ad account was hacked.” If even that doesn’t work, it might be time to explore other options.
When Seattle designer Brian Paquette realized his Instagram had been hacked, he knew it would be difficult to catch the support desk’s attention considering the sheer number of tickets that likely come in each day. Still, he hoped to act fast, as according to a Story posted to his account, the hacker was hoping to sell the page to the highest bidder. After doing some digging on Reddit, Paquette’s husband uncovered another helpful tip for bumping a case up in the queue: dropping the phrase, “I’m concerned about my privacy and data,” in his help request. As users on Reddit had discovered, the phrase was a sort of magic key to get through to administrators—within 24 hours, and with almost no damage done, Paquette had his account back.
But ultimately, Broshi says that aside from taking all the necessary precautions—complicated passwords, two-factor authentication, password managers—the best thing you can do to protect your account is to be mindful of when you—and your account—are at your most vulnerable. It could be during a busy period of work, a time of year when an influx of offers comes in, or when encountering people you’ve never worked with before. Since so many hacks start with user behavior, he says, the responsibility falls on account owners to keep an eye out for anything out of the ordinary.
“If you’re slightly paranoid, and you’re aware of the risks, the chances of you getting scammed are much lower,” he says.