

Instagram users are reporting an influx of hackers getting access to personal accounts through their networks. Once in, hackers will post and promote different forms of digital investments, including ForEx trading and cryptocurrency.

Users say they’re having difficulty regaining control of their accounts. Here are some takeaways on cybersecurity hygiene.

Why does this happen and why on social media?

Once hackers get access to your personal social-media account, they gain access to your followers and your network. This kind of hijacking is also unlikely to attract much police attention.

“One thing that’s incredibly difficult in Canada is police resourcing for what we’ll call petty cybercrime, the Instagram attacks and hijacks, the ransoming of people’s Instagram accounts,” said David Shipley, CEO of New Brunswick-based Beauceron Security and co-chair of the Canadian Chamber of Commerce’s Cyber. Right. Now. campaign.

Alex Kucharski, communications manager for Meta Canada, said in an e-mail statement the people who “abuse online platforms like ours are always looking for ways to evade enforcement, using new, increasingly sophisticated tactics.”

Social media is particularly vulnerable because its users are not necessarily its customers and the business model doesn’t allow for ideal security measures, Mr. Shipley said.

“There are very few paid social media platforms. … If they force better security on their users, they’re concerned about slowing down subscriber and user adoption rates,” he said.

“If they make social media and security inconvenient, they actually hurt their revenue source, which is eyeballs in front of the advertising.”

Ali Dehghantanha, professor of computer science at the University of Guelph and Tier 2 Canada Research Chair in cybersecurity and threat intelligence, said there is also no definitive way to tell whether these hacks are state-sponsored cyber operations.

Meta, however, said it discloses such operations on a regular basis.

“We disclose co-ordinated inauthentic behaviour by state actors in our monthly CIB reports and quarterly adversarial threat reports, which you can find here,” Mr. Kucharski said.

How can users further secure their social media accounts?

The best defence is a good offence. Prof. Dehghantanha warns it is important to maintain high security standards, and to enable the recommended security features on social-media platforms, to avoid cybersecurity attacks.

Meta suggests the following tips and practices: choosing a complex and unique password that uses a combination of at least six numbers, letters and punctuation marks; ensuring the use of different passwords across different services; revoking access to third-party apps unless, for example, DUO Mobile or Google Authenticator is a primary security method; and turning on two-factor authentication.

“The two-factor authentication is good,” Mr. Shipley said. “What’s key is strong, unique passwords. So having a password manager is important and making sure you don’t reuse passwords.”

Users should also note that Instagram security sends emails from security@mail.instagram.com, according to their help centre. If any personal information is changed, you will receive an e-mail with the option to revert those changes or further instructions on how to request a login link or security code from Instagram.

Websites such as Have I Been Pwned also allow Internet users to monitor their digital security by checking whether their e-mail addresses or phone numbers have appeared in any data breaches.

How can users recover their accounts if they are hacked?

Meta said the best course of action to recover hacked Instagram accounts is to visit their help centre online. Their customer service number at 650-543-4800 is an automated line that, when a caller selects “Instagram” on the first menu, says they are unable to provide phone support for most situations.

Mr. Kucharski said they are paying close attention to financial scammers and the different tactics to mislead people: “We have sophisticated measures in place to stop bad actors in their tracks before they gain access to accounts, as well as measures to help people recover their accounts. We know we can do more here, and we’re working hard in both of these areas.”

Mr. Shipley, however, doubts there’s much users can do in the case of a malware infection.

“But if someone sends you malware and then somehow steals your information and infects your device, you’re on your own,” Mr. Shipley said. “If you read your user agreements that you sign up with, there’s very little you can do about it.”

Why are digital investments a common hacking scam?

Simply put: Digital investments such as Bitcoin and ForEx enable the movement of large sums of money, they operate outside of the regulated financial industry and they are harder for authorities to track. They are therefore lucrative for scammers, and it is easier for them to steal your money if you invest.

Mr. Shipley said part of the reason scammers need social-media accounts is to “straight out pump and dump” so they can increase the value of that cryptocurrency. “They also need more daily activity buying and selling crypto in order to actually convert their crypto into things that actually buys them stuff,” he added.

In other words, when scammers or hackers convince people to inject cash into the crypto economy, it gives other people the opportunity to cash out.

“One of the most powerful forces in manipulation is fear of missing out,” Mr. Shipley continued. “This goes back to the days of penny stocks and boiler rooms, sort of The Wolf of Wall Street world. It’s the same game just played differently and everyone thinks because it involves tax, it can’t be a scam.”

If someone is actually interested in cryptocurrency, where should they start?

Not with the compromised social-media account asking you to click a link, vote, send a video or screen grab anything for them, that’s for sure.

“I would look to regulated firms in Canada,” Mr. Shipley said. “But right now I would highly recommend not to. If you want to blow money, go to your local casino.” (The crypto market experienced a crash earlier this month for a multitude of reasons including soaring inflation and interest rates, as well as instability caused by the Russian invasion of Ukraine.)

“And if you have significant cryptocurrency assets, you have to be aware that people will try to steal them. They’re not safe simply because they’re digital.”

When you see a hacked account, what should you do?

First things first: do not interact with it, whether that’s clicking on a link, sending a screengrab, responding to their messages, engaging in conversation or doing anything at their behest.

A common tactic for hackers is to send direct messages from the personal Instagram account they hacked asking for help. Sometimes they may text you a link and ask you to screengrab it back to them.

“Besides reporting it and blocking it, there’s not much else you can do,” Mr. Shipley said.

However, just because an account has been hacked and reported doesn’t necessarily mean that it will be removed, according to Mr. Kucharski.

“When we’re made aware of a hacked account, we work to restore access to the correct owner. We remove content and accounts if found to be in violation of our Community Standards,” he said.
