Instagram ‘verification code’ scam: Criminals attempt to hack into people’s accounts with distressing attack

Sign up to our free weekly IndyTech newsletter delivered straight to your inbox

Sign up to our free IndyTech newsletter

Please enter a valid email address

Please enter a valid email address

SIGN UP

I would like to be emailed about offers, events and updates from The Independent. Read our privacy notice

Scammers are attempting to break into people’s Instagram – and in a fresh, distressing way.

In recent weeks and months, reports of a “verification code” scam have increased all over the internet, as attackers look for new ways to break into accounts.

The scam begins apparently innocently, with a message from a friend’s account. They will generally claim that they have lost access to their account for some reason, and that Instagram has told them to pick a friend to receive a verification code on their behalf – before asking the targeted person for help.

If they agree, they will receive a code, and are then asked to hand it over in the message. But the code is actually for their own account – and the person they believe is their friend is actually an attacker that has broken into their account.

If people are taken in, then the attackers will use that code to break into their own account. From there, the scam will presumably continue, using the victims’ account to message their friends, and get access to even more accounts.

Being targeted by the scam can be a distressing experience. People have reported receiving messages from hacked accounts belonging to dead friends and family, or scammers that have tried to pretend they have found victim’s lost pets and lure them in with the promise they will be returned.

The scam works because Instagram – and many other platforms – offers a way to get into accounts when their owners have lost access, such as when they have forgotten their password.

In order to give them access, Instagram sends a message to the phone number registered to their account, and input that back into the app. That ensures that the person trying to get in has access to that registered phone.

In the hack, however, it is scammers who press that button, and have the verify code sent to the victim’s phone. So when the victim hands over the code they believe is for their friends account, it is actually their own, and they lose access to their account.