BeWyattBack

How I got phished on Instagram

"Hi, my name is Wyatt Coe. I'm a designer."

"My professional Instagram account @wyattcoe.design was hacked via a phishing attack on 7.4.22.

The attacker is now using my account to attack my friends via direct message and posting Cryptocurrency ad garbage on my story. My linked email (REDACTED) has been replaced with peterfavour0701@gmail.com. I have been contacted via SMS in an attempt to ransom the account back to me.

I have tried every recommended recovery method on instagram.com/help: 1: Recovery PIN - receive PIN then am asked for a 2nd 6 digit PIN that I do not possess. 2: Submit an ID video - attempted and rejected 3 times. I need a person to verify my identity and help me get my account back. This is PAINFUL!

Please help, Wyatt"

- This was the message I sent to Instagram support 3 days after I was phished. This is the story of how my account was lost, then finally recovered. I’m sharing this cautionary tale, to educate about the latest phishing techniques, and to reinforce how important it is to secure your digital identity.

My Professional IG @wyattcoe.design

Chapter 1. Phished!

July 4th 2022, I receive a DM from a high school acquaintance of mine, Zach. Zach claims he has been logged out of Instagram and has been offered 2 contacts that can forward him a code to help him sign back in (one being me).

*Red flag 1: Zach wouldn’t be able to message me if he wasn’t logged in.

*Red flag 2: you’re not supposed to share login codes with other people.

I’m suspicious, but this does sound like a community-based recovery method I could envision IG introducing. I’m too busy sympathizing with Zach’s distress to bother Googling if friend recovery is a thing. I do ask for ID confirmation… and shortly receive a video of Zach in an apartment room saying “Hey It’s me, Zach. See, totally me.”

*Red flag 3: Zach didn’t say my name, or specifically mention login difficulties in this video.

At this point I am convinced it’s Zach and he needs my help. He says to check my messages for a code. I receive the code via SMS. It says “here’s your code.”

*Red flag 4 this code has no association with Zach, it looks like it’s for me. I'm too busy helping my friend to think it through and I press send.

The email confirming my worst fear

Minutes later I get an email from Instagram notifying me that my password has been reset. I don’t see any way to change it back. I check the app on my phone. Logged out. “Shit!” I email myself a reset code, but after inputting it I’m asked for a second authentication token that I don’t have. Worse, I get another email informing me that the accounts associated email address has been changed. The hacker has disassociated my contact information and set up 2-factor authentication to prevent me recovering the account.

Next I get an SMS message from the hacker (who scraped my number) in broken English, offering to sell my account back to me for Bitcoin. How could I have let this happen!? I got phished! I don’t know whether to be more angry or embarrassed.

The key to making me drop my guard was the video. It could have been 1 of 2 things:

1. An archival story video that was taken from Zach’s Instagram account

2. A deepfake of Zach’s face superimposed on other footage to do exactly what it was used to do.

Either way it was clever and highly effective against even a cautious and educated victim.

Chapter 2. Purgatory

There is no Instagram customer support phone number or email...

Having never delt with a compromised Facebook or Instagram account before, I had no idea how difficult the recovery process can be.

I first followed every official pathway in the app to recover the account. Turns out they’re all automated. Turns out there's is no Instagram customer support phone number or email. I locate three recovery processes over the next few DAYS with much prodding:

1. Send yourself a recovery code via email or SMS: I Input the code > if 2-factor is setup - input a 2nd authentication token - don’t have one = DEAD END!

2. Submit a video selfie of yourself to confirm your identity. This is compared to photos of you on your account to prove your identity. While recording, you rotate your head in space so reviewers can confirm you aren’t a deepfake (whaaaat?!): Submitted and rejected 4 times = DEAD END!

3. Send IG an email with ID to manually request support (took me 3 days to find this option in the app recovery flow): Send an email > response includes a single-use recovery link > takes me to the same flow as method 1, which I already know won’t work = DEAD END!

Now what?! I’ve done everything I can possibly do and am no closer to getting my account back. Worse, as the days go by, the hacker is impersonating me, sharing cryptocurrency scam links on my story, and targeting all my contacts in the same manner I was targeted. It’s excruciating to watch. I am fielding dozens of concerned messages daily from friends and acquaintances on every other platform…

In order to follow my main account’s movements and actually use Instagram I create an alt account @bewyattback and had maybe too much fun with the profile pic and description:

I comb the internet for solutions, becoming steadily more depressed as I read stories of people being shut out of their accounts for months and years. Many have no happy ending.

Luckily I’m a designer and I know some people.

Chapter 3. Recovery

Over two weeks later, thanks to the generosity of my professional network I finally managed to reclaim my account. The fact that I can’t share more about the recovery is a testament to how difficult a situation this is.

Meta and Instagram simply cannot support the volume of users on their platform to a reasonable degree.

I say this to reinforce that you should take every precaution to avoid losing control in the first place. Recovery is not guaranteed, or even likely.

I spent the next few days cleaning up the mess the hackers had created: responding with explanations and apologies to hundreds of unsolicited phishing DMs and informing my friends through other channels to tell them I was back. I posted what may have been the first ever selfie video story of myself explaining what had happened.

Silver linings of this whole ordeal:

I hope you found this story informative as well as entertaining. If you have an Instagram account that you care about, make sure you turn on 2-factor authentication and never share codes with anyone!

Give me a follow on IG @wyattcoe.design and DM me if you enjoyed, have your own IG horror story, or just want to chat about design. If you followed my temp account @bewyattback, I’ll be taking that offline shortly, make sure you’re following my main account.

Thanks for reading ;)

Wyatt

Back to blog