I got a weird message from someone I don’t know on Instagram this morning, saying they needed help getting back into their account. They sent me a link that said “Tap here to reset your password” and wanted me to forward it to them. Normally I wouldn’t bother with answering back, but I was at the gym and pedaling away on the recumbent bike, so I thought it might be entertaining to see how long I could string the scammer along and see if they got frustrated. Once I started, I felt a little invested in seeing how long I could stretch it out! (**If you fell for this scam, I’ve included an update at the end that includes how one person managed to recover their account)
We kept this going for six hours over the course of the day, and it all started with this message:
So then I got a suspicious reset link:
I wasn’t entirely sure how they were sending the link to my phone, but you can be sure I wasn’t clicking on that thing. A quick Google search came up with dozens of reports of a phishing scam that starts with a text that says “Tap to reset your Instagram password” along with a link that starts with https://ig.me…and followed by a bunch of letters. The Instagram person wants me to forward them the link so they can verify their account. That just seemed really weird, so of course I had no intention of actually doing it.
I scribbled out a bit on the link so nobody actually tries it or sends it to someone. Out of curiosity, I went to Instagram and tried to log in under his username and pretend I forgot my password to see if it said he’d get a reset text. What it said was the account was locked due to suspicious activity and they’d send a reset link to the e-mail. I found it odd that it didn’t say anything about a text, only e-mail.
But that confirmed the Instagram account was most likely hacked, and this person was up to no good. By now we had gone back and forth a bit and he was getting desperate. And somehow we have now become best friends! I decided to just keep us going in circles for a bit.
Here’s Your Link, Send Me a Selfie
So we went back and forth for a while. I think he sent me the link 5 or 6 times altogether. So at one point, I decided to send him a link I had found online just to see what would happen. Surprise! It didn’t work and he didn’t seem too happy about it. But unfortunately, I am the only one he can trust right now. Even though I have never interacted with this person before and he apparently has over 2,000 other “friends” he can contact on Instagram.
Then I thought maybe I should challenge him to prove himself! I asked him to send a selfie. It took him a minute, but he sent me one back. A quick scroll through the person’s IG account showed the same selfie pic he supposedly just took was actually from over a year ago. One of the only non-cosplay pics on the guy’s account, so it took Mr. Scammer a while to find it. I put the black bar over the person’s face since it is his photo and I’m pretty sure he’s not the one who actually sent it. (the lower half is a mask)
Let’s see how long we can keep this going!
We went back and forth several more times, with me being extra helpful and offering to click on his link for him, contact Instagram and ask them for help on his behalf, and have him send me the link a few more times just for shits and giggles. By now I am really surprised he’s still chatting with me. He’s really got perseverance, and I’m wondering if I should just tell him I’m never going to send him the link. But then, I wouldn’t want to just drop my best friend like that, so I kept it going a bit longer. He sent me the link 12 times total before giving up!
This guy really really wanted me to send him that link! It’s too bad I never figured out how to make it work….lol. These texts are just a small sampling of our conversation over the course of the day, where I pretended to get increasingly confused about how links work, how to cut and paste and how to follow basic instructions.
While I was doing all this, I did take the time to report his account to Instagram to alert them it had been hacked. And somewhere along the way, I decided to start screenshotting because it was just too good not to share. And also, hopefully somebody will see this and not get scammed. I’m still not sure exactly what this scam accomplishes, but my guess is maybe that is a real reset link meant just for me and they will use it to reset my password. Or maybe it’s a special link and it will verify my phone number…I have no idea but best to play it safe. And in the end, after a full day of texting, he did finally give up.
I’d be interested to hear if anyone else has had someone request them to forward them a password reset link for Instagram. I’ve learned to just never click a link I’m not sure about, and not to trust people I don’t know online. I did that once and got my Facebook page stolen! That experience was terrible, and that scam is still going on. Pretty much not a day goes by without someone contacting me to advertise on my Facebook page and pay me big money. Don’t fall for that one! That’s a scam too unfortunately.
UPDATE: I’ve gotten several of these messages over the past month, all from people whose accounts have been stolen. Do not send anyone that reset link! If anyone sends you that message, report their account to Instagram.
UPDATE 2: One of the comments on this post included details on how one person managed to get their account back, so I’ve copied the comment here:
(comment from Vlad) Quick recap of my situation: So I fell for the friend verification link scam and I got locked out of my account because the hacker set up two factor authentication and changed the password. They then removed my email and phone number from the account and on top of that changed my username slightly so that Instagram no longer could find an account under my username, number or email. Luckily I knew what the changed username was as my gf sent me a screenshot of it.
My solution: So I tried logging into my account but since it was no longer under my info, it would tell me to either try again or get help.
I selected the get help option where I chose the reset password option. From there, I could either send a code to my email or phone number. But since the hackers set up two factor authentication, I couldn’t complete the password reset.
If I remember correctly, there was a ‘more options’ choice. Clicking it gave three options, two of which were entering backup codes or report account as hacked.
That option then leads to two more options. If you have photos of yourself on your account, you submit a video selfie of yourself and they should get back within a day or two whether they verified your identity or not. If you don’t have photos of yourself on your account, you could submit information about how you set up your account and they’ll look into it to verify if you’re you. I’m not sure how long that option takes but it could be longer than the video verification.
Since I had photos of myself on my account, I chose the video selfie option. The first one I sent in was in the morning and they got back to me by that evening verifying my identity and gave me four steps to take, an 8-digit code, and a reset password link. Sadly the reset link was broken, so I had to resubmit another video selfie in the morning.
This second one had some issues with giving me the video selfie instructions but I got through it and submitted it. They got back in the evening but this time couldn’t verify my identity with the video and requested I send in another one.
So I sent in a third video selfie immediately and assumed it would take another 8-10 hours for them to respond but within 10 minutes, they got back to me and third time’s the charm, they verified my identity and the password reset link worked. I immediately followed the four steps and got back into my account.
The first thing I did was turn off two factor authentication and then turned it back on, this time setting up my own two factor authentication. I added my email and phone number again and unblocked those the hacker blocked after they confronted them for the bitcoin mining scam they were pushing. I did get a login request from the hacker but I obviously denied it and reset my password once more and had no more issues after that. I’m definitely going to be extra suspicious about these things going forward.
*Thank you to Vlad for sharing his experience about how he got his account back!
~~~~~~~~~~ * ~~~~~~~~~~~
About the Author
Candy Keane is a digital content creator and long-time cosplayer, most well-known for being on the cover of the Star Wars documentary Jedi Junkies. After making costumes professionally for over a decade, she now writes about geek culture and mom life, and continues to cosplay for fun, while sharing her love of costumes on Instagram @SewGeekMama. Her first children’s book, I’m Going to My First Comic Convention, was published in 2020 and won a Story Monsters Approved award for Excellence in Literature.