I received a phone call last night from someone whose Instagram had been hacked.
This was how it went:
This victim, a female, got a message from a real-life friendly acquaintance on Instagram about her "new business" selling clothes. This was actually believable, because the woman messaging her had started an actual beauty-related business just two days prior, and in fact had just created a page for that business.
The victim thought, "Oh, that makes sense. I guess she's starting a clothing business, as well."
The victim was asked if she'd like to take a look at the new online store, and she said yes. She didn't suspect anything because she knew this person in real life, and knew the first business was real.
The woman then said, "What's your phone number? I'll text you a link to go see it."
The victim gave her phone number. This, again, was not suspicious to her, because this was only a friendly acquaintance who didn't have her phone number yet.
The victim received a text from one of those 5-digit phone numbers which are typical of businesses sending text messages:
The woman then asked for a screen shot to "confirm your name on the online list of the models".
It is not clear what was meant by "models", as this was not a proposed modeling job -- but rather just for her to look at the store.
The victim should have been suspicious here, but still believing it to be a nice person she knew in real life, she did it. This, of course, gave the phisher access to her account, as this was actually a password reset link, which was texted to the victim's phone number.
The account speaking to her wasn't actually her real-life acquaintance, of course, but likely phished in the same way. It is not clear whether the compromised account was targeted because she had just started an online store, or if this was just a coincidence.
The victim did get her account back, but the process wasn't easy, and sometimes it fails for people. This is because there is no way to recover your account to your previous e-mail/phone number when something like this happens, and the hacker/phisher changes that info.
She had to go through the process of sending a live video to Instagram (no ID, just a video), and hope that the Instagram bots would be able to match her face in the video to the pics she posted. (I'm not sure what happens if you've posted no pictures there!)
Unfortunately, it failed, and she received the bad news from the Instagram automated bot that it couldn't match her face from the video. She made a second video, and that one managed to work. For others, this still fails, and they are locked out for good. There is no way to e-mail Instagram customer service and get a human to read it, and you can't call them.
Once she got in, she changed all of her info back. Not surprisingly, the "verification phone number" had been changed to one with a Nigerian country code.
Supposedly a ton of people have been hit with some form of this "send me a screenshot of the link you were just sent" scam. It works well because it comes from a supposedly trusted source (a real life friend/acquaintance), and because the "Tap here to access your Instagram account" link isn't clear enough that it's a password reset link which will grant access to anyone who clicks it. No idea why Instagram stupidly worded it like that.