Blog

HomeNewsInsightsPeople & Impact
Research

Instagram Support Scams: How Criminals Trick You into Handing Over Your Account

Fake support messages are hijacking Instagram accounts. Here’s how the scam works and how to stay in control.
Luis Corrons
Security Evangelist at Gen
Published
June 9, 2025
Read time
5 Minutes
Instagram Support Scams: How Criminals Trick You into Handing Over Your Account
Written by
Luis Corrons
Security Evangelist at Gen
Published
June 9, 2025
Read time
5 Minutes
Instagram Support Scams: How Criminals Trick You into Handing Over Your Account
    Share this article

    Imagine you're going about your day when suddenly you receive an urgent message on Instagram. It's supposedly from “Meta’s Advertising Support Center,” warning you that your account is about to be disabled due to policy violations. The message includes official-sounding language, a Meta logo, a tight deadline (today!) and a link to “verify” your identity. 

    That’s exactly what is happening to influencers and business owners daily, when they receive a message like the one below: 

    Scam message from fake "Meta Advertising Support Center"
    Scam message from fake "Meta Advertising Support Center"

    The messages are part of a growing wave of social engineering attacks designed to hijack Instagram accounts and steal access to their audiences.  

    How the scam works 

    When someone clicks on the link, they’re taken to a phishing site that mimics Meta’s interface. It asks the victim to “Request Review” to prevent their account from being disabled, a tactic that prompts them to enter their login details. 

    Phishing page posing as Meta
    Phishing page posing as Meta

     After submitting login information, the next step asks for their password. 

     Since many people now have two-factor authentication (2FA) enabled, the attackers also try to steal that second layer of security by requesting the authentication code, all under the guise of “identity confirmation.” 

     Once the scammers have the credentials and 2FA code, they immediately lock the victim out of their account, change the login info and take full control. 

    Key elements of the scam 

     This scam follows a typical phishing pattern. Here’s what to look for: 

    1. Impersonation of authority: The scammers pose as a legitimate Meta entity — “Advertising Support Center.” The name sounds official, and they use a generic support logo to appear credible.
    2. Urgent language: The message claims your Instagram and Facebook accounts will be disabled today due to violations, creating a sense of panic that pressures the victim into acting quickly.
    3. Fake justification: The message states that the linked Facebook page doesn’t comply with Meta’s terms, suggesting a policy violation that needs to be resolved immediately.
    4. Malicious link: The person is told to verify their account by clicking a suspicious URL. The domain looks vaguely like a Meta service (businessmetasuite.com-complaintsupportpage...click) but is clearly fake.
    5. Phishing page: The link opens a page that mimics Meta’s interface and asks the victim to “Request Review” to prevent their account from being disabled. Victims are prompted to enter their login credentials.
    6. 2FA bypass: Since many Instagram accounts now have two-factor authentication (2FA) enabled, attackers know that just a password isn’t enough. These phishing pages are designed to also capture the second factor by requesting the code from the victim under the pretense of confirming their identity. This gives attackers everything they need to log in, bypass security and lock the victim out. 

    What the attackers are after 

    In these scams, cybercriminals aren’t looking to steal passwords just for fun, they’re after influence, money and access. An account with thousands of followers, especially one used for professional purposes, is a very valuable asset. Once hijacked, it can be used to: 

    • Push scams to followers (like investment fraud, phishing links and fake giveaways)
    • Demand ransom from the original owner
    • Sell the account on underground markets 

    The goal is to gain control of the account, lock the original owner out and monetize the audience. 

    What to watch out for 

    These scams can be surprisingly effective, especially for people who manage business or creator accounts. Here’s how to spot and avoid them: 

    Red flags: 

    • Messages from accounts with very few followers or no verification badge
    • Urgent threats about account deletion or policy violations
    • Requests to click external links for “verification”
    • Grammatical errors or awkward phrasing 

    Tips to stay safe: 

    • Never click on links in DMs from unknown accounts. Meta and Instagram will never ask you to verify your account via private message.
    • Check the sender’s profile. Official Meta accounts are verified and won’t have names like advertisingsupportcenter0798.
    • Use two-factor authentication on your accounts to prevent unauthorized access.
    • Report the account to Instagram if you receive one of these messages.
    • Educate your team. If you manage your account with others, make sure everyone knows how these scams work. 

    Why this matters 

    For businesses and creators, Instagram isn’t just a social platform, it’s a channel for visibility, customer engagement and income. Losing access can have a direct financial impact. 

    Scammers know this, and they’re getting better at creating convincing traps. The more awareness we raise, the harder it is for them to succeed. 

    Stay alert, stay safe — and remember, real support never slides into your DMs. 

    Luis Corrons
    Security Evangelist at Gen
    Luis has worked in anti-virus for over a decade. Outside of Gen, he's a WildList reporter, chairman of the Board of Directors of AMTSO (Anti-Malware Testing Standards Org) and a member of the Board of Directors of MUTE (Malicious URLs Tracking and Exchange).
    Follow us for more
    Blog Archive