Social Media Account Takeover

High SeverityRisingAccount Takeover / Social EngineeringVerified 2026-02-28

Scammers gain control of your social media accounts through phishing links, fake security alerts, or by tricking you into sharing 2FA codes. Once inside, they impersonate you to friends, post fake investment offers, or sell nonexistent items to your followers.

Annual Losses

$262M+ (FBI IC3 reported since Jan 2025)

Avg Loss / Victim

Varies widely by post-takeover fraud type

Primary Vector

DMs on Instagram, Facebook, WhatsApp

Peak Season

Year-round

How It Works

Scammers use three primary tactics to compromise social media accounts. The first tactic exploits trust by impersonating a friend who claims to be locked out and asks you to receive a recovery code—which is actually YOUR 2FA code meant to hijack your account. The second uses fake security warnings appearing to come from Instagram Support or similar platforms via direct message, containing malicious phishing links. The third happens after successful account takeover, when scammers post fake cryptocurrency deals or sell nonexistent items to your followers to extract money or collect personal information.

1Scammer researches target on social media, identifies friends and followers
2Scammer either hacks a friend's account or creates a convincing fake profile impersonating that friend
3Victim receives DM claiming the friend is locked out and needs help recovering the account
4Victim is asked to receive a code via text/email—this is actually the 2FA code for VICTIM's own account
5Victim shares the code thinking they're helping a friend
6Scammer uses the code to access victim's account and locks them out
7Scammer posts fake investment/crypto offers or fraudulent sales to victim's followers

Example Scam Messages

Hover or tap the highlighted text to see why each element is a red flag.

EXAMPLE 1

Hey! I'm locked out of my account. Instagram said I need two friends to help me get back inRed flag: Instagram does not use peer-to-peer account recovery; this is a social engineering tactic. I sent a special recovery link to your phone numberRed flag: The code is being sent to YOU, not your friend—this is the 2FA code for your account, not theirs. Can you copy the code and send it to me?

“recovery link to your phone number” — The code is being sent to YOU, not your friend—this is the 2FA code for your account, not theirs

“two friends to help me get back in” — Instagram does not use peer-to-peer account recovery; this is a social engineering tactic

EXAMPLE 2

I cannot believe this actually worked! I just turned $500 into $10,000Red flag: Unrealistic returns are posted after account takeover to entice victims' followers mining cryptoRed flag: Sudden investment/crypto posts from someone who never previously posted about financial matters signals account compromise. Message me right now.

“$500 into $10,000” — Unrealistic returns are posted after account takeover to entice victims' followers

“mining crypto” — Sudden investment/crypto posts from someone who never previously posted about financial matters signals account compromise

Red Flags Checklist

Friend asking for a security code sent to YOUR phone

Recovery codes are personal to your account, not your friend's. Legitimate services never ask you to share codes.

Sudden crypto or investment posts from someone who never posts about money

This is a strong indicator that the account has been compromised and scammers are using it to solicit victims.

Direct message from 'Support' instead of official app notification or email

Real security alerts come via in-app notifications or verified email addresses, never casual DMs from accounts claiming to be support.

If you didn't initiate a login attempt, a surprise code is a red flag that someone is trying to access your account.

Suspicious link in a DM claiming to be from platform support

Phishing links designed to look like official platform interfaces are used to steal credentials. Real platform support uses in-app notifications.

What Real Communication Looks Like

Legitimate social media platforms never ask you to share 2FA codes, security tokens, or recovery codes with friends via DM or any other channel. Real security alerts come directly through in-app notifications or verified emails from official platform domains (like security-noreply@instagram.com), not through casual DMs. If you receive a code you didn't request, it means someone is trying to access your account—delete the message and secure your password immediately.

What To Do

If you just received this message:

Do not share any codes or links, even if the sender claims to be a friend

Call or message your friend directly (using a known contact method) to verify they actually need help

If the message came from an account impersonating a friend, report it to the platform immediately

Check your account's login activity and active sessions for unauthorized access

Enable two-factor authentication if you haven't already

If you already clicked or gave information:

Change your password immediately from a secure device

Review your account's active sessions and log out any devices you don't recognize

Check for unauthorized posts, changed settings, or linked email/phone numbers

Run a malware scan on your device if you downloaded anything

If credentials were entered, change passwords on all accounts using the same password

Where to report:

Report the account to the platform (Instagram, Facebook, WhatsApp, etc.) using their in-app report function

Report to the FBI IC3 at ic3.gov

Report to the FTC at reportfraud.ftc.gov

Alert the friend whose account was impersonated so they can check their own security

Frequently Asked Questions

Why would a scammer want my 2FA code if they claim to be my friend?

Because they're not actually your friend—they're impersonating someone you trust. The 2FA code they ask you to share is YOUR code, which allows them to log into YOUR account. This is a trust-based manipulation tactic.

What happens to my account after it's taken over?

Scammers typically post fake investment or cryptocurrency offers to your followers, impersonate you in messages to extract money from your friends, or sell the account to other criminals. Your reputation and your followers' trust are at risk.

How do I know if my account has been hacked?

Look for posts you didn't make, unrecognized active sessions in your settings, changed email/phone recovery information, or messages from followers mentioning suspicious posts. If you can't log in, that's a strong sign of takeover.

Sources

FBI IC3 PSA (Nov 25, 2025)
FTC Consumer Sentinel 2024 ($1.9B social media fraud)
FTC ReportFraud.ftc.gov

Got a suspicious message?

Paste it in and get an instant analysis — free, private, no account needed.

Analyze a Message