Security researchers at Sophos Group plc are warning of a new phishing scam that attempts to trick Instagram users with a fake two-factor authentication message.

The messages, claiming that someone has tried to log into a user’s Instagram account, are designed to look as close as possible to official Instagram messages. “Apart from a few punctuation errors and the missing space before the word ‘Please’, this message is clean, clear and low-key enough not to raise instant alarm bells,” the researchers note.

The use of a fake 2FA at the end of the message (pictured) is said to be a particularly interesting touch as being a security code it implies a certain level of security.

When a user clicks through on the link, they’re taken to a site on a .cf domain name that appears to be identical to the Instagram signup page. “The phishing page itself is a perfectly believable facsimile of the real thing, and comes complete with a valid HTTPS certificate,” the researchers note.

Even though the domain name, which isn’t disclosed by the researchers, is not that of Instagram itself, the use of an HTTPS certificate which delivers a padlock on the scam page is another attempt to draw users in as people have been trained to look for it as a sign of security.

“A site without a padlock definitely isn’t to be trusted, in the same way that typos and grammatical errors should turn you away; but a site can’t automatically be trusted just because it has a padlock and was advertised with emails that were spelled correctly,” the researches add.

This is not the first phishing or hacking attempt targeting Instagram. As the fifth-largest social network in the world by active users as of July, Instagram is a popular target for hackers.

Users of Instagram were targeted in a phishing campaign that included fake copyright messages in March. In that case, users would receive an email coming from an official-looking URL that reads “we regret to inform you that your account will be suspending because you have violated the copyright laws. Your account will be deleted within 24 hours. If you think we make a mistake please verify, to secure your account.”

As in this new phishing attack, users were taken to a fake Instagram login page where they were prompted to input their Instagram credentials.

The Sophos researchers advise users to never click on a sign-in link received via email and to always sign in via the app or webpage; check for an unexpected domain name; and to be wary of any notices that their accounts may have been compromised. If users are concerned about their account being compromised, they’re advised to use the account’s official way of checking login activity.

Image: Sophos