Instagram users are currently targeted by a new phishing campaign that uses login attempt warnings coupled with what looks like two-factor authentication (2FA) codes to make the scam more believable.
Crooks use phishing to trick potential victims into handing over sensitive information via fraudulent websites they control, relying on a wide range of social engineering techniques as well as messages designed to look like they were sent by someone the victim knows or by a legitimate organization, Bleeping Computer reported.
A phishing campaign that uses a fake 2FA response gives the illusion of secure communication, but in reality it is the exact opposite. It’s almost like social engineering, in which someone wants to do the right thing but doesn’t think it all the way through.
Emails coming from an Instagram impostor are just a small indicator of the types of attacks and damage that could be possible in the future. Imagine if a criminal got access to an email list of a bank’s customers and targeted them with the same type of attack. The result could be financially catastrophic for the customer, not to mention damaging to the bank’s reputation. What customers need to know is that strange domain names and “click here” or “sign-in” links in an email or on a landing page are dead giveaways for a phishing campaign.
Today, organizations are finding creative ways both to train their users against phishing and to test their own training, such as sending out test phishing emails. The problem right now is to figure out how, as an industry, we do the same for the consumer. With no programs to test users’ personal email addresses against this type of attack, everyday users are at all-time-high risk.