How to Report Phishing on Instagram: A Step-by-Step Guide to Protect Your Account

Written by: Abigail Ivy
Published on:

What Instagram phishing looks like

Phishing on Instagram is a social engineering attack designed to steal your login credentials, verification codes, or personal information.

Scammers often pose as Instagram Support, brands, influencers, or even friends to trick you into clicking a malicious link or sharing sensitive details.

Common phishing attempts on Instagram include fake login pages, direct messages claiming your account will be suspended, giveaway scams, copyright warnings, and messages asking you to “verify” your identity.

Once a scammer has access to your username and password, they can change your email address, lock you out, and use your account to target others.

How to report phishing on Instagram?

If you receive a suspicious message, profile, post, story, or comment, use Instagram’s built-in reporting tools as soon as possible.

Reporting helps Instagram detect malicious accounts and reduce the spread of scam content.

Report a suspicious direct message

  1. Open the conversation in Instagram Direct.
  2. Tap the sender’s name or the information icon.
  3. Select Report.
  4. Choose the reason that best matches the scam, such as spam, scam, or pretending to be someone else.

Report a phishing profile

  1. Go to the suspicious profile.
  2. Tap the three-dot menu in the top right corner.
  3. Select Report.
  4. Choose It’s pretending to be someone else or It’s spam, depending on the case.

Report a phishing post, story, or reel

  1. Open the content.
  2. Tap the three-dot menu.
  3. Choose Report.
  4. Follow the prompts to explain why the content is harmful or deceptive.

When possible, include details that show the content is fraudulent, such as fake verification requests, suspicious URLs, or impersonation of an official brand account.

The more accurately you classify the report, the easier it is for Instagram’s moderation systems to review it.

What to do before you report

Before deleting anything, capture evidence.

Screenshots of the username, profile URL, message content, and any linked pages can be useful if you need to recover your account, file a support request, or warn others.

  • Save the sender’s username and profile link.
  • Screenshot the message, email, or comment.
  • Do not click shortened links or suspicious attachments.
  • Note the date and time of the interaction.

If the scam came by email, check the sender address carefully.

Phishing emails often imitate Instagram’s branding but use unrelated domains or subtle misspellings.

A legitimate Instagram security notice will not ask for your password by email or DM.

How to recognize fake Instagram support messages

One of the most common phishing tactics is impersonation.

Scammers frequently copy Instagram logos, use urgent language, and create fake support accounts to pressure users into acting quickly.

Red flags to watch for

  • Requests for your password, verification code, or two-factor authentication code.
  • Urgent threats such as “your account will be deleted today.”
  • Links to external sites that are not part of Instagram or Meta.
  • Unusual spelling, grammar errors, or strange account names.
  • Promises of verification badges, sponsorships, or rewards in exchange for login details.

Instagram, Meta, and reputable brands typically communicate through official in-app notifications, verified channels, and well-documented help resources.

If a message creates panic and asks for immediate action, treat it as suspicious until proven otherwise.

What to do if you already clicked a phishing link

If you clicked a link but did not enter your credentials, close the page immediately and run a malware scan on your device.

If you entered your Instagram login information, act quickly to limit damage.

  1. Change your Instagram password right away.
  2. Change your email password if it may have been exposed.
  3. Turn on two-factor authentication in Instagram settings.
  4. Review login activity and log out of unfamiliar devices.
  5. Check linked email, phone number, and recovery options for changes.

If you can no longer access your account, use Instagram’s account recovery and hacked account tools from the login screen or help center.

Fast action increases the chance of regaining control before the attacker changes recovery details.

How to protect your account from future phishing attacks

Good account hygiene lowers the risk of future scams.

Security on Instagram depends on more than reporting; it also requires strong authentication and careful link handling.

  • Use a unique password that is not reused on other platforms.
  • Enable two-factor authentication with an authenticator app if possible.
  • Keep your email account secured, since it is often the recovery path for Instagram.
  • Review active sessions and connected devices regularly.
  • Be cautious with third-party apps that request Instagram access.

If you manage a business or creator account, train team members to verify requests through official channels before clicking links or sharing codes.

Attackers often target accounts with high engagement, advertising spend, or brand trust because they offer greater payoff.

Can you report phishing outside Instagram too?

Yes.

In some cases, reporting outside Instagram helps prevent broader abuse.

If the scam includes a fraudulent domain, you can report it to the domain registrar, hosting provider, or browser security tools.

If the message arrived by email, use your email provider’s phishing report feature as well.

When a scam impersonates a brand, notify the brand’s official support team if they provide abuse-reporting instructions.

For financial fraud, identity theft, or stolen funds, local cybercrime reporting channels may also be appropriate.

Why reporting matters for the Instagram ecosystem

Instagram’s reporting tools contribute to spam detection, trust and safety enforcement, and platform-wide fraud monitoring.

User reports help identify networks of malicious accounts that may be operating across multiple profiles, devices, and domains.

Phishing campaigns often evolve quickly.

A fake account removed today may be replaced tomorrow with a new username, profile photo, or message template.

Consistent reporting helps reduce repeat abuse and protects other users from the same lure.

Quick checklist for suspicious Instagram activity

  • Do not share passwords, backup codes, or verification codes.
  • Check the profile name, handle, and link destination carefully.
  • Use Instagram’s Report option on messages, profiles, and posts.
  • Save screenshots before deleting evidence.
  • Change your password immediately if any information was entered.
  • Enable two-factor authentication and review login activity.

If a message feels urgent, asks for private credentials, or pushes you to leave Instagram and sign in elsewhere, treat it as phishing and report it immediately.