InstaPhish: Do you crave that blue tick?

October 20, 2020


Originally published on the UCM blog

On Friday 9 October, the Fitzwilliam Museum unfortunately fell prey to a simple phishing technique that caused the loss of their Instagram account.

This post is to explain what happened and to help our colleagues within the sector and elsewhere to avoid the heartache that follows such an event.

So what happened?

Our social media team had long hoped to get verification for their social media presence. The Fitzwilliam Museum, like many of our peers, is a recognisable brand in the sector, and a visible mark that our content is genuine is something we all crave. Late on a Friday night, a direct message appeared in the account inbox, purportedly from Facebook, offering a verified account in exchange for account details: username, password and so on. These were handed over in the web form linked to from the message.

Within minutes, the phisher had got past two-factor authentication and deleted the account. Because the scam was perpetrated late at night, nobody saw the security emails asking whether we had removed our phone number and changed our password.

Now remember this can happen to anyone: staff are tired, the burden of running social media is usually on one or two individuals, mistakes happen.

So what have we done since?

Since the phishing event, we have contacted Instagram through their phishing-report email address and tried the other routes described in their help pages to see whether the account can be restored. So far we have made no progress. Their help articles state that account deletion is irreversible. How can you avoid this happening to you?

The stress of this type of cyberattack can be acutely felt by the team members responsible. To mitigate these attacks, try the following:

  • Turn on two-factor authentication on your social media accounts. It is still worth having even though, as happened to us, it can be defeated once account details have been handed over to a phisher.
  • Use a shared institutional email address, not a personal one, for your accounts.
  • Ask your IT team to run robust anti-phishing scanning on your email.
  • Set house rules (see, for example, the British Museum’s code of conduct) and consider not responding to direct messages on social platforms outside core working hours.
  • If an offer sounds too good to be true, believe the old adage: ask a colleague’s opinion or search for the text of the message online. Someone else has usually seen it.
  • Use the team features of tools such as TweetDeck so that you do not share passwords for accounts.
  • Back up your content frequently or, if you are technically minded, run scripts to pull your feeds at regular intervals.
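The message that caught us linked to a web form on a site that was not Instagram's. A quick, mechanical check of where a link actually points is one habit that catches this class of lure. The script below is an added example written for this post; it is not code from the original article or from the museum. The sample direct message and the lookalike domain in it are constructed for illustration, and the list of trusted platform domains is an assumption that you should maintain for your own organisation.

```python
"""Classify the links in a social-media direct message by whether they point
at a domain the platform genuinely uses.  Added example, not from the original
post.  TRUSTED_DOMAINS and BRAND_WORDS are assumptions for the example."""
import re
from urllib.parse import urlsplit

# Assumption: registrable domains the platform really sends you to.
TRUSTED_DOMAINS = {"instagram.com", "facebook.com", "fb.com", "meta.com"}

# Assumption: brand words whose appearance in an *untrusted* host is a red flag.
BRAND_WORDS = ("instagram", "facebook", "meta", "verify", "verified", "badge")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname: 'help.instagram.com' -> 'instagram.com'.
    Adequate for the domains above; a production check should use the Public
    Suffix List so that names such as 'example.co.uk' are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'trusted' or 'suspicious'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Internationalised (punycode) hosts are a common way to fake a brand name.
    if "xn--" in host:
        return "suspicious", f"{host}: punycode host, possible lookalike"
    # A trusted name only counts as the registrable domain, never as a
    # subdomain label such as instagram.com.verified-badge-request.com
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        if parts.scheme.lower() != "https":
            return "suspicious", f"{host}: trusted domain but not https"
        return "trusted", f"{host}: registrable domain {domain} is trusted"
    for word in BRAND_WORDS:
        if word in host:
            return "suspicious", f"{host}: untrusted host contains brand word '{word}'"
    return "suspicious", f"{host}: not a platform domain"


def check_message(text: str) -> list[tuple[str, str, str]]:
    """Extract every URL from a message and classify it."""
    return [(url, *classify_url(url)) for url in URL_RE.findall(text)]


# Constructed sample DM in the style of the one described in the post.
SAMPLE_DM = (
    "Hello! Your account is eligible for the blue verified badge. "
    "Confirm your details within 24 hours at "
    "https://instagram.com.verified-badge-request.com/confirm "
    "or read the official policy at https://help.instagram.com/ ."
)

if __name__ == "__main__":
    for url, verdict, reason in check_message(SAMPLE_DM):
        print(f"{verdict:10} {url}")
        print(f"           {reason}")
```

Run it over the text of a suspicious message before anyone clicks. The first link in the sample is flagged because its registrable domain is verified-badge-request.com, whatever the hostname starts with; the second passes because help.instagram.com really does sit under instagram.com. The check says nothing about whether a page on a trusted domain is safe, only that a lure pointing elsewhere is not where the platform would send you.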

We hope that this post is helpful to you, and that you all remain free of cyberattacks. If it’s happened to you, remember you’re not alone and the community you build will help you return.

Thank you for all the support you have given us since we announced the loss of our account.