When Irene Gee received a direct message on Instagram from her chihuahua’s groomer last month claiming a bitcoin mining opportunity earned him over $13,000 from a mere $700 investment, she was eager to get on board. After all, she knew him, he presented photos of the deposits to his bank account as proof — and, anecdotally, she’d heard countless stories about people making money on crypto.
He ultimately directed her to wire over $7,700 across four transactions addressed to a woman named Tricia who he claimed was his “mentor” — one to the mobile payment service Cash App, another to Venmo, and two to Zelle. He told Gee the more she invested, the more she would get back.
But Gee, 44, never got paid and the person requesting the payments turned out to be a thief who hacked her groomer’s account.
Gee and two other Instagram users share their experience dealing with an elaborate money-flipping scam running rampant on Meta’s (FB) popular social networking platform in which fraudsters take over an account and masquerade as the user to target friends and family, soliciting cash transfers by promoting a fake investment opportunity. Once hackers receive payment, they hold their victims’ payments hostage and blackmail them into filming a video endorsing the scam by promising their funds will be returned. The scammers use the videos to target individuals who know the original victim personally.
Users at the center of such scams said requests for help from Instagram went largely unaddressed and efforts to regain control of their accounts failed, even after repeated pleas to the social media platform.
“We know we can do more here, and we’re working hard in both of these areas to stop bad actors before they cause harm, and to keep our community safe,” a Meta company spokesperson told.
Paul Ducklin, a cybersecurity expert and principal research scientist for the U.K.-based security software company Sophos, said Instagram is a platform on which users are particularly susceptible to these types of “heavily-targeted” scams due to the availability of personal photos and direct access to acquaintances and loved ones.
“This is about the fact that the crooks are pretending to be your buddies,” Ducklin told. “Once they can do that, they don’t have to be super clever in the message because you’re inclined to trust it anyway.”
It took Gee a month to regain control of her compromised account, but only after it was used to target her friends and family for weeks. In hopes of getting her money back, Gee fulfilled a list of demands from the hacker — including filming a video of herself promoting the scheme.
“My friends kept sending me all these personal pictures they kept using from my hacked account and I told them to block it and not respond,” Gee said. “I had been trying to get a hold of Instagram each and every day when I knew the account got hacked and I never heard back from them.”
She even filed a security affidavit with Citibank and a police report with her local precinct but she was not able to recover the payments she made.
That was the case for Simona Zhukovski, 26, who received a message from an acquaintance in Florida requesting a testimonial for a foreign exchange-trading business he said he started. Eager to help a friend, she recorded a video of herself endorsing the investment startup (which was fake) and followed his directions thinking she was doing someone she personally knew a favor.
“He led me step-by-step, and I stupidly didn’t even realize that this guy basically led me into letting him hijack my account,” said Zhukovski, adding that once he gained access, he changed her login credentials. After contacting the friend who she thought was controlling her account, he informed her his account, too, was compromised and it was not him behind the scheme.
She desperately contacted Instagram “every five minutes” to stop the takeover, but her attempts too were unsuccessful.
“It’s easy to say that Meta could solve this trivially because they could just help the real people trying to get their accounts back — but if they’ve made it too easy for you to recover your account, then guess what? The crooks would use the account recovery process as a way of compromising your account,” Ducklin said.
“It was like the hacker turned my account into a bot,” she said, noting that messages from the hacker, pretending to be her, and the video Zhukovski recorded promoting the foreign-exchange investment opportunity were spammed to friends who were asked to send Cash App payments.
It took Zhukovski two months to regain access to her Instagram account — and not by using the platform’s Help Center, but after her cousin solicited assistance from a friend who happened to work at Meta.
More than 95,000 people in the U.S. reported about $770 million in losses to fraud initiated on social media platforms in 2021, according to a report from the Federal Trade Commission published earlier this year. The figure is 18 times as high as the number reported in 2017, and accounts for about 25% of all reported fraud losses in 2021.
Moreover, investment scams made up 37% of those losses, with 64% of the reports related to cryptocurrency.
Gary Chelnis, 26, received a direct message from an Instagram friend asking to help him win an online competition. Chelnis then received a link from the friend to cast a vote that first directed him to enter his email and password before he could proceed. Chelnis initially used credentials for his Instagram business account, and then entered information for his personal account once the requestor said it did not work the first time — granting the hacker access to both of his Instagram accounts.
Before he knew it, the accounts were being used to promote another get-rich-quick cryptocurrency investment scam.
The hacker booted him out of both accounts preventing him from accessing them. Chelnis attempted to use a new security feature in Instagram’s Help Center that guides users to record a front-facing video to prove their identity so they can send a password recovery link, but he described the effort as a game of cat and mouse.
“Every single time I tried the reset, it would still log me out because it would not give me enough time to complete the two-factor authentication,” he said. “It was like battling a bot.”
People underestimate the value of their social media passwords, Duckin told, adding that they mistakenly place more importance on securing login credentials for bank and 401(k) accounts, when “there is gold in social media accounts” for cyber criminals.