'I let my guard down': Scammers targeting small business owners with Instagram takeover trick
Scammers are duping small business owners into sending the password reset link to their Instagram page under the guise of confirming their identity.
SINGAPORE: Small business owner Dayana Rizal, 27, is no stranger to dealing with online buyers, but the one she encountered on Oct 3 seemed particularly - in her words - "harmless".
Ms Dayana, who sold clay mugs on her now-defunct Instagram page potekceramics, said the buyer was a sweet talker who seemed clueless about how to purchase her mugs online.
The buyer, using a private Instagram account with a few hundred followers, sent Ms Dayana a direct message with a screenshot of her wares, saying: "I want to buy this."
"There were multiple items inside (the screenshot), so in my head I was thinking like, there are so many (products) inside - which one do you want to buy?" Ms Dayana told CNA, recalling her exchange with the buyer during some lull time at work.
"So I just assumed it was like a clueless makcik or aunty who was blur and didn't know how to order through Instagram. I think I let my guard down also because the person behind the account was calling me 'dear' and all that."
Ms Dayana, who works in a pottery studio and conducts workshops, then referred the buyer to her website, asking them to check what was available and complete the purchase there. But the buyer insisted on buying through Instagram.
"I guess she really doesn't know how to use the computer," Ms Dayana remembered thinking then, laughing at her own naivete. "I sound so stupid now that I'm recounting it.
"I was honestly trying to close the sale because it's always exciting when someone wants to buy your stuff," she added. "But also I wanted to help her; not everyone knows how to use a website."
Ms Dayana relented, telling the buyer they could send the money to her mobile number. The buyer then asked how much it would cost to deliver to Yishun, so Ms Dayana replied that it was a S$5 delivery fee islandwide.
The buyer's next question, however, led to the first red flag.
The buyer asked if she was the owner or admin of the potekceramics Instagram page, ostensibly to verify that they were dealing with the business owner. Ms Dayana confirmed that she owned the business.
"She was like, okay, just to make sure, I'll send in a request to Instagram to send you a message just to check whether you're the real owner or not. Once you receive the message, can you send me a screenshot? Then I'll make the PayNow to your number," she said.
What Ms Dayana did not realise was that the buyer was actually using Instagram's password reset function to take over her account.
Ms Dayana then got a text message from Facebook with a link to reset her Instagram password. Without "thinking" or scrutinising the message, she took a screenshot of it and forwarded it to the buyer.
"I didn't look at it carefully. I thought it was just like a message from Facebook to verify that I'm the real owner," she said, admitting that the official nature of the message threw her off, and that it was so quick and easy to take a screenshot of a message and pass it on.
"I was really clouded by, one, I wanted to close the sale. Secondly, I just thought she was a harmless aunty. I thought she didn't want to be scammed, and I understood also because I didn't want to be scammed.
"But in the end, I also got scammed."
SMALL BUSINESS OWNERS TARGETED
Other small business owners have encountered buyers who try to use this seemingly simple method of taking over an Instagram account.
On Sep 21, the owner of handmade jewellery business Ellaie took to TikTok to recount how she was almost deceived by the same ruse, saying in a video that the buyer who tried it was very "unassuming".
A Straits Times report on Oct 2 also detailed how a man who sold kueh lapis on Instagram fell victim to the method, losing access to his account and a large number of his 5,000 followers, some of them loyal customers.
After Ms Dayana sent the buyer the screenshot of the message, they said thanks and she did not think much about it. But less than an hour later, when she opened her Instagram app, a pop-up said she had been logged out.
Ms Dayana went back to that official message Facebook had sent, and realised that it was a link to reset her password. She tried the link but it did not work.
She then tried using her username and phone number to sign in to her page, but the app said the username and number did not exist. She realised that she had lost all access to her Instagram page.
Ms Dayana was panicking at this point, especially as the person who took over her page had blocked her personal account from viewing it too.
She tried using Instagram's account recovery function, which asked her to send a video selfie to confirm her identity. Instagram emailed her on the same day saying it could not identify her, asking her to submit another video. She has not done so and has not received any word from Instagram since.
Ms Dayana said she got frustrated.
"I shouldn't have to put in so much effort to try and get back my account. I kind of want Instagram to take down the account," she said, adding that she plans to reach out to Instagram and browse Reddit for tips.
A quick check by CNA on Oct 13 confirmed that the potekceramics page - now with a slightly modified page name - remains online, although the scam posts have been deleted.
In response to queries from CNA, Instagram's parent company Meta said it is committed to safeguarding the integrity of its services and protecting its community from hackers, scams and other inauthentic behaviour.
"Online phishing techniques are not unique to Meta, and we will never request your password via email or direct messages. Any official correspondence from Meta on people’s accounts can be accessed via the support requests to help verify authenticity," a spokesperson said.
"We strongly encourage our community to be aware of phishing scams and turn on two-factor authentication in their settings to protect their account."
Ms Dayana's friends sent her updates about her page, saying that the new owner was posting investment-related scams and sending direct messages to her followers about it.
Some of the scam posts were plastered on a picture of Ms Dayana and her boyfriend, which she believes was downloaded off her highlights reel. She found this "creepy".
Ms Dayana's friends reported the account to Instagram and blocked it in hopes of flagging it as being hacked. Some of them also messaged the new owner, telling them to give it up.
The new owner was brazen in their response, Ms Dayana said, adding that they "liked" the angry messages and told her friends to stop wasting their time.
"It just felt like a bit more targeted and quite personal," she said. "Not like a random robot that's trying to scam you."
One friend said that one creator she follows had also been approached with the same tactics by the same buyer on the same day that Ms Dayana was fooled.
Ms Dayana said she was not worried about losing customers, highlighting that her pottery friends with large followings had posted about the incident and pointed her followers to her new Instagram page, potekceramic.
Her old page, started in early 2021, had about 600 followers.
"I didn't want my brand to be associated with this kind of scam, so that's why I didn't really bother trying to recover that account. Because to me, it's already tainted. So, I already created a new account just to start afresh," she said.
"I'm not that worried about losing followers because I know that those who really care about my brand and the work that I make will find me one way or another."
"JUST BE A BIT MORE PRESENT"
Ms Dayana said she is considering making a police report but acknowledged that she has got over the frustration of losing her account. She said she is telling her story so others do not fall for the same trap.
"You know, life is more than just Instagram, so I've been busy like actually working," she said.
Ms Dayana said the incident has left her wary of doing business through direct messages on Instagram, adding that she recently removed a "weird" follower and blocked them out of caution.
She advised small business owners who deal over Instagram to really look into a buyer's account and be vigilant of what they are asking for.
"Don't get so into the moment when you want to make a sale. Just be a bit more present," she said, adding that she felt "greedy" at the point of getting tricked.
"Even if the message is from Facebook, I think other people should read carefully about what the message is telling them to do."