top of page

Social media hacking scams: what to look out for

Police forces have reported an increase in social media hackings, both on business accounts and personal accounts. So, how can you spot the tell-tale signs of scams, hackings and fraudulent behaviour online? Allow us...

Blog contents

Social media plays a huge part in our lives. From ‘living your best life’ selfies, taking snaps of your food for Instagram likes, chatting with friends, making memories, reels, memes, stories…it’s omnipresent.

We all use it, but sadly so do criminals. Police forces across the East Midlands have witnessed a surge in criminal activity online with a key aim of the criminal being to extort funds from their victims via fiendish tricks such as phishing, hacking and impersonation fraud.

Kirsty Jackson, Nottinghamshire Police’s Cyber Protect and Prevent Officer, said:

“Having spoken with local victims across the county in response to social media hackings, I have seen first-hand the devastation this has caused victims, leaving them feeling violated, scared and locked out of their accounts without any control over their data, images, reputation and messages.
“The social media hackings I have personally worked on saw a growing trend emerge across each victim I have supported. They have generally reused the same or similar password across all online accounts and have appeared in data breaches, which is the likely point of compromise. Some victims have even been scammed into sharing their 2-Step Verification codes, which is like handing over the keys to their account."

Due to the upsurge in hacking reports to police forces, we want to emphasise that there are simple but very effective preventative measures that can be put in place to better protect your social media accounts.

Let’s take a look, starting with…

Password Security

A staggering - and alarming - amount of people are still using really basic passwords which hackers can easily guess. The UK’s National Cyber Security Centre carried out analysis of passwords leaked in data breaches and found that more than 23 million users worldwide used 123456 as a password! Facepalm emoji!

Make it harder for cyber criminals to break in. Always use a different password for each online account you have, otherwise one data breach or password compromise will put all of your accounts at risk.

Strong memorable passwords can easily be created by combining three random words. For example, you could use: Hippo!Pizza.Rocket1? Note the grammatical insertions. Special characters can also be thrown into the mix to ramp security up even further. A few underscores and an asterisk here and there will beef up your password.

We know what you’re thinking: “But I will never remember all my passwords, especially if they’re complex!”. We hear you. So perhaps consider using a trusted password manager to help store all your passwords across multiple accounts.

Finally - and crucially - NEVER share passwords or authentication codes with anyone, no matter who they claim to be.

2FA ok?

Are you au fait with 2FA? Two-factor authentication (also known as two-step verification ‘2SV’ or multi-factor authentication) is designed to help stop cybercriminals from accessing your accounts by adding an extra layer of security.

Two-factor authentication ensures that any new device trying to log in or make account changes needs a second layer of security before access is given.

2FA includes single-use codes being sent via SMS, email, phone, or smartphone application (authentication apps). This means that if anyone tries to log in to your account - even if they have somehow obtained your password - a notification with an access code will be sent to you, denying them access. Don't EVER share access codes!

Here's how to turn on 2FA for common social media platforms...

Keep up to date

Always keep your device software, apps and other programmes up to date to allow fixes to newly identified security bugs and vulnerabilities. People often consider updates a hindrance. But there’s a good reason why companies issue updates, and it maybe to plug a vulnerability or to thwart malware.

Enable automatic updates and avoid using devices that cannot be fully updated. Back-up regular copies of all your important documents, messages, contacts, photos and videos on a separate device or in the cloud.

What if I use social media for my business?

All the above applies, but check out our extra tips to keep your business accounts secure: Are your business social media accounts secure?

Red flags and phishing

Social media scams usually include some sort of "ask." This is the biggest red flag to look out for. If a brand or person (even a friend or family member) have asked you to do something, this could lead you to becoming hacked as well as putting your friends and family at risk of falling victim to the same scam.

Look out for…

  • Fake Influencer voting - sent via a social media message from a hacked friend or family member to fool users into clicking on a malicious link to vote for them to be a top influencer through a fake competition. This will lock you out of your account. Watch the video from This Morning below to see an example of how this caught an ITV employee out.

  • Giveaways - these might ask that you give away personal info, make a payment, or log into a site in exchange for a prize. This could leave you wide open to a hacking and the inability to access your account.

  • Support - this could be any request of help or support with your social media account from a friend/family member (who will have also been hacked). Never share login credentials or authentication codes. This is like giving over the keys to your account.

  • Random messages - if you receive a random message from someone in your friends list that may ask you to click a link, be cautious. Typically, the message will be designed to fill you with curiosity with questions such as ‘Is this you in this video?’ or, as we have seen recently, the ’guess who’s dead’ scam. If in doubt, message the person and query whether or not they actually sent the message willingly.

  • Bitcoin Investment - if hacked, you could be asked to pay a ransom and/or film a hostage-style video promoting fraudulent cryptocurrency get-rich-quick schemes, as hackers from around the world hijack and hold social media accounts for ransom.

Phishing scams are rife! They dominated the threat landscape last year and are doing so again.

Never click on any unverified emails, texts or other messages (eg. on any social media platform including Messenger and WhatsApp). Verify using a trusted phone number or contact or check via their official website or app.

Never be rushed into clicking a link that requests you to reset your password, enter a competition, or generally to do something on the back of a message received. No genuine person or organisation will phone or message you unexpectedly and ask you to make changes or give them remote access to any of your devices.

We could talk about phishing all day, but luckily, we have also blogged about it previously. Check out our comprehensive phishing blog, 'Let’s remind ourselves about phishing...'.

Impersonation fraud, extortion and a digital hostage situation!

A new breed of organised cybercriminals has penetrated social media, with the aim of stealing your profile and taking your identity.

In the last 12 months, impersonation fraud on Instagram alone has risen by 155%, as criminals target unsuspecting users.

But how do you spot the impersonators and keep your identity safe? Alice Beer recently appeared on This Morning to cover this topic, and she also covers some of the must-know safety tips we have mentioned.

The video is 7 minutes and 42 seconds long, but it’s worth every second if it prevents you from being compromised.

Watch it here...

Useful links

Throughout this blog we have linked to related blogs which offer more information on the topic. We have an abundance of useful blogs on our website, and the East Midlands Cyber Secure website has access to Cyber Aware top tips, helpful videos and the opportunity to sign-up to their webinars.



Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).



The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.


EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.

bottom of page