Spot fake brand-collaboration pitches, friend account-takeover ‘help me’ messages, and crypto / investment pivots arriving via Instagram DM — with verification rules tuned to the platform.
Last reviewed: 13 May 2026 · ScamSupport research
Why Instagram DMs are a high-volume scam entry point
Instagram has over 2 billion monthly active users globally with a high concentration of UK users in the 18-35 demographic that scammers target most aggressively. The platform’s DM channel combines three properties that make it scam-prone: messages arrive from strangers as easily as friends; profile authenticity is hard to verify; and Meta’s account-takeover recovery flow is famously slow (often 7-14 days).
Instagram-DM scams skew toward platform-specific patterns rather than the bank-impersonation phishing that dominates SMS. Three patterns account for the majority of 2026 UK reports: fake brand-collaboration / influencer pitches, friend-account-takeover “help me” messages, and crypto / investment pivots that resemble the LinkedIn mentor pattern but with less subtlety.
Three Instagram scam-DM variants currently in circulation
Variant 1 - Fake brand-collaboration pitch
How it presents: An account claiming to represent a real brand (Adidas, Gymshark, ASOS, Boots, Daniel Wellington, MyProtein, etc.) DMs the recipient with a collaboration offer. The account profile may have a few thousand followers, a polished bio, and recent posts that look on-brand. The offer: free product in exchange for posting on the recipient’s feed. The link routes to a fake landing page that collects address, phone, email and sometimes a small shipping fee with card details.
Red flags:
Real brand collaboration teams don’t cold-DM accounts with low follower counts. Real brand partnerships start at influencer agencies, established creator marketplaces (Influencity, Aspire, Tribe), or via a brand’s own creator-application portal — not unsolicited DMs to accounts with under 50k followers.
The brand account is not the verified one. Real brands have a blue tick. Variants with usernames like @adidas.uk.official, @gymshark_collabs, @asos_partnerships_uk are imitators. Check that the account is the brand’s actual verified Instagram before responding.
A “small shipping fee” is requested. Real brand collaborations don’t charge influencers shipping. The fee is the actual scam mechanism: it is small enough not to trigger your suspicion, and the full card details harvested along with it are the value extracted.
You’re asked to fill out an “application form” on an external site. Real brand applications happen on the brand’s own domain (e.g. creator.brand.com) or via established platforms. Forms on lookalike domains are credential-harvest pretexts.
Time pressure — “respond within 24h to secure the spot”. Real brand campaigns have weeks-long timelines, not 24-hour windows.
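An added example, not part of the original guide: a Python check for the imitator-handle and lookalike-domain red flags above, run against the usernames this page quotes. The BRANDS allowlist (handles and domains) and the .example hosts are assumptions constructed for illustration; confirm real values against the brand's verified profile.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist for this example: brand -> (verified handle, own domain).
# Assumed values; confirm each against the brand's blue-tick profile and website.
BRANDS = {
    "adidas": ("adidas", "adidas.com"),
    "gymshark": ("gymshark", "gymshark.com"),
    "asos": ("asos", "asos.com"),
}

def classify_handle(handle):
    """'listed' = matches the allowlisted handle (still check the blue tick),
    'imitator' = brand name plus extra tokens, 'unrelated' = no brand name."""
    h = handle.lstrip("@").lower()
    for brand, (verified, _) in BRANDS.items():
        if h == verified:
            return ("listed", brand)
        # Drop separators and digits so padding such as '_', '.' or a
        # trailing year cannot hide the embedded brand name.
        if brand in re.sub(r"[._\d]", "", h):
            return ("imitator", brand)
    return ("unrelated", None)

def classify_link(url):
    """'own-domain' = the brand's domain or a subdomain of it,
    'lookalike' = brand name appears in some other host, 'external' otherwise."""
    host = (urlsplit(url if "//" in url else "//" + url).hostname or "").lower()
    for brand, (_, domain) in BRANDS.items():
        if host == domain or host.endswith("." + domain):
            return ("own-domain", brand)
        # Catches both "brand-creators.example" and "brand.com.something.example".
        if brand in host.replace("-", "").replace(".", ""):
            return ("lookalike", brand)
    return ("external", None)

def triage(handle, url):
    """Combine both checks: an imitator handle or a lookalike link is a red flag."""
    h, link = classify_handle(handle), classify_link(url)
    return {"handle": h[0], "link": link[0],
            "red_flag": h[0] == "imitator" or link[0] == "lookalike"}
```

An "external" result is not cleared by this check: it still needs the manual test of whether the link is an established creator platform or a DM you initiated.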
Variant 2 — Friend account-takeover: “Help me with this Instagram verification”
How it presents: A DM arrives from a real friend’s account (their account has been compromised by the same scam). The friend says: “Hi! Can you do me a favour — I’m trying to verify my Instagram account and you’re my trusted contact. I need you to tell me the code Instagram sends to your phone.” Or: “Can you vote for me in this competition? Click this link.”
Red flags:
Instagram’s “trusted contact” recovery does not work this way. Real account recovery via trusted contacts uses Instagram’s own in-app flow that displays the request inside YOUR Instagram app, never via text-message codes sent to your phone for someone else.
The code is actually being sent to your phone to take over YOUR Instagram account. Instagram is sending the code because the scammer is trying to reset your password using your phone number. The instant you forward the code, they take over your account.
The friend message style is slightly off. The scammer doesn’t know your friend personally. Phrasing, capitalisation, emoji use, slang — subtle differences from the real friend.
The message leans on urgency or emotional appeal: “I really need this”, “please, you’re the only one I trust”, “before midnight or I lose the account”. Real friends rarely speak in these terms; scammers always do.
Verification rule: call the friend on their saved phone number before doing anything. The compromised account can’t intercept a voice call. Real friends will pick up; real scammers won’t.
Variant 3 — Crypto / investment-pivot from a new follower
How it presents: A new account follows you. The profile is glamorous — wealth signals, exotic locations, expensive watches, sometimes AI-generated headshots. They DM with a friendly opener (compliment on a recent post, shared interest), build rapport over days, then mention their “crypto trading platform” that’s been generating consistent returns. They offer to introduce you to a “trusted analyst” or share access to their platform.
Red flags:
This is pig-butchering on Instagram. The same playbook as the LinkedIn / dating-app / WhatsApp variants — build relationship, introduce investment platform, milk deposits, block when victim tries to withdraw.
The profile’s wealth signals are theatrical. Posed photos in front of generic luxury settings, AI-generated landscapes, watches and cars with no owner’s name visible. Real wealthy individuals post less, not more.
They follow many people, including strangers. Real successful traders don’t spend their time DMing random Instagram users about their trading platform.
Any investment platform mentioned is unregulated. Check the firm name on the FCA Register. Most platforms named in these DMs aren’t there at all, or appear on the FCA Warning List.
Run any investment offer through our Investment Pitch Analyser before sending a penny. The analyser checks 8 scam patterns + free-text scheme detection in under 5 minutes.
The verification rules that defeat Instagram-DM scams
Verify the account. Click into the profile. Is the account verified (blue tick)? When was it created? Does it have established posts and genuine engagement, or recent posts and bought-looking follower counts? A 2-week-old account with a polished bio and 800 followers is almost certainly a scam profile.
Never send Instagram verification codes to anyone, ever. If a friend asks for the code Instagram texted you, it’s not the friend — it’s a scammer using their hacked account. Verify by calling the friend on their saved phone number.
Real brand collaborations don’t charge fees. Any brand asking for a “shipping fee”, “application processing fee”, or “sample tax” is fake. Real partnerships pay you (in product or in cash), not the other way round.
Don’t click external links from DMs you didn’t initiate. Real brand applications stay inside Instagram or go to the brand’s clearly-identifiable own domain. A lookalike domain in a DM is the scam.
For investment offers: run them through the Investment Pitch Analyser before any commitment. The base rate of scam offers via cold Instagram DM is extremely high.
Report scam DMs through Instagram’s in-app report: Tap and hold the message > Report. Reports trigger Instagram’s automated review, which usually suspends scam accounts within 24-72 hours.
If your Instagram account has been hacked
Try to recover the account immediately at www.instagram.com/hacked. Instagram’s self-service recovery covers most cases if the linked email + phone haven’t been changed. If you are already locked out of the account, request a recovery code via the original email.
If Instagram’s self-service flow fails: request video-selfie verification through Instagram Help Center. Recovery typically takes 7-14 days. Be persistent — multiple attempts often work where one fails.
Warn your followers and contacts. Post on any other platform you have access to (Facebook, X, LinkedIn, your email contacts) that your Instagram account is compromised and to ignore any DMs from it. Friends are the primary scam target via your hacked account.
Change passwords on any linked accounts. Especially Facebook (often the same login), and any email used for Instagram. Enable 2FA everywhere using an authenticator app rather than SMS.
Once recovered: review your account’s “Login activity” (Settings > Security), sign out all devices, change the password, enable 2FA via authenticator app, and check that the linked email and phone haven’t been altered. Review “Apps and websites” for any unauthorised third-party connections.