Can You Get Hacked Through an Instagram DM in 2025?
Your phone buzzes with a new Instagram DM. Maybe it’s a friend sharing a funny meme, or perhaps it’s someone claiming there’s been “unusual activity” on your account. But here’s the question that’s been keeping many users up at night: can you actually get hacked through an Instagram DM?
The short answer is yes—but not in the way you might think.
While simply reading a DM won’t instantly compromise your device, Instagram messages have become a popular delivery method for cybercriminals looking to trick you into handing over your credentials, installing malicious apps, or falling for elaborate scams.
With Instagram boasting nearly 2 billion monthly active users, it’s no wonder hackers see the platform as prime hunting ground.
In 2024 alone, the FTC reported that Americans lost $470 million to text and social media scams—many of which started with an innocent-looking direct message.
Table of Contents
- What Does "Getting Hacked Through a DM" Actually Mean?
- How Instagram DMs Really Get You Hacked
- Instagram's Built-In Protection (And Its Limits)
- Is Simply Opening a DM Dangerous?
- iPhone vs. Android: Different Risk Levels
- What to Do If You Clicked a Suspicious DM Link
- How to Make Your Instagram DMs Safer
- Wrapping Up
- Frequently Asked Questions (FAQs)
What Does “Getting Hacked Through a DM” Actually Mean?
When we talk about getting “hacked” through an Instagram DM, we’re really talking about three different outcomes:
🔓 Account Takeover
This is when scammers trick you into entering your Instagram login details on a fake website. Once they have your credentials, they lock you out of your account and use it to message your followers with the same scam.
📱 Device Compromise
This happens when a DM link leads you to download malicious software—usually an app from outside the official app stores—that can spy on your device or steal personal information.
🪪 Financial or Identity Fraud
Cybercriminals use DMs to lure you into fake investment schemes, job offers, or giveaways designed to steal your money or personal details.
How Instagram DMs Really Get You Hacked
The Phishing Link Trap
The most common Instagram DM scams involve links to fake websites that look remarkably similar to the real Instagram login page. Here are the classics:
- “Your account will be deleted in 24 hours”
- “Copyright violation—appeal now”
- “Verify your blue checkmark”
- “Is this you in the video?”
These messages create urgency and panic, pushing you to click without thinking. Even if they come from someone you know, be suspicious—their account may have been compromised and is now spreading the scam to their contacts.

Fig 1. Two example Instagram DM scams
Pro Tip: Instagram will NEVER contact you through DMs about account issues. They only send official communications through the “Emails from Instagram” section in your settings, which you can check anytime.
The “Brand Collaboration” Scam
Another popular tactic targets content creators with fake sponsorship offers. The scammer poses as a brand representative and asks you to download a “partner app” or fill out forms that harvest your login credentials.
These fake “partner apps” can be particularly dangerous because they often contain spyware, keyloggers, or other malware designed to steal your personal information, monitor your activity, or gain access to your accounts.
The Fake Support Chat
More sophisticated scammers now impersonate Instagram or Meta support staff, claiming they need to “verify” your account or help with a security issue. They may even walk you through adding them to your two-factor authentication methods, giving them complete control over your account.
QR Code Phishing (Quishing)
A newer trend involves sending QR codes embedded in images through DMs or Stories. When scanned, these codes can redirect you to phishing websites or trigger malicious downloads.

Fig 2. An example Quishing scam.
Instagram’s Built-In Protection (And Its Limits)
Instagram does have some safeguards in place:
- Link warnings: External links often route through l.instagram.com, which can check destinations against blocklists and warn users about suspicious sites.
- “Emails from Instagram” feature: A section in your settings that displays all legitimate emails Instagram has sent you in the last 14 days.
- DM controls: You can restrict messages from unknown accounts and filter spam.
- Security checkup: Helps compromised users secure their accounts.
However, these protections aren’t foolproof. The l.instagram.com link checker, for example, is helpful but doesn’t guarantee safety—scammers constantly create new domains that haven’t been blocked yet.
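The limit described above can be seen by reading a link without opening it. The following is an added example, not code from Instagram or from this article: it unwraps an l.instagram.com link offline and classifies the host it finally leads to. It assumes the wrapper carries its destination in a `u` query parameter; the function names, the verdict labels and the sample links are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

OFFICIAL_DOMAINS = ("instagram.com",)  # assumption: extend with other domains you trust
WRAPPER_HOST = "l.instagram.com"


def unwrap(url, max_depth=3):
    """Return the real destination of an l.instagram.com link, without fetching it."""
    for _ in range(max_depth):
        parts = urlsplit(url)
        if (parts.hostname or "").lower() != WRAPPER_HOST:
            break
        # Assumption: the wrapper carries the percent-encoded destination in `u`.
        target = parse_qs(parts.query).get("u", [""])[0]
        if not target:
            break
        url = target
    return url


def is_official(host):
    """True for an official domain or a real subdomain of one, never a substring match."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def triage(url):
    """Classify a DM link by where it finally leads."""
    dest = urlsplit(unwrap(url))
    host = (dest.hostname or "").lower()
    if dest.scheme != "https" or not host:
        return "not-https"
    if dest.username is not None:
        return "userinfo-trick"  # the text before '@' is not the host
    if host == WRAPPER_HOST:
        return "wrapper-unresolved"  # no destination found, or nested too deeply
    if is_official(host):
        return "official"
    if "instagram" in host:
        return "lookalike"  # brand name inside a host that is not the brand's domain
    return "external-unverified"  # absent from every list says nothing about safety


# Constructed sample links (reserved .example names, not real sites).
SAMPLES = [
    "https://help.instagram.com/",
    "https://l.instagram.com/?u=https%3A%2F%2Finstagram.com.verify-login.example%2Flogin&e=x",
    "https://instagram.com@appeal-form.example/",
    "https://l.instagram.com/?u=https%3A%2F%2Fnews.example%2Fstory",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{triage(link):20} {unwrap(link)}")
```

The second sample shows why the wrapper's own hostname proves nothing: the link starts with l.instagram.com, yet the destination is a lookalike host that merely begins with "instagram.com".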
Is Simply Opening a DM Dangerous?
In most cases, no. Reading a text-only DM won’t compromise your device. The danger comes when you:
- Click on suspicious links
- Enter your credentials on fake websites
- Download and install apps from outside official stores
- Share personal information with strangers
However, there have been instances where malicious media files could exploit vulnerabilities in Instagram’s processing systems.
In 2020, security researchers found a bug that allowed hackers to execute code on devices simply by sending a specially crafted image. While this was quickly patched, it shows that in rare cases, zero-click exploits can affect Instagram.
iPhone vs. Android: Different Risk Levels
Not all smartphones face the same level of risk when it comes to Instagram DM scams. Your device’s operating system plays a crucial role in determining how vulnerable you are to certain types of attacks.
While both iPhone and Android users can fall victim to phishing scams and account takeovers, the technical risks differ significantly due to how each platform handles app installation and system security.
Android Risks
Android users should be particularly cautious of:
- Malicious APK files: Scammers often trick users into downloading apps from outside the Google Play Store, which can contain spyware, keyloggers, or other malware.
- Fake app permissions: Malicious apps may request excessive permissions to access your contacts, messages, camera, or location data.
- System-level access: Android’s more open architecture can be exploited by sophisticated malware to gain deeper device control.
iPhone Risks
iPhone users face different but still serious threats:
- Malicious configuration profiles: Scammers may trick you into installing profiles that can monitor your activity, redirect traffic, or allow malicious app installation.
- Apple ID phishing: Targeted attempts to steal your Apple ID credentials through fake login pages or support impersonation.
- Alternative app stores (EU): With new EU regulations allowing alternative app distribution, iPhone users in Europe face sideloading risks similar to those Android users face.
Pro Tip: If you’re experiencing any suspicious phone behavior—like rapid battery drain, unknown apps, or high data usage—it’s worth running a security scan with a trusted app like Certo AntiSpy.
What to Do If You Clicked a Suspicious DM Link
It depends on what you did after clicking—but don’t panic. The steps you need to take vary based on whether you just visited a website, entered your login details, or actually downloaded something to your device. Here’s your action plan:
🔑 If you entered login credentials anywhere:
- Start recovery immediately: Go to instagram.com/hacked and follow the prompts (you don’t need to be logged in).
- Change your password: Use a strong, unique password you’ve never used before.
- Enable two-factor authentication: Use an authenticator app rather than SMS codes when possible.
- Check active sessions: Review “Where you’re logged in” and sign out any unknown sessions.
- Review connected apps: Remove any apps or services you don’t recognize from your account.
- Alert your followers: Post a Story warning that previous DMs may have been from a scammer.
⬇️ If you downloaded or installed anything:
- Uninstall immediately: Remove any apps you downloaded through DM links.
- Run a security scan: Use reputable mobile security software to check for threats.
- Update your device: Install the latest operating system updates.
- Check app permissions: Review what permissions suspicious apps may have had.
- Consider a factory reset: If problems persist, this last-resort option removes all threats.
📣 Report the scam:
Don’t forget to report the scam to help protect others. Start by reporting the message and account directly through Instagram’s app.
If you’re in the US, you can also file a report with the FTC at ReportFraud.ftc.gov. UK users should forward suspicious emails to report@phishing.gov.uk or report any financial losses to Action Fraud.
How to Make Your Instagram DMs Safer
The good news is that you don’t have to be a cybersecurity expert to protect yourself from Instagram DM scams. With a few simple settings changes and smart habits, you can dramatically reduce your risk of falling victim to these attacks.
1. Tighten Your DM Settings
Instagram gives you several options to control who can message you:
- Tap your profile picture in the bottom right.
- Tap the menu icon at the top right.
- Go to Messages and story replies.
- Tap Message requests and choose No one under “Who can send you message requests”. People that you follow or have chatted with before can still send you messages.
- On the same page, choose People that you follow under “Who can send you group message requests”.
- On the same page, toggle on Hide unwanted message requests, to automatically block messages that may be spam or scams.
- Next, go back and tap Story replies and select Only allow story replies from people that you follow or Don’t allow story replies.

Fig 3. Tightening Instagram security settings.
2. Enable Strong Authentication
- Use two-factor authentication with an authenticator app (not SMS).
- Store backup codes in a safe place offline.
- Use a unique, strong password for your Instagram account.
- Review login activity regularly.
3. Stay Updated and Vigilant
- Keep the Instagram app and your operating system updated.
- Never install apps from outside official stores.
- Don’t scan QR codes from unknown sources.
- Remember: Instagram will never DM you about account issues.
4. Know where to find official Instagram emails
Instagram keeps a copy of all official emails sent to you in the last 14 days directly in the app. Anything claiming to be from Instagram that’s not listed here is a scam. Here’s how to view them:
- Tap your profile picture in the bottom right.
- Tap the menu icon at the top right.
- Tap Accounts Centre, then tap Password and security.
- Tap Recent emails, then tap your Instagram account for which you’d like to see recent emails.

Fig 4. Finding Instagram emails.
Expert Insight: Why Instagram DM Scams Are So Effective
Instagram DM scams work because they exploit our trust and create artificial urgency.
When a message appears to come from a friend or claims your account is in danger, your natural instinct is to act quickly.
Scammers also constantly evolve their tactics—what worked last year may look completely different today.
The key to staying safe is maintaining a healthy skepticism: if a DM creates urgency or asks for personal information, take a step back and verify the request through official channels before acting.
Wrapping Up
The reality is that Instagram DMs can be a gateway to account compromise and even device infection—but only if you interact with malicious content. While it’s highly unlikely that simply reading a message will harm you, clicking links, entering credentials, or downloading apps absolutely can.
Your best defense is understanding how these scams work and remembering Instagram’s golden rule: they will never DM you about account security. When in doubt, go directly to Instagram’s official website or app to verify any concerns about your account.
If you’re still worried about your digital security, running a quick scan with Certo AntiSpy can give you peace of mind and help detect any threats that may have slipped through.
Frequently Asked Questions (FAQs)
Can I get a virus just by opening an Instagram DM?
Generally, no. Simply reading a text-only DM won’t infect your device with malware. However, there have been rare cases where malicious images or files could exploit vulnerabilities in Instagram’s processing systems. Keeping your app updated reduces this risk significantly.
How can I tell if an Instagram DM is legitimate?
Look for red flags like urgent language, requests for personal information, or links to external websites. Remember that Instagram will never contact you through DMs about account issues—they only send official communications through “Emails from Instagram” in your settings.
Are Instagram-wrapped links (l.instagram.com) safe?
Not necessarily. While Instagram uses l.instagram.com as a protective wrapper that can warn you about dangerous sites, it’s not foolproof. Scammers constantly create new domains that haven’t been blocked yet, so always be cautious with any external links.
What should I do if my friend’s Instagram account is sending me suspicious DMs?
Don’t click any links, even if they appear to come from someone you trust. Their account may have been compromised. Instead, contact your friend through a different platform to let them know their Instagram may be hacked.
Can Instagram DMs lead to phone hacking on iPhones?
While less common than on Android devices, it’s possible. Scammers might try to trick you into installing malicious configuration profiles or entering your Apple ID credentials on fake websites. iOS users should be particularly wary of any requests to install profiles or apps outside the App Store.