Trustwave SpiderLabs has discovered a new strain of Instagram “Copyright Infringement” phishing emails that aim to steal the victim’s Instagram backup codes in order to bypass the two-factor authentication (2FA) offered on the account.

Two-factor authentication adds a layer of security by requiring two forms of identification when logging into an account to access resources and data.

This extra layer of security is an effective way to protect your account against many security threats that steal personal information, such as phishing, brute-force attacks, credential exploitation, and more.

When a user configures two-factor authentication on Instagram, the site also generates eight-digit backup codes as an alternative means of accessing the account, in case the user is unable to verify the account using 2FA.

In this latest phishing attempt, the email message, which claims to be from Instagram’s parent company, Meta, says that the recipient’s Instagram account has infringed copyrights. It further urges the recipient to file an appeal within 12 hours by clicking the “appeal form” button in the email, or else the account will be permanently deleted.

Clicking on the button takes the recipient to a fake Meta site impersonating Meta’s central portal for violations, where they click the button “Go to Confirmation Form (Confirm My Account),” which then redirects them to the actual phishing website.

The phishing site, which poses as Meta’s “Appeal Center” portal, is hosted on a newly created domain. Once the recipient clicks the “CONTINUE” button, they are asked to enter their username and password (twice).

After providing the passwords, the phishing site asks the user if two-factor authentication is enabled on the Instagram account, and, upon confirmation, it requests the 8-digit backup code.

The end result is that the threat actors obtain all the information needed to log into the victim’s account. Cybercriminals can sell this stolen information underground or use it to take over the account.
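For mail triage, the lure traits described above (a Meta-branded sender, a copyright infringement claim, a short deletion deadline, and a button that leads off Meta's domains) can be checked mechanically. The sketch below is an added example, not Trustwave's tooling; the allowlist of trusted domains, the function names, and the sample message are assumptions constructed for illustration, and it handles only single-part HTML messages.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
# Assumption: domains accepted as genuine for Meta/Instagram senders and links.
TRUSTED = ("instagram.com", "facebook.com", "meta.com")
LURE = re.compile(r"copyright|infring", re.I)
DEADLINE = re.compile(r"\bwithin\s+\d+\s+hours?\b|permanently deleted", re.I)
BRAND = re.compile(r"\b(meta|instagram)\b", re.I)
class _Links(HTMLParser):
    """Collect the hostname of every <a href> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hosts = []
    def handle_starttag(self, tag, attrs):
        host = urlparse(dict(attrs).get("href") or "").hostname
        if tag == "a" and host:
            self.hosts.append(host.lower())

def _trusted(host):
    # Exact match or a true subdomain; "instagram.com.evil.example" fails.
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def triage(raw):
    """Return the lure traits found in a raw single-part HTML email."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    text = f"{msg.get('Subject', '')} {body}"
    links = _Links()
    links.feed(body)
    sender = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    findings = []
    if BRAND.search(msg.get("From", "")) and not _trusted(sender):
        findings.append("brand-name sender on non-Meta domain")
    if LURE.search(text):
        findings.append("copyright infringement claim")
    if DEADLINE.search(text):
        findings.append("deletion deadline pressure")
    bad = sorted({h for h in links.hosts if not _trusted(h)})
    if bad:
        findings.append("links to non-Meta host: " + ", ".join(bad))
    return findings

# Constructed sample message modelled on the lure described in the article.
SAMPLE = """From: Meta Support <notice@mail.example>
Subject: Copyright infringement on your Instagram account

<p>Appeal within 12 hours or the account will be permanently deleted.</p>
<a href="https://appeal-center.example/form">Appeal Form</a>
"""
```

Calling `triage(SAMPLE)` returns all four findings; a message that trips several of them at once is a reasonable candidate for quarantine or analyst review.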

“To prevent this from happening, do not share passwords or codes, and be cautious about how this data is stored. If compromised, change the password or regenerate new backup codes immediately,” advises Trustwave SpiderLabs in a blog post.