'A hacker scammed my friends on Instagram with fake Oasis tickets'

Jonny, an Instagram user, told Which? of his panic after being locked out of his account by hackers while they conducted a ticketing scam targeting his friends and followers.
Sadly, Jonny's story isn't unique. It comes amid a surge in ticketing fraud after a year of high-profile and sold-out events, which prompted a warning from the Home Office in June to be cautious when searching for last-minute tickets.
Last year, at least £1.6m was lost to ticket fraud. Action Fraud received 3,700 reports of gig ticket fraud during the same period, and almost half of them referred to offers made on social media platforms.
Oasis fans have been particularly badly affected: TSB found that they lost more than twice as much (107%) to scammers as fans of Taylor Swift.
Here, we look at Jonny's experience of recovering a hacked account and explain how to secure your social media account.
'I felt ignored by Instagram'
In September, Jonny's Instagram account was hacked. He found himself unable to get back in, as the cybercriminals now running the account had changed his login details.
Shortly after this, a scam post was published on his profile selling tickets to the Oasis tour.
Jonny's friends began sending him screenshots of conversations they’d had with whoever was controlling his account. He then learnt that at least two people had transferred money to the scammer.
In trying to report it to Instagram, Jonny found its instructions were limited. He was unable to perform Instagram’s selfie verification – one of Instagram's security measures to confirm your true identity – because Instagram didn't send him an information email on how to do it, despite him requesting one.
Jonny contacted several publications for help, including Which?, and also messaged an employee from Meta (Instagram’s parent company) on LinkedIn. Finally, this distressing situation was brought under control.
Jonny's distress, however, wasn't over, as his account wasn’t restored to its prior state. He had to manually remove the scam post himself and was still able to view angry messages from the scammers’ victims, with some using abusive language.
Preventing social media hacking
Which? contacted Meta about Jonny's case, and it told us his access had been restored. It noted that he did not have two-factor authentication (2FA) enabled at the time of the hack – something it ‘strongly recommends’, but is not mandatory.
Those who lost money via bank transfer may be able to recover it from their bank under the mandatory reimbursement rules that have been in force for the past year. Unfortunately, the £100 excess that banks are allowed to apply could wipe out a large chunk of any refund due. Not all banks apply the excess, though.
Jonny is now campaigning to raise public awareness of scams, the risk of being hacked and how social media platforms respond. Jonny said: 'I simply want to make others aware of how easy it is to be scammed, yet so difficult to get a response from Instagram when you most need one.'
Sadly, scammers seek to take over social media accounts to facilitate scams, and they can gain access in many ways. That could be through a data breach, malware on your device or even a brute-force attack, where hackers guess passwords until eventually one works.
To prevent your account from being hacked, we recommend that you:
- don't use the same password across different accounts, create secure passwords and use a reputable password manager
- download antivirus software on your devices
- update your devices – updates include protection from viruses
- set up two-factor authentication (2FA) or two-step verification (2SV). This is when you provide a separate form of identification – such as a code sent via text – when you log in to an account.
How to buy resale tickets safely
If you're looking to buy resale tickets for a sold-out gig or festival, we recommend using the event organiser's official resale site.
Most events will partner with a resale platform (such as Twickets or Ticketmaster's fan-to-fan exchange), where unwanted tickets will be sold at face-value price.
It's best to always use these official platforms to ensure you're getting a fair price and legitimate tickets.
Most event organisers explicitly prohibit the resale of tickets on sites such as Stubhub and Viagogo, meaning you could face higher prices and be refused entry when buying from these platforms.
It's all too easy to find yourself on Viagogo's website, as it's often the first Google result when searching for event tickets. This can be the case even when tickets are still available via the primary ticket seller.
It's worth double-checking who you're buying from (and that they're the official primary ticket seller or official resale partner) before completing your purchase.
If you've been the victim of a ticketing scam, contact your bank immediately and report the scam to Action Fraud, or to the police on 101 if you live in Scotland.


