Instagram users are targeted by cyber attackers on a regular basis. In a recent scam, attackers use phishing to get to higher-profile “Instastars,” then lock them out of their accounts and demand a ransom. You may think it takes some complicated trick to let these criminals into the accounts, but in reality, it’s a very simple plan.

Researchers at the cybersecurity and antivirus company Avast found the targets to be primarily well-established Instagram users with thousands or even hundreds of thousands of followers. Often they are the ones with the blue checkmarks, which denote a verified user. The attackers send a phishing message purporting to be from a potentially lucrative business partner. If the user clicks a URL in the message, they are asked to enter their Instagram login credentials. It’s really that simple. Once the attackers have the credentials, they change the passwords, lock the users out of their accounts, and demand a modest $100 to let them back in.

Unfortunately, this works all too well. Avast researchers found that most people actually pay the $100. After all, it’s really not that much to get your popular social media account back, right? However, to their surprise, the users were not actually let back into their accounts.

You are the best defense against these types of attacks. Just because some random “person” in an email claims to be a potential business partner doesn’t make it true. If you are not expecting to receive a link or attachment, don’t click on it. That’s the best advice anyone can give.

In addition, keep antivirus on all of your devices and always keep it updated. It’s easiest to just turn on the auto-update feature. Then you can count on the most recent antivirus files being loaded. It’s real peace of mind. There are many options available, and some of the good ones are even free. Do your research, though, and make sure it’s a legitimate product before installing it.

You should also enable two-factor authentication on your social media accounts. Nearly all of the popular ones have this available these days. It requires anyone logging into your account on a new device to enter a secondary credential before gaining access. It could be a one-time code that is sent via text, or it could be a randomly generated number on a key fob. Multi-factor authentication (MFA) such as this should also always be enabled on your financial accounts.

Make sure your passwords are strong. They should be at least eight characters, have upper and lowercase letters, not be dictionary words, not be easy to guess, and should include special characters and numbers too.

Several Instagram attacks have been seen recently, including one in August that caused large-scale login issues for users. Unfortunately, celebrities are often targeted. In 2017, Selena Gomez’s Instagram was compromised when a vulnerability was found in the software. Also in late 2017, Instagram developers fixed an issue that had already allowed thieves to steal phone numbers and email addresses of users, but not before the information made its way to the public. Victims in that case included Miley Cyrus, Emma Watson, Beyoncé, and Leonardo DiCaprio.