With email security, it’s a never-ending cycle of attacks and counterattacks. Whenever the bad guys come up with some clever new way to scam people, the good guys eventually figure out a way to combat it. If only that were the end of the story.

Unfortunately, it really is a never-ending cycle. So, whenever the good guys come up with a counter move, the bad guys immediately jump on it and figure out some way to use that counter move in their next scam. Such is the case with two-factor authentication (2FA).

2FA is a way to grant access to a computer system based on two pieces of evidence. One is usually a username/password combo. The other can be any of several things, including biometrics, tokens or a secret code texted to a mobile phone. 2FA is meant to make accessing computers safer. So, you knew it would only be a matter of time before the bad guys figured out some way to use 2FA against users.

The latest phishing scam tries to use people’s trust in 2FA against them. According to Sophos Security, there’s a new phishing “attack received this week that was much more believable, this time going for Instagram accounts.”

As I’ve written about previously, Instagram is now more popular than Facebook, so naturally it’s being used more frequently by hackers to target users.

According to the website Silicon Angle, “The messages, claiming that someone has tried to log into a user’s Instagram account, are designed to look as close as possible to the official Instagram messages. The use of a fake 2FA at the end of the message implies a certain level of security.”

If that isn’t bad enough, “the use of an HTTPS certificate which delivers a padlock on the scam page is another attempt to draw users in as people have been trained to look for it as a sign of security.”

The hackers’ playbook is almost getting predictable. Find a technology people think makes the web safe and use it against them to win their trust.

Given how clever hackers are at using our trust against us, can you guarantee that you won’t fall for the next phishing scam? Probably not. That’s why you need some help.

Introducing some help: Phish Protection. Phish Protection is a cloud-based email security platform that offers phishing protection to protect your entire company from all advanced phishing threats. Even the really clever ones. Try it free for 30 days.