Researchers recently spotted a sneaky phishing scam that uses a phony two-factor authentication request to trick email recipients into entering their Instagram login credentials.

“Someone tried to log in to your Instagram account. If this wasn’t you, please use the following code to confirm your identity,” according to the fraudulent email, which provides a six-digit code that supposedly must be entered after the prospective victim clicks on a link that leads to what appears to be a login page.

“The use of what looks like a 2FA code is a neat touch: the implication is that you aren’t going to need to use a password, but instead simply to confirm that the email reached you,” explains Sophos senior technologist Paul Ducklin, in an Aug. 23 company blog post. “And two-factor authentication codes kind of ooze cybersecurity – because, well, because 2FA,” he continues.

But if the email recipient clicks the link, he is actually taken to a malicious .CF (Central African Republic) domain that does a convincing impersonation of a real Instagram log-in screen, complete with a valid HTTPS certificate.

“A phishing campaign that uses a fake 2FA response gives the illusion of a secure communication, but in reality, it is the exact opposite. It’s almost like social engineering, in which someone wants to do the right thing, but doesn’t think it all the way through,” said Dan Conrad, field strategist at One Identity, in emailed comments. “Emails coming from an Instagram impostor are just a small indicator of the types of attacks and damage that could be possible in the future.”

However, there were still some signs that gave away the Instagram scam. For starters, emails that offer recipients links for logging in to an online service should be treated as a red flag. Recipients can always just go to the service’s website or app to log in, and should use the service’s official procedure for checking past login activity. Furthermore, the .CF domain is unusual – it even spells “login” incorrectly – and the phishing email body contains one notable punctuation error (although it is otherwise clean).
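
The link-related giveaways described above can be checked mechanically on a mail gateway or in a triage script. The following Python sketch is an added example, not code from Sophos or from the campaign analysis; the official-domain list, the keyword list, the flag names and the sample email (including its host name and code) are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

OFFICIAL_DOMAINS = {"instagram.com"}   # assumption: the brand's real sign-in domain
UNUSUAL_TLDS = {"cf"}                  # the TLD named in the article; extend locally
KEYWORDS = ("login", "signin")         # assumption: words a fake host may imitate

def edit_distance(a, b):
    """Plain Levenshtein distance between two short strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def link_red_flags(url):
    """Return the article's warning signs that apply to one link from an email."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    flags = []
    official = any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)
    if not official:
        flags.append("not-official-domain")
    if host.rsplit(".", 1)[-1] in UNUSUAL_TLDS:
        flags.append("unusual-tld")
    # Split the host into alphabetic tokens and look for near-misses of a keyword.
    for token in re.findall(r"[a-z]+", host):
        if any(token != k and edit_distance(token, k) == 1 for k in KEYWORDS):
            flags.append("misspelled-keyword:" + token)
    if not official and parsed.scheme == "https":
        flags.append("https-is-not-proof")  # the fake page had a valid certificate
    return flags

def scan_email(body):
    """Map every http(s) link found in an email body to its red flags."""
    return {u: link_red_flags(u) for u in re.findall(r"https?://[^\s\"'<>]+", body)}

# Constructed sample email; the host and the code below are made up.
SAMPLE = ("Someone tried to log in to your Instagram account. "
          "Use code 123456 at https://instagram-logiin.example-constructed.cf/confirm")

if __name__ == "__main__":
    for url, flags in scan_email(SAMPLE).items():
        print(url, flags)
```

A link to the genuine site returns an empty list, while the constructed phishing link trips all four checks; the HTTPS flag is a reminder that a padlock on an unofficial host says nothing about who runs it.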