Don’t Believe This Fake Email About Your Instagram Account

Social media is a frequent target for scammers, who use it for everything from impersonating banks and offering fake investment advice to spreading malware via AI-generated videos. A phishing campaign currently aimed at Instagram users also starts with a phishing email, but with a twist.

How the mailto: Instagram scam works

Malwarebytes Labs has identified a phishing scam that starts with an email purporting to be from Instagram, asking the user to verify their identity because someone has just tried to log into their account. The text contains a verification code and a link to “report this user to protect your account,” as well as a link to remove the email address from the account.

Campaigns like this usually redirect users to a phishing site where they are prompted to enter their login credentials or other personal information. In some cases, the fake sites use tech support chatbots or step-by-step instructions on how to “fix” the problem. Whatever the tactic, the attackers are trying to collect enough information to steal your identity, your money, or both, by playing on your fear and your urge to protect your account right away.

What makes this Instagram scam different is what happens when you click on the links in the email. Instead of leading to a scam website, each link is a mailto: link that opens your device’s default email program with the recipient and subject fields pre-filled, for example “Report this user to protect your account” or “Remove your email address from this account.”

The addresses in the recipient fields look relatively trustworthy thanks to a tactic known as typosquatting, although none of them actually belong to Instagram. The messages ultimately land on the attackers’ servers, and clicking “Send” on your end confirms that your email address is active and worth targeting further.


Mailto phishing is a longer game: the scammers don’t collect your personal information right away, but they can use the ensuing correspondence to build trust, since sending an email may seem less risky or obvious to victims than clicking a link to an unfamiliar website and entering information there. Mailto links also bypass email filters more easily than links to malicious domains, and attackers don’t have to create and maintain multiple sites that might be blocked.
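The two properties described above, pre-filled mailto: links and typosquatted recipient domains that slip past filters tuned for URLs, are exactly what a mail filter can check for. The following script is an added example, not code from Malwarebytes or from the article; it audits the mailto: links in an HTML email body, decodes the pre-filled recipient and subject, and flags recipient domains that are not on a trusted list, with a separate “lookalike” verdict for labels that closely imitate a brand word. The trusted-domain list, the brand labels, the similarity threshold and the sample email are all constructed assumptions.

```python
"""Audit the mailto: links in an HTML email body.

Constructed example: flags mailto: recipients whose domain is not on a
trusted list and calls out lookalike (typosquatted) brand domains. The
trusted domains, brand labels, threshold and sample email are assumptions.
"""
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: domains a defender would accept as genuine senders for this brand.
TRUSTED_DOMAINS = {"instagram.com", "mail.instagram.com", "facebookmail.com"}
# Assumption: brand words a typosquat would try to imitate.
BRAND_LABELS = {"instagram", "facebookmail"}
LOOKALIKE_THRESHOLD = 0.8  # label similarity at or above this counts as a typosquat


class HrefCollector(HTMLParser):
    """Collect every href attribute found on <a> tags, in document order."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value.strip())


def parse_mailto(href):
    """Split a mailto: href into (recipients, subject); None for non-mailto hrefs."""
    parts = urlsplit(href)
    if parts.scheme.lower() != "mailto":
        return None
    query = parse_qs(parts.query)  # parse_qs already percent-decodes values
    # RFC 6068: recipients sit in the path; extra ones may be given as ?to=
    raw_recipients = [unquote(parts.path)] + query.get("to", [])
    recipients = [r.strip().lower() for chunk in raw_recipients
                  for r in chunk.split(",") if r.strip()]
    subject = query.get("subject", [""])[0]
    return recipients, subject


def classify_domain(domain):
    """'trusted' if allowlisted, 'lookalike' if any label imitates a brand word, else 'untrusted'."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    # Split on dots and hyphens so "lnstagram-security.com" yields "lnstagram"
    labels = [lbl for lbl in domain.replace("-", ".").split(".") if lbl]
    for label in labels:
        for brand in BRAND_LABELS:
            if label == brand or SequenceMatcher(None, label, brand).ratio() >= LOOKALIKE_THRESHOLD:
                return "lookalike"
    return "untrusted"


def audit_email(html):
    """Return one finding per mailto: link: recipients, subject and the worst verdict."""
    collector = HrefCollector()
    collector.feed(html)
    severity = {"trusted": 0, "untrusted": 1, "lookalike": 2}
    findings = []
    for href in collector.hrefs:
        parsed = parse_mailto(href)
        if parsed is None:
            continue  # http(s) links belong to a URL reputation check instead
        recipients, subject = parsed
        verdicts = [classify_domain(r.rsplit("@", 1)[1] if "@" in r else "")
                    for r in recipients]
        worst = max(verdicts, key=severity.get, default="untrusted")
        findings.append({"href": href, "recipients": recipients,
                         "subject": subject, "verdict": worst})
    return findings


# Constructed sample body; the addresses and wording are invented for the demo.
SAMPLE_EMAIL_HTML = """
<p>Someone just tried to log in to your account.</p>
<a href="mailto:security@instagram.com?subject=Genuine%20link">Contact support</a>
<a href="mailto:report@lnstagram-security.com?subject=Report%20this%20user%20to%20protect%20your%20account">Report this user to protect your account</a>
<a href="mailto:unsubscribe@mail-services-support.net?subject=Remove%20your%20email%20address">Remove your email address from this account</a>
<a href="https://example.com/help">Help center</a>
"""

if __name__ == "__main__":
    for f in audit_email(SAMPLE_EMAIL_HTML):
        print(f"{f['verdict']:10} {', '.join(f['recipients'])}  subject={f['subject']!r}")
```

Run against the constructed sample, the genuine address is reported as trusted, the “lnstagram” recipient as a lookalike, and the generic support domain as untrusted; the https link is skipped because it would be handled by the usual URL checks. The same audit can sit in a mail gateway or a user-facing plugin, which addresses the article’s point that mailto: links tend to evade filters built around malicious URLs.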

How to avoid mailto phishing attacks

As with any scam, be wary of messages that seem urgent and demand immediate action, especially those about account security. Legitimate companies do not ask for your login credentials, bank details, or other sensitive information via email, chat, or social media messages. Always open the company’s app or website to find contact information, rather than replying to whoever contacted you first.

As a general rule, avoid clicking on links in such messages at all. Always hover over a link to see where it actually points – a mailto: link is no more legitimate than a link to a phishing site.
