A phishing campaign spotted by Malwarebytes is targeting Instagram users with a method that sidesteps the indicators most spam filters look for. Instead of sending victims to a fake website, the attackers get them to reply by email and collect their data through the conversation that follows.
Fake Alerts Trigger Reply Emails Instead of Web Clicks
The scam email is designed to look like a genuine security alert from Meta. It warns that someone has attempted to log in to the user’s Instagram account. A six-digit code is included in the message, along with two response options. One appears to let the user report the activity, and the other claims to help remove an email address from the account.

Unlike traditional phishing links, these do not point to a website. They are mailto: links, which can carry a recipient address, a subject and even a body text, so clicking one opens the user’s email app with a draft already filled in. The draft is addressed to a mailbox at a domain that closely resembles a legitimate business, and its subject line mirrors the alert shown in the original email.
Fake Domains Use Slight Variations to Look Real
The attackers register domains that closely match trusted company names. The technique is a form of typosquatting: letters are swapped or an extra suffix is appended so that the address reads as the brand’s at a glance. The addresses in this campaign borrowed names from travel, tech and retail brands and placed them under suffixes such as uk.com, com.de and us.com. Those are not country-code top-level domains but ordinary .com and .de domains whose owners sell subdomains, so anyone can register vacasa.uk.com without any relationship to the real company.
Examples of these addresses include:
- prestige@vacasa.uk.com (imitating a vacation rental brand)
- technique@pdftools.com.de (mimicking a document software provider)
- anticipation@salomonshoes.us.com (referencing a sportswear brand)
Many of these addresses were inactive when tested later, but a shared IP address linked them to a wider network of similar domains.
Scammers Avoid Detection and Save Effort
Phishing campaigns that depend on malicious links are often stopped by automated systems that check every URL against lists of known bad domains or open it in a sandbox. A mailto: link gives those systems nothing to fetch: it points at a mailbox rather than a web page, so there is no site to scan, and the recipient domain is unlikely to appear on any list of known bad domains. That is why these messages are flagged or filtered less often.
This method also saves time. The attackers do not need to design and host fake pages or create login forms. They only need to monitor incoming emails and wait for victims to reply. That response tells them the email address is real and being used.
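As an added example that is not part of the original article or of Malwarebytes’ research, the Python below shows how a mail filter could pick this pattern apart. It parses a constructed HTML alert modelled on the one described above, decodes each mailto: link into its prefilled recipient, subject and body, and flags a message that claims to come from Instagram or Meta yet routes its “report” action to a mailbox at a brand-alike domain under a privately sold suffix such as uk.com. The brand allowlist, the suffix list and the sample message are assumptions made for the example; a real deployment would take the suffixes from the Public Suffix List.

```python
"""Flag reply-by-mailto lures in an HTML security alert (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import parse_qs, unquote, urlsplit

# Domains the impersonated brand really sends from: an assumed allowlist.
BRAND_DOMAINS = {"instagram.com", "facebookmail.com", "meta.com"}

# Pseudo-ccTLD suffixes: uk.com is an ordinary .com domain whose owner sells
# subdomains, so vacasa.uk.com needs no link to vacasa.com. Constructed short
# list; the Public Suffix List's private section is the authoritative one.
PRIVATE_SUFFIXES = {"uk.com", "us.com", "com.de", "de.com", "eu.com", "gb.com"}

# Constructed lure modelled on the article: two mailto: actions, no web link.
SAMPLE_EMAIL = """\
From: Instagram Security <alerts@security-notice.example>
To: victim@example.org
Subject: New login attempt on your Instagram account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Someone tried to log in to your Instagram account. Your code is 482913.</p>
<p><a href="mailto:prestige@vacasa.uk.com?subject=Report%20login%20482913&amp;body=This%20was%20not%20me">Report this activity</a></p>
<p><a href="mailto:technique@pdftools.com.de?subject=Remove%20email%20482913">Remove my email from this account</a></p>
</body></html>
"""


class _HtmlCollector(HTMLParser):
    """Gather anchor hrefs and visible text from an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs, self.text = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

    def handle_data(self, data):
        self.text.append(data)


def parse_html(html):
    """Return (hrefs, visible_text) for an HTML body."""
    collector = _HtmlCollector()
    collector.feed(html)
    return collector.hrefs, " ".join(collector.text)


def mailto_targets(hrefs):
    """Decode each mailto: href into its To address and prefilled fields."""
    targets = []
    for href in hrefs:
        if not href.lower().startswith("mailto:"):
            continue
        parts = urlsplit(href)  # path carries the address, query the fields
        fields = {k: v[0] for k, v in parse_qs(parts.query).items()}
        targets.append({"address": unquote(parts.path).lower(),
                        "subject": fields.get("subject", ""),
                        "body": fields.get("body", "")})
    return targets


def private_suffix(host):
    """Return the pseudo-ccTLD suffix host sits under, or '' if none."""
    labels = host.lower().strip(".").split(".")
    suffix = ".".join(labels[-2:])
    return suffix if len(labels) >= 3 and suffix in PRIVATE_SUFFIXES else ""


def analyze(raw_email):
    """Return the mailto: targets and the reasons a message looks like a lure."""
    msg = message_from_string(raw_email)
    sender = " ".join(parseaddr(msg.get("From", ""))).lower()
    claims_brand = re.search(r"\b(instagram|meta)\b", sender) is not None
    hrefs, text = parse_html(msg.get_payload())
    targets = mailto_targets(hrefs)
    lure_code = re.search(r"\b\d{6}\b", text)  # the "verification" code shown
    findings = []
    if claims_brand and targets:
        findings.append("brand alert offers mailto: actions instead of site links")
    for target in targets:
        host = target["address"].rpartition("@")[2]
        if claims_brand and not any(host == d or host.endswith("." + d)
                                    for d in BRAND_DOMAINS):
            findings.append(f"reply goes to {host}, not a brand sending domain")
        if private_suffix(host):
            findings.append(f"{host} is a subdomain sold under "
                            f"{private_suffix(host)}, not a country-code domain")
        if lure_code and lure_code.group() in target["subject"]:
            findings.append("prefilled subject repeats the lure code, tagging the reply")
    return {"mailto": targets, "findings": findings,
            "verdict": "suspicious" if findings else "clean"}
```

Calling analyze(SAMPLE_EMAIL) returns a "suspicious" verdict with seven findings: one because a brand alert offers mailto: actions at all, and three per link (a non-brand reply domain, a privately sold suffix, and a prefilled subject that repeats the six-digit code, which is what lets the attacker tie each reply back to the lure it came from). A genuine alert whose only action is an https link to the brand’s own domain produces no findings.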
Email Replies Allow Ongoing Contact
Once contact begins, the attacker may follow up with more messages. These emails can request account credentials or other sensitive information under the claim of helping the user secure their profile. The victim, already engaged in conversation, may feel less threatened replying to email than clicking unknown links.
This technique lets the attacker build trust while collecting personal data. Because the exchange is ordinary correspondence with no link or attachment to scan, and nothing is hosted that could be reported or taken down, external systems have little to detect or block.
Compromised Accounts May Be Held for Ransom
Instagram profiles can be valuable, even when they do not belong to businesses or influencers. Stolen accounts are sometimes sold, reused in other attacks, or locked until the owner pays to regain access. Some users feel forced to comply to avoid losing years of content.
Check Activity in the App Before Taking Action
If users receive emails that claim to be login alerts, they should avoid responding directly. It is safer to check for security notifications inside the Instagram app. The “Where you’re logged in” section under account settings lists the devices that have accessed the account and will show any unfamiliar one. Instagram also keeps a record of the security emails it has actually sent under the “Emails from Instagram” setting, so an alert that does not appear there did not come from Instagram.
If no strange activity appears there, the email was likely a scam. Even if the email looks urgent, replying confirms to the attacker that the address is valid and may lead to future targeting.
Avoid Engaging with Suspicious Emails
To stay protected, users should examine sender addresses carefully. If the message claims to be from Instagram but uses a domain linked to an unrelated company or unknown provider, it should be treated as suspicious. Most legitimate platforms will never ask for sensitive information over email.
Deleting the message without responding is the safest step. Once an attacker knows an address is active, further phishing attempts are likely.
Notes: This post was edited/created using GenAI tools.