Watch out: Instagram users targeted in novel phishing campaign
A phishing campaign targeting Instagram users is doing the rounds. There are plenty of those around, but when we took a look at this particular email, it seemed a bit different to the normal phishing emails that point to scammy websites.
The email looked like this, which is very similar to the one Instagram sends if it wants you to confirm your identity:
“Hi {name}
Someone tried to log in to your Instagram account.
If this was you, please use the following code to confirm your identity:
231342
If this wasn’t you, please [Report this user] to secure your account.”
Instead of linking to a phishing website, which is most common with emails like this, both the “Report this user” and “Remove your email address” links are mailto: links. Clicking on a mailto: link opens your default email program with a pre-addressed message whose subject line is already filled in: “Report this user to secure your account” for the first link, or “Remove your email address from this account” for the second.
The email addresses in these links all used unsuspicious-looking domains that were made to resemble legitimate ones. Registering domain names for this purpose is a technique we call “typosquatting.”
In the case we researched, the email addresses were:
- prestige@vacasa[.]uk.com (typosquat of vacasa.com, vacation rentals)
- ministry@syntec[.]uk.com (typosquat of syntechnologies.co.uk, hardware provider)
- technique@pdftools[.]com.de (typosquat of pdf-tools.com, software provider)
- service@boss[.]eu.com (several possibilities)
- threaten@famy[.]in.net (science news site, possibly compromised)
- difficulty@blackdiamond[.]com.se (known malicious domain)
- anticipation@salomonshoes[.]us.com (typosquat of salomon.com, running shoes)
We sent an email to these addresses from a dummy account to see what happened. Unfortunately, most of them were dead in the water when our email reached them. However, we did find that a lot of the servers were hosted at the same IP address.
Researching the IP address showed that many more domains had been set up there, likely with the same objective in mind.
Why mailto: links?
Many email filters look for links to malicious domains and new ones get added fairly quickly, so the domains and emails are only useful for one day (on average). Using mailto: links can therefore help attackers avoid automated flagging or URL reputation checks.
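The pattern described above (a call-to-action that is a mailto: link, a reply address on a lookalike of some unrelated brand, and a pre-filled subject line) can be checked for on the receiving side. The following triage helper is an added example and is not code from the article or from Malwarebytes. The brand allowlist, the list of legitimate brand domains, the set of two-label suffixes and the sample message are constructed assumptions; the two reply addresses in the sample are taken from the list above, and the third link is a benign control.

```python
"""Flag mailto: call-to-action links in an HTML email whose reply address does
not belong to the brand the message claims to come from (added example)."""
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: domains a genuine Instagram/Meta notice could ask you to contact.
BRAND_ALLOWLIST = {"instagram.com", "facebookmail.com", "meta.com"}
# Legitimate domains of the brands the campaign imitated (from the article),
# used to spot lookalikes such as vacasa.uk.com versus vacasa.com.
KNOWN_BRANDS = {"vacasa.com", "pdf-tools.com", "salomon.com"}
# Pre-filled subjects in the campaign start with an action verb.
ACTION_WORDS = {"report", "remove", "secure", "confirm", "verify"}
# Assumption: second-level suffixes seen in the campaign, treated as public.
TWO_LABEL_SUFFIXES = {"uk.com", "com.de", "eu.com", "in.net", "com.se", "us.com", "co.uk"}

# Constructed sample modelled on the message quoted in the article.
SAMPLE_EMAIL = """\
From: "Instagram" <security@mail-instagram-support.example>
To: victim@example.org
Subject: Someone tried to log in to your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Someone tried to log in to your Instagram account.</p>
<p>If this wasn't you, please <a href="mailto:prestige@vacasa.uk.com?subject=Report%20this%20user%20to%20secure%20your%20account">Report this user</a>.</p>
<p><a href="mailto:anticipation@salomonshoes.us.com?subject=Remove%20your%20email%20address%20from%20this%20account">Remove your email address</a></p>
<p>Questions? Contact <a href="mailto:privacy@instagram.com">our privacy team</a>.</p>
<p><a href="https://help.instagram.com/">Help Center</a></p>
</body></html>
"""


class MailtoExtractor(HTMLParser):
    """Collect the href of every <a> tag that uses the mailto: scheme."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") or ""
        if tag == "a" and href.lower().startswith("mailto:"):
            self.links.append(href)


def parse_mailto(href):
    """Return (address, pre-filled subject) from a mailto: URL."""
    parts = urlsplit(href)  # query is split off for any scheme
    address = unquote(parts.path).strip().lower()
    subject = parse_qs(parts.query).get("subject", [""])[0]
    return address, subject


def registrable_domain(domain):
    """Crude registrable-domain extraction honouring the suffixes above."""
    labels = domain.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw_email):
    """Return one finding per mailto: link with the reasons it looks suspicious."""
    msg = message_from_string(raw_email, policy=default)
    body = msg.get_body(preferencelist=("html",))
    extractor = MailtoExtractor()
    extractor.feed(body.get_content() if body else "")
    findings = []
    for href in extractor.links:
        address, subject = parse_mailto(href)
        domain = address.rsplit("@", 1)[-1]
        reasons = []
        if not any(domain == d or domain.endswith("." + d) for d in BRAND_ALLOWLIST):
            reasons.append("reply address is not a brand domain")
        reg = registrable_domain(domain)
        label = reg.split(".")[0]
        for legit in sorted(KNOWN_BRANDS):
            legit_label = legit.split(".")[0]
            if reg != legit and (edit_distance(label, legit_label) <= 1 or legit_label in label):
                reasons.append("lookalike of " + legit)
        if subject and subject.split()[0].lower() in ACTION_WORDS:
            reasons.append("pre-filled action subject")
        findings.append({"address": address, "subject": subject,
                         "reasons": reasons, "suspicious": bool(reasons)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EMAIL):
        print(f)
```

The allowlist check is the one that matters most: a notice that claims to be from Instagram but asks you to reply to another brand's domain is wrong regardless of how plausible that domain looks. The lookalike check and the action-verb subject are supporting signals, and the same structure works for any brand by swapping the two domain sets.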
It also saves the cybercriminals work. They don’t need to set up a fake website, which in this case would be an Instagram clone, or all the back end infrastructure needed to harvest the credentials. All they need to do now is watch the email inbox and wait for victims.
Receiving an email validates that the email address the phishing mail was sent to is active and someone is using it. That opens the victim up for further attempts. By engaging in a conversation, attackers can directly request sensitive information in a less obvious way than with a phishing form, often through continued correspondence.
Victims may feel safer replying to an email than clicking on a suspicious link. The fear of instant repercussions is smaller when you’re sending an email than when you’re visiting an unknown website.
Instagram phishing
In March 2025, security awareness provider Phishing Tackle reported on a phishing campaign targeting Meta users, which aimed to steal access to Instagram business accounts. The scam used step-by-step instructions and fake chat support to trick users.
In that case, the scammers threatened users with a suspension of the account due to advertising violations, but it showed once more that influential Instagram accounts are an attractive target for phishers. They can use compromised accounts for other campaigns or sell the harvested credentials to other cybercriminals.
But even if you’re not a business or bedecked with followers, if someone compromises your Instagram account they can lock you out and then demand money to give you back the account. Sadly, many people feel forced to pay because they don’t want to lose years of photos and their associated memories.
How to avoid Instagram phishing
Since we can expect to see more phishing campaigns that use mailto: links, here are some tips to avoid falling victim to such a scam.
- As with regular links, scrutinize the destination of an email link. Even if the domain looks legitimate, your Instagram account isn’t secured by a shoe maker, a vacation provider, or someone using a Gmail address. The email address should be one that belongs to Instagram or Meta.
- Remember that legitimate companies will not ask you to mail them your account details, credentials, or other sensitive information.
- If there’s an urgency to respond to an email, take a pause before you do. This is a classic scammer trick to get you to act before you can think.
- Don’t reply if the warning looks suspicious in any way. Sending an email will tell the phishers that your email address is active, and it will be targeted even more.
- Do an online search about the email you received, in case others are posting about similar scams.
- Use Malwarebytes Scam Guard to assess the message. It will tell you whether it’s a scam or, if it isn’t sure, give you tips on how to find out.