Social media is both a frequent vehicle and target for scammers, who use it for everything from impersonating banks offering fake investment advice to spreading malware through AI-generated videos. A campaign currently circulating targets Instagram users via phishing emails—with a twist.
How the mailto: Instagram scam works
Malwarebytes Labs has identified a phishing scheme that begins with an email appearing to be from Instagram, asking users to confirm their identity because someone has just tried to log into their account. The text includes a verification code, a link to “report this user to secure your account,” and a second link to remove your email address from the account.
Campaigns like this often send users to a phishing website, where they are prompted to enter their credentials or other personal identifying information. In some cases, the fake sites have tech support chatbots or list step-by-step instructions to “fix” an issue. No matter the tactic, threat actors are trying to obtain enough information to steal your identity, your money, or both by capitalizing on your fear and sense of urgency to secure your account.
What’s different about this Instagram scam is what happens when you click the links in the email. Instead of leading to a fraudulent website, each link is a mailto: link, which opens the default email program on your device with a pre-filled recipient and a subject line such as “Report this user to secure your account” or “Remove your email address from this account.”
The addresses in the recipient lines look relatively trustworthy thanks to a tactic known as typosquatting, in which attackers register domains that closely resemble a legitimate one. As you would expect from a scam, none of them actually leads back to Instagram; they connect to servers run by threat actors, and hitting “send” on your end confirms that your email address is active and ripe for further targeting.
Mailto: phishing is more of a long game: scammers don’t collect your personal information right away, but they can use the conversation to build trust, as sending an email may seem less risky or obvious to victims than clicking a link to an unfamiliar website and entering information there. Mailto: links may evade email filters more easily than links to malicious domains, and threat actors don’t have to set up and maintain multiple sites that may be shut down.
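The mechanics described above (a mailto: link carrying a pre-filled recipient and subject, with a recipient domain that only resembles the impersonated brand) can be checked mechanically before anyone hits “send.” The script below is an added example written for this article, not code from Malwarebytes Labs: it parses a raw email, pulls every mailto: link out of the HTML body, decodes the recipient and subject, and flags recipients whose domain is a close lookalike of the brand the message claims to come from. The sample message and its lookalike domains are constructed for the example and use the reserved .test TLD; the brand domain (instagram.com) and the edit-distance threshold of 2 are assumptions a deployment would tune.

```python
"""Flag mailto: links in an email whose recipient domain only resembles the claimed brand."""
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample in the shape the article describes. Domains use the reserved
# .test TLD; nothing here is a real address or a real phishing sample.
SAMPLE_EMAIL = """From: Instagram <security@sender-placeholder.test>
Subject: Someone tried to log in to your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>We noticed a login attempt. Your verification code is 123456.</p>
<p><a href="mailto:support@lnstagram.test?subject=Report%20this%20user%20to%20secure%20your%20account">Report this user to secure your account</a></p>
<p><a href="mailto:remove@instagrarn.test?subject=Remove%20your%20email%20address%20from%20this%20account">Remove your email address from this account</a></p>
<p><a href="https://www.instagram.com/">Open Instagram</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; small values mean a likely lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_mailto_links(raw_email: str, brand_domain: str = "instagram.com", max_distance: int = 2):
    """Return one finding per mailto: link: recipient, domain, decoded subject, lookalike verdict."""
    msg = message_from_string(raw_email)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    collector = LinkCollector()
    collector.feed(body)

    brand_label = brand_domain.split(".")[0]  # e.g. "instagram"
    findings = []
    for href, text in collector.links:
        parsed = urlparse(href)
        if parsed.scheme.lower() != "mailto":
            continue  # only mailto: links are of interest here
        recipient = unquote(parsed.path)
        domain = recipient.rsplit("@", 1)[-1].lower()
        subject = parse_qs(parsed.query).get("subject", [""])[0]
        label = domain.split(".")[0]
        # A domain that is not the brand's own but sits within a couple of edits of its
        # name, or embeds that name, is the typosquat pattern the article describes.
        lookalike = domain != brand_domain and (
            levenshtein(label, brand_label) <= max_distance or brand_label in label
        )
        findings.append({
            "anchor_text": text,
            "recipient": recipient,
            "domain": domain,
            "subject": subject,
            "lookalike": lookalike,
        })
    return findings


if __name__ == "__main__":
    for f in analyze_mailto_links(SAMPLE_EMAIL):
        verdict = "LOOKALIKE" if f["lookalike"] else "ok"
        print(f"[{verdict}] {f['anchor_text']!r} -> {f['recipient']} (subject: {f['subject']!r})")
```

Run on the constructed sample, both mailto: links are reported as lookalikes while the plain https link is ignored. The same parse is what “hover over the link” does by hand: the anchor text says “report this user,” but the decoded href shows a reply address on a domain that merely resembles the brand.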
How to avoid mailto: phishing scams
As with all scams, you should be wary of messages that seem urgent and prompt you to take immediate action, especially related to account security. Companies will not request your credentials, bank details, or other sensitive information via communication channels like email, chat, or social media message. Always go directly to the company’s app or website to find contact information rather than engaging with someone who contacted you first.
You should generally avoid clicking links in these messages. Always hover over the link to see the destination—mailto: links are no more legitimate than those to phishing sites.