

A newly observed phishing campaign is targeting Instagram users, and it’s using a clever trick to bypass traditional scam filters. If you’ve received an email claiming there was suspicious activity on your Instagram account and urging you to reply, read on. This scam avoids fake websites altogether, making it harder to detect and potentially more dangerous.
How the Instagram scam works
Unlike typical phishing emails that link to bogus websites, this new method uses “mailto:” links—prompting users to send prefilled emails directly to attackers. The email mimics Instagram’s standard login alert format, stating:
“Hi {name}
Someone tried to log in to your Instagram account.
If this was you, please use the following code to confirm your identity:
231342
If this wasn’t you, please [Report this user] to secure your account.”
Clicking the link doesn’t take you to a site—it opens your email program with a message ready to send. This tactic dodges URL-based spam filters and makes the scam seem more trustworthy.
Why it's effective
This scam is effective because it avoids the usual phishing red flags—there’s no suspicious link to click, just a request to send an email. That small change helps it slip past spam filters and lowers the victim’s guard, making the message seem more legitimate and less threatening.
- Harder to detect: Mailto links don’t trigger traditional phishing alarms.
- No fake website needed: Criminals monitor inboxes instead of managing phishing sites.
- Increased engagement: Victims may feel safer replying to an email than clicking a strange link.
- Validates the victim: Sending a reply confirms the email address is active, increasing future targeting risk.
Telltale signs of the scam
Spotting this phishing scam can be tricky because it closely mimics legitimate Instagram communications. However, there are subtle but important clues that reveal its true intent. Here are the key signs to watch for before you engage with any unexpected account security email.
- Sender addresses use typosquatted domains (e.g., salomonshoes[.]us.com instead of salomon.com).
- Message tone creates urgency, prompting immediate action.
- Email asks you to report or secure your account by sending an email—a tactic Instagram never uses.
- No legitimate contact with Meta or Instagram domains.
Protecting your brand & followers
While this campaign appears to target general Instagram users, the tactics used, such as impersonating security alerts and creating urgency, are just as effective against brands. In fact, the potential payoff is even greater when a high-profile or business account is compromised. That means users and brands alike are in the firing line, and brand owners need to be especially careful not to inadvertently hand access to bad actors who could exploit their account, mislead followers, or damage their reputation.
Here’s how brand owners can stay protected:
- Enable strong account security: Use two-factor authentication and regularly audit account permissions.
- Educate your social media team: Ensure anyone managing your brand’s account can identify phishing red flags.
- Monitor for social media impersonation: Set up alerts and tools to detect fake or spoofed accounts using your brand.
- Secure your domain portfolio: Prevent typosquatting by registering close variants of your brand name.
- Report suspicious activity promptly: Use Meta’s official channels to report phishing attempts or impersonation.
Being vigilant now can prevent brand damage, data theft, and scams targeting your followers later.
About brandsec
brandsec is a team of highly experienced domain name management and online brand protection experts. We provide corporate domain name management and brand enforcement services, helping brands eliminate phishing platforms across the internet. Supporting some of the largest brands in the region, we offer innovative solutions to combat threats across multiple industries.

Edward Seaford
Product & Enforcement Director
As the Co-Founder and Director of Brandsec and Unphish, Ed brings over two decades of expertise in domain name management, brand protection, and digital risk protection. Ed's career is driven by a deep-seated passion for protecting our clients' brands, and he actively collaborates with registrars, hosting companies, and social media platforms to combat phishing and prevent brand-damaging online content.