Warning: Instagram Users Targeted by Sneaky New Phishing Scam

These fake login alerts don't send you to malware websites. Instead, they attempt to start an email-based back-and-forth in the hope that you'll give up your credentials, Malwarebytes warns.

Jibin Joseph, Contributor

(Credit: Matthias Balk/picture alliance via Getty Images)

Scammers will stop at nothing to get your info, even playing the long game.

As Malwarebytes reports, cybercriminals are targeting Instagram users by sending fake login alerts. The phishing emails mimic Meta's login alerts for unfamiliar devices, so if you haven’t logged in yourself, you're bound to panic and follow the instructions.

The email contains a six-digit verification code and links that let you report the issue if it wasn't you. As you'd expect, the links aren't legit, but they won't lead you to a fraudulent site. Instead, they trigger your default email app and produce a standard reply with pre-filled recipient addresses and a subject line that says "Report this user to secure your account" or "Remove your email address from this account."

Once you hit send, the attackers will know your email address is legit and make further attempts to scam you. The trick here is to engage you in a conversation and request sensitive information directly. They may, for example, ask for your account or personal details to help resolve your bogus login issue. Before you realize it, key account details might get handed over.

Even if you double-check the email addresses, you might not find anything suspicious. This is because the cybercriminals are using a technique called "typosquatting" to register domains that resemble legitimate ones. All they do is make slight modifications to the domain extensions or add a country code. A typosquat Malwarebytes spotted, for instance, was prestige@vacasa[.]uk.com for vacasa.com vacation rentals. 

According to Malwarebytes, attackers use these fake mailto: addresses because they can be created quickly and might escape the email providers' automated flagging or URL reputation checks. Additionally, it saves them the time of creating a fake website, and "victims may feel safer replying to an email than clicking on a suspicious link." 
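The lure described above (a mail whose "report" links are mailto: URLs pointing at a typosquatted domain, with the subject line pre-filled) can be triaged mechanically before anyone replies. The following is an added example, not code from the article or from Malwarebytes: it pulls every mailto: link out of an HTML message body, reads the recipient and pre-filled subject, and flags recipients whose domain borrows a brand label without actually being the brand's domain. The sample HTML is constructed for the example and reuses the vacasa.uk.com address the article quotes; the set of legitimate domains (LEGIT_DOMAINS) and all function names are assumptions of the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed sample body modelled on the lure in the article: the "report"
# and "remove" links are mailto: URLs with a pre-filled subject, not web links.
SAMPLE_HTML = """
<html><body>
<p>Someone tried to log in to your account from a new device.</p>
<p>Your verification code is <b>123456</b>.</p>
<p>If this wasn't you,
<a href="mailto:prestige@vacasa.uk.com?subject=Report%20this%20user%20to%20secure%20your%20account">report this user</a>
or
<a href="mailto:support@vacasa.uk.com?subject=Remove%20your%20email%20address%20from%20this%20account">remove your email address</a>.</p>
<p><a href="https://www.vacasa.com/">Open the site</a></p>
</body></html>
"""

# Domains the brand actually owns (assumption for this example).
LEGIT_DOMAINS = {"vacasa.com"}


class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value.strip())


def extract_mailto_links(html_body):
    """Return a (recipient, subject) pair for each mailto: link in the body."""
    collector = LinkCollector()
    collector.feed(html_body)
    links = []
    for href in collector.hrefs:
        parts = urlsplit(href)
        if parts.scheme.lower() != "mailto":
            continue
        recipient = parts.path.strip()               # the address before '?'
        subject = parse_qs(parts.query).get("subject", [""])[0]
        links.append((recipient, subject))
    return links


def _is_owned(domain, legit_domains):
    """True if domain is a legitimate domain or a subdomain of one."""
    return domain in legit_domains or any(
        domain.endswith("." + d) for d in legit_domains
    )


def is_lookalike(domain, legit_domains):
    """True if the domain reuses a brand label (e.g. 'vacasa') without being
    the brand's domain: vacasa.uk.com matches, mail.vacasa.com does not."""
    domain = domain.lower()
    if _is_owned(domain, legit_domains):
        return False
    brands = {d.split(".")[0] for d in legit_domains}
    return any(label in brands for label in domain.split("."))


def triage_mailto_links(html_body, legit_domains=LEGIT_DOMAINS):
    """Score each mailto: link; a non-empty 'reasons' list marks it suspicious."""
    findings = []
    for recipient, subject in extract_mailto_links(html_body):
        domain = recipient.rsplit("@", 1)[-1].lower() if "@" in recipient else ""
        reasons = []
        if is_lookalike(domain, legit_domains):
            reasons.append("lookalike domain")
        elif domain and not _is_owned(domain, legit_domains):
            reasons.append("unknown domain")
        if any(word in subject.lower() for word in ("report", "remove")):
            reasons.append("pre-filled report/remove subject")
        findings.append({
            "recipient": recipient,
            "domain": domain,
            "subject": subject,
            "reasons": reasons,
            "suspicious": bool(reasons),
        })
    return findings


if __name__ == "__main__":
    for finding in triage_mailto_links(SAMPLE_HTML):
        flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"{flag:10} {finding['recipient']:28} {finding['reasons']}")
```

Run on the sample, both mailto: recipients are flagged as lookalikes (the brand label "vacasa" appears in a domain the brand does not own) with a pre-filled report/remove subject, while an ordinary https link is ignored. The lookalike test is deliberately simple, a label match against the brand's first domain label, so it catches the extra-extension and added-country-code variants the article describes but will not catch single-character typos; that would need an edit-distance comparison on top.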

When in doubt, don't click on anything. Report to your email provider (or Meta) and delete. Even if you responded to the email, remember that no legitimate company will ever ask you for your login credentials, so don't engage if you get a response.

The best way to check whether Meta is really trying to contact you is to open the Instagram app and see whether Meta has sent you any alerts there. Also, go to Settings > Accounts Center > Password and security > Where you're logged in, where you can see your recent login activity and log out of all devices if needed. If you don't see a suspicious device there, the login alert you received by email is likely a hoax.

About Our Expert

Jibin Joseph

Contributor

Jibin is a tech news writer based out of Ahmedabad, India. Previously, he served as the editor of iGeeksBlog and is a self-proclaimed tech enthusiast who loves breaking down complex information for a broader audience.
