Cybersecurity researchers are warning Instagram users about a new phishing campaign that uses fake login alerts to trick people into handing over their account details.
According to Malwarebytes, attackers are sending emails that closely resemble Meta’s official notifications for unfamiliar logins. The messages are designed to trigger concern and prompt quick action, especially if you haven’t signed in recently. Each email includes a six-digit verification code and links claiming to let you “report the issue” or “remove your email address from the account.”
Unlike many phishing attempts, these links do not take you to a counterfeit login page. Instead, they open your default email application with a pre-filled message, subject line, and recipient address. By sending the email, you confirm to the attackers that your address is valid. From there, scammers attempt to draw you into a back-and-forth exchange, often asking for sensitive account information under the pretext of resolving the supposed security issue.
The scheme relies on “typosquatting” — registering email domains that closely resemble legitimate ones, but with small changes such as altered extensions or added country codes. For example, a legitimate domain like vacasa.com could be spoofed as vacasa.uk.com. These subtle differences can bypass automated spam filters and avoid triggering suspicion, especially since there’s no suspicious-looking login page involved.
This method has a few advantages for the attackers: it’s faster to set up than creating a fake website, it avoids some URL-based security checks, and many users may feel more comfortable replying to an email than clicking a link.
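The two tricks described above (a mailto: link that pre-fills a message, and a sender domain that reuses a real brand label with a different suffix) are both visible in the raw email, so a mail filter or triage script can flag them before a user replies. The following is an added example written for this page, not code from Malwarebytes or the article: it parses a mailto: link, extracts the recipient domain, and classifies that domain as legitimate, lookalike or unrelated against a small constructed allow-list. The domain vacasa.com comes from the article; the allow-list entries, the local parts, the subject lines and the six-digit code in the sample links are constructed, and the one-character-difference check is a generalisation of the "small changes" the article mentions, not something it spells out.

```python
"""Flag phishing mailto: links whose recipient domain is a lookalike of a protected brand."""
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed allow-list for this example (not from the article): the domains
# that legitimate notifications are expected to come from.
PROTECTED_DOMAINS = {"vacasa.com", "instagram.com", "facebookmail.com"}


def sender_domain(address: str) -> str:
    """Return the lowercase domain part of an email address."""
    return address.strip().rsplit("@", 1)[-1].lower().rstrip(".")


def is_subdomain_of(domain: str, parent: str) -> bool:
    """True for the parent itself and any host beneath it (mail.vacasa.com)."""
    return domain == parent or domain.endswith("." + parent)


def within_one_edit(a: str, b: str) -> bool:
    """True when a and b differ by at most one substitution, insertion or deletion."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = 0
    used_edit = False
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        if used_edit:
            return False
        used_edit = True
        if len(a) > len(b):
            i += 1          # deletion from a
        elif len(b) > len(a):
            j += 1          # insertion into a
        else:
            i += 1          # substitution
            j += 1
    # A leftover trailing character is the single allowed edit only if none was used yet.
    return not (used_edit and (i < len(a) or j < len(b)))


def classify_sender(address: str) -> str:
    """Classify an address as 'legitimate', 'lookalike' or 'unrelated'."""
    domain = sender_domain(address)
    # Exact or subdomain match wins before any lookalike heuristic runs.
    if any(is_subdomain_of(domain, good) for good in PROTECTED_DOMAINS):
        return "legitimate"
    labels = domain.split(".")
    for good in PROTECTED_DOMAINS:
        brand = good.split(".")[0]
        # Brand label reused under a different suffix: vacasa.uk.com, vacasa.net
        if brand in labels:
            return "lookalike"
        # Brand label with one character changed: vaccasa.com (ignore the TLD label)
        if any(within_one_edit(label, brand) for label in labels[:-1]):
            return "lookalike"
    return "unrelated"


def parse_mailto(link: str) -> dict:
    """Extract recipient, subject and body from a mailto: link."""
    parts = urlsplit(link)
    if parts.scheme.lower() != "mailto":
        raise ValueError("not a mailto: link")
    params = parse_qs(parts.query)
    return {
        "to": unquote(parts.path),
        "subject": params.get("subject", [""])[0],
        "body": params.get("body", [""])[0],
    }


def assess_mailto(link: str) -> dict:
    """Return the parsed link plus a verdict on its recipient domain."""
    fields = parse_mailto(link)
    fields["verdict"] = classify_sender(fields["to"])
    return fields


if __name__ == "__main__":
    # Constructed sample links in the style the article describes.
    samples = [
        "mailto:security@vacasa.uk.com?subject=Report%20unfamiliar%20login&body=Code%3A%20482913",
        "mailto:alerts@vacasa.com?subject=Account%20notice",
        "mailto:help@vaccasa.com?subject=Remove%20email",
        "mailto:someone@example.org",
    ]
    for link in samples:
        result = assess_mailto(link)
        print(f"{result['verdict']:<11} {result['to']:<28} subject={result['subject']!r}")
```

The legitimate check runs before any lookalike heuristic so that a real subdomain such as mail.vacasa.com is never flagged; the one-edit check skips the last label so an ordinary TLD is not compared against a short brand name.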
Security experts advise that the safest way to verify any login alert is within the Instagram app itself. Go to Settings > Accounts Center > Password and Security > Where You’re Logged In to check recent activity. If you don’t see any unfamiliar devices there, the email you received is likely fraudulent.
If you receive one of these phishing emails, do not reply, click links, or send any information. Report the message to your email provider or directly to Meta, then delete it. Even if you’ve already responded, remember that no legitimate company will ever ask for your Instagram password via email. Staying vigilant and verifying alerts within the app remains the most effective way to protect your account from this type of scam.

