Facebook Users Targeted in New Phishing Scam Using Mailto Links

Following a recent phishing campaign aimed at Instagram users, cybercriminals are now targeting Facebook accounts with a similar, deceptive approach — and they’re not using traditional phishing links.

Instead of directing victims to fake login pages, this campaign uses mailto: links. Victims receive emails falsely claiming that their Facebook account has been accessed from a new device. The subject line often reads:
“We’ve Received a request to Reset your password for Facebook Account!”

The message body typically warns:

“A user just logged into your Facebook account from a new device iPhone 14 PRO Max. We are sending you this email to verify it’s really you.”

How the Scam Works

Every clickable element in the email — whether it’s “Report the user”, “Yes, me”, “Unsubscribe”, or even the fake email addresses listed at the bottom — triggers your default email app to draft a message with a pre-set subject line. The idea is to lure victims into engaging directly with the attackers by replying to these emails.

The drafts these mailto: links open are addressed to suspicious or spoofed mailboxes, many of which were previously used in the Instagram campaign. These include:

  • prestige@vacasa[.]uk.com
  • ministry@syntec[.]uk.com
  • technique@pdftools[.]com.de
  • service@boss[.]eu.com
  • threaten@famy[.]in.net
  • difficulty@blackdiamond[.]com.se
  • anticipation@salomonshoes[.]us.com

Some of these domains are typosquats (intentional misspellings of real companies), while others belong to services that may have been compromised.

What Makes These Domains Suspicious?

The phishing campaign leverages second-level domain extensions like .uk.com, .com.de, .eu.com, .com.se, and .us.com. While technically legitimate, these extensions are not official country-code domains; threat actors often abuse them because the familiar country suffix makes an address look trustworthy or local.

Their flexibility and global availability make them attractive tools for typosquatting or impersonating real companies.
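A defender-side check for the two traits described above (every clickable element is a mailto: link with a pre-set subject, and the recipients sit on pseudo country-code extensions). This is an added example, not code from the original post or from Malwarebytes; the sample HTML body is constructed from the lure text and addresses the post quotes.

```python
"""Flag HTML e-mail bodies whose links are all mailto: and point at pseudo-ccTLDs."""
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs, unquote

# Extensions named in the post; they are not official country-code domains.
PSEUDO_CC_SUFFIXES = (".uk.com", ".com.de", ".eu.com", ".com.se", ".us.com", ".in.net")


class LinkCollector(HTMLParser):
    """Collect (href, anchor text) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def parse_mailto(href):
    """Return (recipient, subject) for a mailto: href, or None for any other scheme."""
    parts = urlsplit(href)
    if parts.scheme.lower() != "mailto":
        return None
    subject = parse_qs(parts.query).get("subject", [""])[0]
    return unquote(parts.path), subject


def analyse(html):
    """Report how many links are mailto:, which recipients use pseudo-ccTLDs, and the subjects."""
    collector = LinkCollector()
    collector.feed(html)
    mailtos = [m for href, _ in collector.links if (m := parse_mailto(href)) is not None]
    flagged = sorted({rcpt for rcpt, _ in mailtos if rcpt.lower().endswith(PSEUDO_CC_SUFFIXES)})
    return {
        "total_links": len(collector.links),
        "mailto_links": len(mailtos),
        "all_mailto": bool(collector.links) and len(mailtos) == len(collector.links),
        "flagged_recipients": flagged,
        "subjects": sorted({subj for _, subj in mailtos if subj}),
    }


# Constructed sample body modelled on the lure quoted in the post.
SAMPLE_HTML = """<p>A user just logged into your Facebook account from a new device.</p>
<a href="mailto:prestige@vacasa.uk.com?subject=Report%20the%20user">Report the user</a>
<a href="mailto:service@boss.eu.com?subject=Yes%2C%20me">Yes, me</a>
<a href="mailto:threaten@famy.in.net?subject=Unsubscribe">Unsubscribe</a>"""

if __name__ == "__main__":
    print(analyse(SAMPLE_HTML))
```

A body where `all_mailto` is true and `flagged_recipients` is non-empty matches the pattern described here; a genuine notification would carry at least one https link to the service's own domain.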

How to Protect Yourself from Mailto Phishing

With attackers moving toward more deceptive tactics like mailto phishing, users need to remain vigilant. Here are some best practices:

  • Verify the email sender: Emails from Facebook will come from legitimate Meta-owned domains, not from unrelated companies or generic addresses like Gmail.
  • Never share credentials by email: Reputable companies will never ask you to reply with passwords or sensitive account information.
  • Don’t fall for urgency tactics: If the message pressures you to act immediately, pause and investigate.
  • Avoid replying: Responding confirms your email address is active and makes you a bigger target.
  • Search for reported scams: Look up suspicious messages online to see if others have encountered similar ones.
  • Use tools like Malwarebytes Scam Guard: They help assess suspicious emails and offer guidance on whether you’re dealing with a scam.

Source: https://www.malwarebytes.com/blog/news/2025/08/facebook-users-targeted-in-login-phish