How to tell if an Instagram password reset email is real


Instagram users had a scare over the weekend after many were sent mysterious password reset emails that seemed to come directly from Instagram. Some users thought this might be a phishing email, but as Mashable reported earlier today, many of the emails are legitimate.

Instagram said in a weekend statement that it had fixed a bug that allowed an external party to trigger unnecessary password reset emails. The good news: no one’s accounts were actually impacted. The social media giant urged people to simply delete the emails and move on. 

Still, we thought we’d take a close look at the email that was sent to people to see if we could identify any red flags. Phishing emails can almost always be identified with a little patience and know-how, so we put that knowledge to the test to see if there was anything wrong with the email itself. If what Instagram said is accurate (spoiler: it was accurate), then we shouldn’t spot anything untoward. 

In any case, here is one of the emails in question, received by a Mashable editor on Saturday, Jan. 10, with the account information blurred out for privacy reasons. 


One of the password reset emails received by Instagram users.
Credit: Mashable

Okay, so let’s go through a checklist of the most common ways to spot a phishing email and see how this one holds up.

First, a phishing email will usually come from an unknown email address with no ties to the real company. In this case, the email is from security@mail.instagram.com, which is a real Instagram email address. Please note that scammers will often try to imitate legitimate email addresses by using variations and alternative domains, such as “instagram.password.net”.

Next, I check the footer, which also looks clean. I actually signed out of my own Instagram account and had a password reset link sent to me, and I can verify that the footer is exactly identical to the one in the above email. So, we’re off to a great start. 

Phishing emails can often look legitimate, though, so the next step is to see where this email sends you if you were to click the link. However, instead of clicking the link, hover your mouse over the link to see the URL destination. In this case, hovering over the “Reset password” button does, in fact, show a real Instagram link, as seen in the screenshot below. 

screenshot of instagram password reset email


Credit: Mashable

Remember: You should check every link in an email from an unknown sender before clicking. So, I checked the “let us know” link, which also shows an official Instagram URL.
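The sender and link checks described above can also be run as a script. The following is an added example, not code from Mashable or Instagram; the `TRUSTED` allowlist, the function names and both sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = ("instagram.com",)  # assumption: the only domain accepted as official

# Constructed sample messages for illustration (not the email from the article).
GENUINE = ("From: Instagram <security@mail.instagram.com>\n"
           "Content-Type: text/html\n\n"
           '<a href="https://www.instagram.com/example-reset-path">Reset password</a>')
LOOKALIKE = ("From: Instagram <security@instagram.password.net>\n"
             "Content-Type: text/html\n\n"
             '<a href="https://instagram.com.login.example/reset">Reset password</a>'
             '<a href="https://www.instagram.com/example-path">let us know</a>')


def is_trusted_host(host):
    """True only for a trusted domain itself or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED)


class LinkCollector(HTMLParser):
    """Collects the href of every <a> tag, i.e. what hovering would reveal."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links += [v for k, v in attrs if k == "href" and v]


def check_email(raw):
    """Return findings for sender and links; an empty list means both checks passed."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1]
    findings = [] if is_trusted_host(sender.rpartition("@")[2]) else ["sender: " + sender]
    collector = LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
    for url in collector.links:
        parts = urlsplit(url)
        # .hostname is the real destination: it ignores any "user@" prefix in the URL
        if parts.scheme != "https" or not is_trusted_host(parts.hostname):
            findings.append("link: " + url)
    return findings
```

`check_email(GENUINE)` returns an empty list, while `check_email(LOOKALIKE)` reports the sender and the first link. A displayed From address can be forged, so a clean result is one signal, not proof.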

Many phishing emails also contain spelling or grammar errors. However, after a close reading of the email, there aren’t any red flags, and all of the logos are correct. 

The only other thing I could think to check was if this was a user-generated password reset request. So, as I said earlier, I signed out and had one sent to me, and I confirmed the emails are identical.

There is one more step you can take to verify if the email is legitimate, but it actually doesn’t work in this particular case.

Go to your Instagram account settings, then click “Accounts Center,” then “Password and security,” then “Recent emails.” Normally, this section would show all recent emails from Instagram. However, for unknown reasons, the weekend’s mysterious password reset emails do not show up, even though they appear to be legitimate.

This discrepancy is one reason the emails seemed so suspicious at first, and why some experts determined they were phishing emails.

When you receive a suspicious email, never click the links.

In this case, the best thing you can do is simply ignore the email entirely.

Is the Instagram email a scam?

Kind of, just not in the way you would think. The emails were sent, albeit indirectly, by a third party. However, the email our editor received was real and sent by Instagram. Clicking the links and buttons would not harm the recipient, and the worst thing that could happen is that you’d wind up with a new password.

However, if you did open this mysterious Instagram email, click the link, and change your password without verifying its authenticity, you got lucky this time.

We recommend checking out this guide on identifying phishing scams, just in case. 
