TL;DR
This new phishing campaign hides behind Facebook’s own business notification emails, using real Meta infrastructure to trick businesses into giving up their login credentials.
Based on our own emails and submissions from InboxSpotter, we’ve identified a new phishing campaign that abuses real Facebook infrastructure to target businesses and people with Facebook business profiles.
The attackers are disguising phishing links inside legitimate Facebook business notifications, making the messages appear safe and trusted. In some cases, they even entice users by offering free advertising credit to get them to click.
How the scam works
- Attackers create fake Facebook business profiles and set their business portfolio name to a phishing website URL.
- When Facebook sends legitimate notification emails about these profiles, the phishing URL appears as a clickable link in the email.
- Clicking the link takes users to a very realistic Meta login page with animations and design elements identical to the real thing.
- Once on the site, users are asked to “confirm their password”, leading to credential theft.
Email sent from the real Facebook
Because the invite email is sent from Facebook’s own system, recipients are much more likely to trust it.
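
An added example (not from the original article or InboxSpotter's tooling): because these messages are really sent by Facebook, a mail filter has to inspect the content rather than the sender. This Python check flags Meta-signed notifications whose subject or body names a non-Meta host; the domain allowlist, the sample message and the function names are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Assumption: domains treated as Meta-owned; tune this list for your environment.
META_DOMAINS = {"facebook.com", "facebookmail.com", "fb.com", "meta.com", "instagram.com"}
# Matches full URLs and bare hostnames with an optional path.
URLISH = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/[^\s\"'<>]*)?", re.I)

def is_meta(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in META_DOMAINS)

def dkim_domain(msg):
    """DKIM-passing signing domain from Authentication-Results, else None.
    Only trust this header when your own mail gateway added it."""
    for value in msg.get_all("Authentication-Results", []):
        m = re.search(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", value, re.I)
        if m:
            return m.group(1).lower()
    return None

def foreign_hosts(raw):
    """For mail that Meta really signed, return non-Meta hosts named in it."""
    msg = message_from_string(raw)
    signer = dkim_domain(msg)
    if not signer or not is_meta(signer):
        return []  # not authenticated Meta mail; ordinary spoofing checks apply
    parts = [p.get_payload(decode=True) or b"" for p in msg.walk() if not p.is_multipart()]
    text = msg.get("Subject", "") + "\n" + b"\n".join(parts).decode("utf-8", "replace")
    hosts = {m.group(1).lower() for m in URLISH.finditer(text)}
    return sorted(h for h in hosts if not is_meta(h))

# Constructed sample: a notification whose portfolio name is a URL.
SAMPLE = """\
Authentication-Results: mx.example.net; dkim=pass header.d=facebookmail.com
From: Facebook <notification@facebookmail.com>
Subject: You're invited to join ads-credit.example.test/claim
Content-Type: text/plain

You have been invited to join the business portfolio ads-credit.example.test/claim.
Manage invitations at https://business.facebook.com/
"""

if __name__ == "__main__":
    print(foreign_hosts(SAMPLE))
```

A non-empty result on a Meta-signed notification is a reason to quarantine the message for review, since a business name that parses as a hostname is unusual for a genuine invite.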

The Phishing Website

The website copies Meta’s branding and interface and has a very fancy loading screen.

After you fill out the form, the site asks you to confirm your password, and that is how the attackers steal it.

What this means
This one’s tricky because it uses Facebook’s own trusted email system, making it look completely legitimate. If you manage a Facebook Page or business profile, always double-check new invites.
We’ve already added this campaign to the Scam Archive so others can learn from it and report similar cases.
If something feels off, forward it to check@inboxspotter.com and we’ll take a look.
