Phishing Attacks Targeted Facebook Users With Fake Verification Offer

Written by

Cybercriminals abused Facebook Messenger chatbots in a campaign which distributed phishing attacks designed to steal business information and other sensitive data from Meta For Business users.

The campaign, identified by Huntress, found a way to successfully pass security validation checks in many inboxes because the messages looked like they came from a legitimate Facebook Business email account.

The phishing email attempted to lure victims in with an offer of verification to ‘protect’ the account, when the attacker intention was the opposite. The aim was to steal credentials including passwords, multi-factor authentication (MFA) codes, business and personal phone numbers, email addresses, plus images of government ID or passports which belonged to the victim.

The illicit campaign started in or around November 2025 and was running until June 2026, when Meta took action to prevent infrastructure being exploited by the attackers.

As detailed in the Huntress blog post on July 7, the phishing lure claims to offer Facebook Business account users a way to ‘protect their brand’ with a verified badge. While Facebook does offer a real verification service, it is based around a paid subscription, with the process starting inside the Facebook ecosystem, not via an email.

The phishing lure also requests that the user logged in to confirm their identity – on a fake phishing page - including the entry of any MFA tokens in what, for the attackers, is a method of stealing the login credentials.

A Hijacked Chatbot

Further activity was aided with the incorporation of achatbot, which they ran through a fraudulent account on Facebook Messenger named AI Strategic Partner.

Interaction with the bot took the user to a phishing page controlled by the attackers which asked the user to submit additional information to ‘verify’ their account.

This once again asked the victim for their username and password, including another phony MFA check, before asking the victim to verify their identity with a passport, driver's license, or national ID card.

Uploading a photo of this would provide the attackers with large amounts of personal information which could be exploited for fraud and other scams. By using a stolen username and password to take over a business account, the scammers would have a range of options around fraudulently making money.

“Threat actors can leverage Meta business accounts to spend the victim's money on malicious or scam advertising, or they can take over the account entirely, changing the recovery methods and password, and leverage the account to transmit more targeted attacks at the business' customers or social media followers,” said Andrew Brandt, principal threat intelligence incident commander at Huntress.

Meta has taken action to disrupt the activity, but the nature of Facebook accounts, especially business accounts, mean they remain a prime target for phishing attacks.

These messages contained spelling, grammatical and formatting errors uncharacteristic of a large corporation like Facebook. The phishing emails were also offering to provide users with a service for free, when in reality, the verification process is based on a paid transaction with Meta.

“Broken graphics, links that seem unfamiliar, and the unexpected arrival of an email inviting you to an exciting opportunity are all red flags. So if you receive a message like this and it seems not-quite-right, or unexpected, just trash that message. You have more to lose than you think,” said Brandt.

What’s Hot on Infosecurity Magazine?