Close Menu
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice

Subscribe to Updates

Get the latest creative news from FooBar about art, design and business.

What's Hot

The Gap Between Awareness and Resilience

July 8, 2026

Phishing Attacks Targeted Facebook Users With Fake Verification Offer

July 7, 2026

Microsoft Accelerates Post-Quantum Cryptography Shift to 2029

July 7, 2026
Facebook X (Twitter) Instagram
Wednesday, July 8
Facebook X (Twitter) Instagram Pinterest Vimeo
Cyberwire Daily
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice
Cyberwire Daily
Home»News»Phishing Attacks Targeted Facebook Users With Fake Verification Offer
News

Phishing Attacks Targeted Facebook Users With Fake Verification Offer

Team-CWDBy Team-CWDJuly 7, 2026No Comments3 Mins Read
Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
Share
Facebook Twitter LinkedIn Pinterest Email


Cybercriminals abused Facebook Messenger chatbots in a campaign which distributed phishing attacks designed to steal business information and other sensitive data from Meta For Business users.

The campaign, identified by Huntress, found a way to successfully pass security validation checks in many inboxes because the messages looked like they came from a legitimate Facebook Business email account.

The phishing email attempted to lure victims in with an offer of verification to ‘protect’ the account, when the attacker intention was the opposite. The aim was to steal credentials including passwords, multi-factor authentication (MFA) codes, business and personal phone numbers, email addresses, plus images of government ID or passports which belonged to the victim.

The illicit campaign started in or around November 2025 and was running until June 2026, when Meta took action to prevent infrastructure being exploited by the attackers.

As detailed in the Huntress blog post on July 7, the phishing lure claims to offer Facebook Business account users a way to ‘protect their brand’ with a verified badge. While Facebook does offer a real verification service, it is based around a paid subscription, with the process starting inside the Facebook ecosystem, not via an email.

The phishing lure also requests that the user logged in to confirm their identity – on a fake phishing page – including the entry of any MFA tokens in what, for the attackers, is a method of stealing the login credentials.

A Hijacked Chatbot

Further activity was aided with the incorporation of achatbot, which they ran through a fraudulent account on Facebook Messenger named AI Strategic Partner.

Interaction with the bot took the user to a phishing page controlled by the attackers which asked the user to submit additional information to ‘verify’ their account.

This once again asked the victim for their username and password, including another phony MFA check, before asking the victim to verify their identity with a passport, driver’s license, or national ID card.

Uploading a photo of this would provide the attackers with large amounts of personal information which could be exploited for fraud and other scams. By using a stolen username and password to take over a business account, the scammers would have a range of options around fraudulently making money.

“Threat actors can leverage Meta business accounts to spend the victim’s money on malicious or scam advertising, or they can take over the account entirely, changing the recovery methods and password, and leverage the account to transmit more targeted attacks at the business’ customers or social media followers,” said Andrew Brandt, principal threat intelligence incident commander at Huntress.

Meta has taken action to disrupt the activity, but the nature of Facebook accounts, especially business accounts, mean they remain a prime target for phishing attacks.

These messages contained spelling, grammatical and formatting errors uncharacteristic of a large corporation like Facebook. The phishing emails were also offering to provide users with a service for free, when in reality, the verification process is based on a paid transaction with Meta.

“Broken graphics, links that seem unfamiliar, and the unexpected arrival of an email inviting you to an exciting opportunity are all red flags. So if you receive a message like this and it seems not-quite-right, or unexpected, just trash that message. You have more to lose than you think,” said Brandt.



Source

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticleMicrosoft Accelerates Post-Quantum Cryptography Shift to 2029
Next Article The Gap Between Awareness and Resilience
Team-CWD
  • Website

Related Posts

News

The Gap Between Awareness and Resilience

July 8, 2026
News

Microsoft Accelerates Post-Quantum Cryptography Shift to 2029

July 7, 2026
News

Suspected Chinese Threat Group Targets Universities

July 7, 2026
Add A Comment
Leave A Reply Cancel Reply

Latest News

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202522 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views

Why SOC Burnout Can Be Avoided: Practical Steps

November 14, 20259 Views

Cyber M&A Roundup: Cyber Giants Strengthen AI Security Offerings

December 1, 20258 Views
Stay In Touch
  • Facebook
  • YouTube
  • TikTok
  • WhatsApp
  • Twitter
  • Instagram
Most Popular

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202522 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views
Our Picks

How to mitigate the security and privacy risks of smart glasses

May 11, 2026

How to tell if a voice call is AI or not

February 23, 2026

It’s all fun and games until someone gets hacked

September 26, 2025

Subscribe to Updates

Get the latest news from cyberwiredaily.com

Facebook X (Twitter) Instagram Pinterest
  • Home
  • Contact
  • Privacy Policy
  • Terms of Use
  • California Consumer Privacy Act (CCPA)
© 2026 All rights reserved.

Type above and press Enter to search. Press Esc to cancel.