Check Point® Software Technologies Ltd. has uncovered a widespread phishing campaign exploiting legitimate features of Meta Business Suite and the trusted domain facebookmail.com to send fraudulent notifications appearing to come directly from Meta. The campaign demonstrates how cybercriminals abuse legitimate communication channels to bypass security systems and exploit trust.
With more than 5.4 billion Facebook users worldwide, the platform remains a critical marketing and communication tool for small and medium-sized enterprises (SMEs). Its global influence and brand recognition make it an ideal target for attackers seeking to exploit trust in official Meta communications.
How the Campaign Works
Attackers created fake Facebook Business pages impersonating Meta officials. Using the platform’s legitimate business invitation function, they sent phishing emails from the real facebookmail.com domain, making them appear authentic and bypassing many automated filters.
These messages mimicked legitimate Meta alerts and carried urgent prompts such as “Action Required: Join the free ad credit program” or “Account verification required.” The emails linked to fake websites hosted on domains like vercel.app, built to harvest credentials and other confidential information.
Scale and Impact
Check Point’s telemetry data indicates that over 40,000 emails were sent to more than 5,000 organisations across the United States, Europe, Canada, and Australia. The campaign primarily targeted SMEs in sectors such as automotive, education, real estate, hospitality, and finance.
While most victims received fewer than 300 messages, one organisation recorded over 4,000. The uniformity of subject lines and templates suggests a large-scale, automated operation rather than targeted attacks.
Why It’s Especially Dangerous
Unlike typical phishing attempts that spoof domains, this campaign leveraged legitimate Meta infrastructure, significantly increasing credibility and bypassing traditional email defences that rely on sender reputation or domain verification.
- Attackers exploited trust in Meta’s verified communication domain to build credibility.
- Many security systems failed to detect the emails since they originated from a trusted source.
- The incident underscores the need for platforms like Meta to enhance safeguards against abuse of business tools.
“Phishing is evolving, and it’s no longer enough to rely on traditional filters,” said Eusebio Nieva, Technical Director at Check Point Software. “Organisations must adopt a prevention-first approach based on behavioural analysis and contextual intelligence.”
Security Recommendations
- Train employees to verify the legitimacy of Meta communications before clicking links.
- Use advanced email filtering with behavioural and AI-based analysis.
- Enable multi-factor authentication (MFA) so that stolen credentials alone do not grant access to the account.
- Access Meta Business accounts directly from official dashboards rather than email links.
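The campaign described above passes sender-based checks by design: the mail really does leave facebookmail.com, so SPF, DKIM and reputation scoring all say “fine”. The filtering recommendation therefore has to look at what the message does rather than where it comes from. The following is an added illustration, not Check Point’s or Meta’s code, of a triage rule that combines the three signals the report describes: a genuine Meta sender domain, links that leave Meta’s own domains (vercel.app in the campaign), and an urgency lure in the subject. The two sample messages, the allowlist of Meta link domains, and the threshold are constructed assumptions for the example.

```python
"""Content-and-link triage for notifications that arrive from a legitimate
sender domain. Added example, not code from the report or from Meta."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Sender domain the campaign abused (named in the report).
TRUSTED_SENDER_DOMAINS = {"facebookmail.com"}
# Domains a real Meta notification links to. Assumption: a minimal allowlist
# a defender would maintain from their own observed traffic.
META_LINK_DOMAINS = {"facebook.com", "fb.com", "meta.com", "facebookmail.com"}
# Free hosting platform seen in the campaign (vercel.app, from the report).
FREE_HOSTING_SUFFIXES = ("vercel.app",)
# Lure phrases quoted in the report.
URGENCY_PATTERNS = [re.compile(p, re.I) for p in (
    r"\baction required\b", r"\bverification required\b", r"\bfree ad credit\b")]
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable(host):
    """Crude registrable-domain reduction (last two labels); enough here."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def sender_domain(msg):
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def body_text(msg):
    if msg.is_multipart():
        return "".join(
            part.get_payload(decode=True).decode("utf-8", "replace")
            for part in msg.walk()
            if part.get_content_type() in ("text/plain", "text/html"))
    return msg.get_payload(decode=True).decode("utf-8", "replace")


def triage(raw):
    """Return a verdict dict; 'suspicious' needs two independent signals."""
    msg = message_from_string(raw)
    reasons = []
    sender = sender_domain(msg)
    # Authentication passing is recorded but deliberately NOT a trust signal:
    # in this campaign the mail genuinely came from Meta infrastructure.
    auth = msg.get("Authentication-Results", "").lower()
    auth_pass = "spf=pass" in auth and "dkim=pass" in auth

    urls = URL_RE.findall(body_text(msg))
    link_domains = {registrable(urlparse(u).hostname or "") for u in urls}
    foreign = {d for d in link_domains if d not in META_LINK_DOMAINS}
    if sender in TRUSTED_SENDER_DOMAINS and foreign:
        reasons.append(f"trusted sender {sender} but links leave Meta: {sorted(foreign)}")
    hosted = {d for d in foreign if d.endswith(FREE_HOSTING_SUFFIXES)}
    if hosted:
        reasons.append(f"landing page on free hosting: {sorted(hosted)}")
    subject = msg.get("Subject", "")
    if any(p.search(subject) for p in URGENCY_PATTERNS):
        reasons.append(f"urgency lure in subject: {subject!r}")

    return {"sender": sender, "auth_pass": auth_pass, "links": sorted(link_domains),
            "reasons": reasons, "suspicious": len(reasons) >= 2}


# Constructed samples modelled on the report's description; not real captures.
PHISHING_SAMPLE = """\
From: Meta for Business <notification@facebookmail.com>
To: owner@example-dealership.test
Subject: Action Required: Join the free ad credit program
Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=facebookmail.com; dkim=pass header.d=facebookmail.com

"Meta Business Support" invited you to their Business portfolio.
Verify your account now: https://meta-ads-credit-example.vercel.app/verify
"""

BENIGN_SAMPLE = """\
From: Meta for Business <notification@facebookmail.com>
To: owner@example-dealership.test
Subject: You were added to a Business portfolio
Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=facebookmail.com; dkim=pass header.d=facebookmail.com

Review the request in Business Manager: https://business.facebook.com/settings
"""

if __name__ == "__main__":
    for name, raw in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, triage(raw))
```

Both samples authenticate cleanly, which is the point: the verdict is driven by where the links go and how the subject is phrased, not by the sender. In production the allowlist would come from observed legitimate Meta notifications, and the rule would feed a quarantine or banner decision rather than act alone.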
The campaign demonstrates how threat actors increasingly use legitimate services to enhance deception and evade detection. SMEs, often with limited security budgets, remain prime targets for these evolving phishing operations.