Facebook Users Targeted by Phishing Campaign Using Fake Verification Offers
A sophisticated phishing campaign has been impersonating Facebook Business account verification to steal user credentials, MFA codes, and sensitive personal documents.

Cybercriminals have been actively exploiting Facebook Messenger chatbots to distribute phishing attacks aimed at stealing sensitive data from Meta For Business users. The campaign, identified by Huntress, successfully bypassed many inbox security checks by mimicking legitimate Facebook Business email accounts, making the malicious messages appear trustworthy.
The phishing lure presented users with a fake offer of account verification, ostensibly to 'protect' their brand. However, the attackers' true intention was to harvest credentials, including passwords and multi-factor authentication (MFA) codes, along with business and personal phone numbers, email addresses, and even images of government IDs or passports. This campaign was active from approximately November 2025 until June 2026, when Meta intervened to disrupt the exploited infrastructure.
According to a Huntress blog post detailing the operation, the phishing messages claimed to offer a 'verified badge' to Facebook Business account holders as a means to 'protect their brand.' While Facebook does offer a legitimate verification service, it is a paid subscription initiated within the Facebook platform itself, not through unsolicited emails.
The attackers further enticed victims by directing them to a fake phishing page, disguised as a legitimate login portal, where they were prompted to enter their credentials and any MFA tokens. This allowed the threat actors to capture the sensitive login information.
Adding to the campaign's sophistication, the threat actors utilized a compromised chatbot on Facebook Messenger, operating under the guise of 'AI Strategic Partner.' Interacting with this bot would redirect users to the attacker-controlled phishing page, which then requested additional information under the pretense of account verification.
Beyond credentials, the fake verification process demanded users upload photos of their passports, driver's licenses, or national ID cards. This provided attackers with a wealth of personal information that could be leveraged for identity theft, fraud, and other malicious activities. Once a business account was compromised, threat actors could misuse it for fraudulent advertising or to launch further targeted attacks against the business's customers and followers.
Meta has since taken steps to dismantle the operation, but the inherent attractiveness of Facebook business accounts makes them a persistent target for phishing schemes. Analysts noted that the phishing emails often contained noticeable spelling, grammatical, and formatting errors inconsistent with communications from a large corporation like Meta. Additionally, the offer of a free verification service, when the genuine process involves a paid transaction, served as another red flag.
Security experts advise users to be vigilant, looking out for common phishing indicators such as broken graphics, unfamiliar links, and unexpected email invitations. They emphasize that ignoring suspicious messages and deleting them is crucial, as the potential loss of sensitive data and account compromise far outweighs any perceived opportunity.