Cybercriminals Exploit Facebook Messenger for Phishing Attacks Targeting Businesses
In a disturbing development, cybercriminals have harnessed Facebook Messenger chatbots to launch a coordinated phishing campaign aimed at stealing sensitive data from users of Meta for Business. This malicious strategy has raised alarms within the cybersecurity community as it effectively bypassed certain security validations, leading unsuspecting users to believe that they were engaging with legitimate Facebook communications.
The cybercrime initiative, uncovered by the cybersecurity firm Huntress, noted that the attackers cleverly disguised their communications to mirror those coming from legitimate Facebook Business email accounts. This façade created a veneer of authenticity that many users fell prey to, resulting in multiple cases of compromised business credentials and personal data.
Lure of Verification
The phishing scheme exploited a familiar trope for many – the enticing promise of account verification. Initial research indicates that the campaign began in or around November 2025 and persisted until June 2026, a period during which various users clicked on unsolicited messages that falsely claimed to offer verification services designed to ‘protect’ their accounts. The irony, however, was stark; the attackers’ true objective was to pilfer credentials such as passwords, multi-factor authentication (MFA) codes, business and personal phone numbers, email addresses, and even images of government identification like passports.
As detailed in a blog post by Huntress published on July 7, the phishing messages claimed to provide users with an opportunity to ‘protect their brand’ through a verified badge. While it is true that Facebook does offer a verification service, such services are contingent upon a paid subscription and originate from within the Facebook ecosystem—not through unsolicited emails.
The Phishing Process
Upon receiving these fraudulent emails, victims were directed to a counterfeit webpage that was crafted to resemble a legitimate login portal. Here, they were asked to authenticate their identity by entering their usernames, passwords, and, alarmingly, MFA tokens, all of which were funneled directly to the attackers.
The Role of a Hijacked Chatbot
To further complicate the phishing landscape, the attackers utilized a fraudulent Facebook Messenger account masquerading as “AI Strategic Partner” to accelerate their malicious activities. Interaction with this bot would redirect users to the phony phishing page, where additional personal information was solicited under the guise of ‘verification.’ Once more, victims were prompted to enter their usernames, passwords, and even provide identity validation through the submission of photographs of government-approved identification—such as passport or driver’s licenses.
This insidious approach not only facilitated the theft of login credentials but also put victims at grave risk of identity theft and fraud. In the event that a user’s credentials were compromised, the attackers would gain access to business accounts, potentially unleashing a series of fraud-related activities such as redirecting advertising budgets to malicious campaigns or reconfiguring accounts for further exploitation.
Andrew Brandt, who serves as the principal threat intelligence incident commander at Huntress, underscored the serious ramifications of these attacks. “Threat actors can leverage Meta business accounts to spend the victim’s money on malicious or scam advertising, or they can take over the account entirely, changing the recovery methods and password, leveraging the account to transmit more targeted attacks at the business’ customers or social media followers,” he stated.
Meta’s Response and Ongoing Vulnerabilities
In response to the escalating threat landscape, Meta has taken steps to neutralize the malicious activity associated with this campaign. However, the fundamental nature of Facebook accounts, particularly business accounts, makes them inherently susceptible to phishing attacks. The messages employed by the attackers often contained spelling and grammatical errors, odd formatting, and offered services that were allegedly free when, in fact, legitimate verification procedures would require a transaction with Meta.
Brandt cautioned users to remain vigilant against such attacks. “Broken graphics, links that seem unfamiliar, and the unexpected arrival of an email inviting you to an exciting opportunity are all red flags. If you receive a message like this and it seems not-quite-right, or unexpected, just trash that message. You have more to lose than you think,” he advised.
In summary, this incident serves as a critical reminder of the importance of cybersecurity awareness, particularly for businesses. As cybercriminals continually evolve their tactics, staying informed and cautious when interacting online can be the difference between security and vulnerability.
