Kaspersky experts have uncovered a new phishing scam targeting businesses that promote their pages on Facebook.

Scammers send emails allegedly on behalf of Meta for Business – Facebook’s platform for businesses – claiming the recipient’s page contains prohibited content.

The email suggests that recipients provide an explanation in order to have their account and page unblocked. The attackers' likely goal is to gain access to users’ business accounts.

Kaspersky’s anonymised data shows that such emails started reaching users on 14 December 2024, with complaints coming from organisations all over the world, including the Middle East, Turkiye and Africa. Examining the “From” field in the email shows that the sender's domain does not belong to Facebook. According to Kaspersky data, the emails in this campaign were sent from a number of different domains.

The link in the email redirects users to Facebook Messenger. On Messenger, the account posing as Facebook’s support team appears legitimate, creating a false sense of trust. The account is marked as a fan page, but this is easy to miss under the stress of being accused of spreading illegitimate content.

This scheme stands out for its sophistication. Unlike earlier scams that accused users of copyright violations and directed them to respond via email, this approach simulates internal communication on the Facebook platform itself.

“In 2025, we anticipate a rise in attacks leveraging social engineering and user trust in major platforms,” comments Andrey Kovtun, email threats protection group manager at Kaspersky. “Scams like this are becoming more sophisticated as attackers strive to mimic official services closely. Users must remain vigilant, verify the authenticity of messages, and avoid clicking on suspicious links.

“We strongly advise users not to engage with suspicious accounts and to activate additional security measures, such as two-factor authentication. If you receive such an email, report the incident to Facebook’s support team and update your passwords immediately if any information has been compromised.”