If you manage Facebook advertising for a small or medium-sized business, open your inbox with suspicion, because attackers have been sending highly convincing invites that look like they come straight from Meta.
Researchers at Check Point found that the attackers used Facebook Business pages and the platform’s invitation feature to send messages that arrive from the real @facebookmail.com domain, which makes the emails much harder to spot with automated filters and human instincts alike.
The campaign is large in volume and blunt in scope, with Check Point telemetry showing about 40,000 phishing emails sent to roughly 5,000 customers all over the world, including the United States, Europe, Canada, and Australia.
Most of the messages followed a simple template, using subjects such as Account Verification Required and Meta Agency Partner Invitation to prompt clicks, and each message carried a link that redirected victims to credential harvesting pages hosted on domains like vercel.app.
Attackers began by creating fake business pages, then added logos and page names designed to mimic official branding, and finally used the Business invitation mechanism to dispatch the invites, a sequence Check Point reproduced in a controlled test to confirm the method.
Simply put, this was a brand impersonation campaign using Meta Business Suite’s infrastructure for malicious purposes. The campaign’s targets were mostly companies that rely on Meta for marketing, including automotive, education, real estate, hospitality, and finance, which makes sense because those teams regularly receive legitimate Meta notifications and are more likely to trust them.
One company received over 4,200 messages, while most saw fewer than 300. According to CPR’s blog post, it looked less like a focused attack and more like a mass send aimed at catching as many people as possible.
If you run a Facebook page for business purposes, enable multi-factor authentication for Business Suite accounts, verify any invite through the Business Support Home or Meta help pages before clicking links, and treat any unexpected @facebookmail.com messages as suspect until confirmed through your account settings or Meta support.