Beware of Your Facebook Account: A New Hacking Scam That Doesn’t Ask for Your Password
A new phishing campaign targeting Facebook accounts is spreading globally, according to a report from Bitdefender’s Anti-Spam Lab. Launched via fraudulent emails, the attack has affected multiple countries including the US, UK, Ireland, Germany, France, Italy, Japan, Australia, Romania, and Canada.
Unlike traditional scams, this phishing operation does not request your Facebook username or password. Instead, the emails are primarily aimed at small and medium-sized businesses running ads on Facebook, disguised as official communications from Meta. They warn of alleged violations of brand or advertising policies, using authentic-looking language and Meta-style formatting to create false urgency and legitimacy.
Common Email Subjects:
Please verify whether the name and branding elements displayed meet our current ad policy requirements.
Confirm that your business name and profile visuals are officially approved or licensed.
Your Page’s Visual Language Is Under Formal Review.
Sample Phishing Email Content:
Hi,
We’re reaching out to confirm whether some of the content featured on your page was shared with proper permission. Certain design elements appear similar to those used by registered brands or organizations.
Why we’re contacting you:
Visual assets that look like existing brand materials
Text or layout resembling a known company
Use of icons or style guides commonly associated with official entities
If you’re authorized to use these assets, a quick confirmation will ensure no further issues. If not, adjustments may be required to avoid misunderstandings.
Verify Content
This message was generated in accordance with Meta’s brand policy framework.
The “Verify Content” button in the email redirects to a cloned Meta Privacy Center page, complete with logos, legal disclaimers, and a form titled “Policy Violation Confirmation.” The form warns: “Failure to respond promptly may delay your appeal process, which could result in the permanent deletion of your page and account.”
Information Requested in the Form:
Full name
Personal email
Business email
Date of birth (Day/Month/Year)
Mobile phone number
This scam plays a “long game” instead of asking for passwords directly. Once scammers obtain the
requested data, they take further malicious actions:
Impersonate Meta representatives to follow up via email or phone
Trick you into revealing login credentials in subsequent steps
Hijack your business page using account recovery tools
Use your ad account to run fraudulent advertisements
Misuse your identity for other scams, including financial fraud and spear-phishing
For anyone managing Facebook ad accounts, remember to stay vigilant—protecting your account should be a top priority.