A new phishing campaign masquerading as Meta’s support team is designed to deceive Facebook Page administrators into handing over their login credentials and two-factor authentication (2FA) codes. The scam uses social engineering and multiple spoofed Meta pages to walk victims through a staged “copyright violation” appeal process.
What the scam looks like
The email, titled “Notification: Please Review Your Recent Image Activity”, claims to come from an official-sounding sender such as “Account Inspection Department” using the address `support(at)platformbyfb(dot)com`. In reality, this is a malicious phishing attempt, with some display names amusingly mistyped as “Support Coordination Roo” instead of “Room”.
Here's what the email looks like 👇
The message urges the recipient to review a copyright concern affecting their Facebook Page to “maintain your page’s good standing” and avoid removal.
What happens when you click "Review Copyright Notice"?
Clicking the button takes the victim to a spoofed Meta “Privacy Center” page hosted on a fake domain that closely mimics Meta’s real business support layout and branding.
The scam then leads victims through a multi-step data harvesting process disguised as a compliance appeal:
1. Personal Details
The user is asked to provide full name, email address, page name, phone number, and date of birth.
2. Facebook Password Prompt
Next, the user is asked to verify their Facebook password.
3. Password Rejected Loop
The scam tells the user the password is incorrect, encouraging re-entry (harvesting both attempts).
4. 2FA Code Request
The next step requests a two-factor authentication code, usually one sent via SMS or generated by an authenticator app.
5. 2FA Error Message
Even if entered correctly, the code is said to be incorrect — prompting further attempts.
6. Request Sent Confirmation, Return to Facebook
To maintain the illusion, the final screen confirms the “appeal has been submitted” and redirects to the real Facebook login page.
What makes this attack credible?
- Branding: The fake pages imitate Meta’s UI very closely, including icons, legal disclaimers, and layout.
- Language: The copy uses consistent legalese and a “compliance tone” to apply pressure.
- Recipient Targeting: Sent to generic addresses like `sales@`, `info@`, and `enquiries@`, suggesting a wide net cast across small business pages.
- False Urgency: Threats of page deletion within 24 hours create a panic-driven response.
Stay Safe - Know the Signs
MailGuard advises all recipients of these emails to delete them immediately without clicking on any links. Responding or providing personal details can lead to identity theft, data breaches, and financial losses.
Avoid emails that:
- Aren’t addressed to you personally.
- Are unexpected and urge immediate action.
- Contain poor grammar or miss crucial identifying details.
- Direct you to a suspicious URL that isn’t associated with the genuine company.
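One way to turn the indicators above (a brand-borrowing sender domain, role-based recipients, urgency wording, links to a domain that is not the genuine company’s) into mail-gateway triage logic, as an added example that is not MailGuard’s detection code. The Meta domain allow-list, the keyword list and both sample messages are constructed assumptions for illustration; the first sample mirrors the lure described in this post.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allow-list of genuine Meta sender and link domains (illustrative, not exhaustive).
GENUINE_META_DOMAINS = {"facebookmail.com", "facebook.com", "meta.com", "fb.com"}
BRAND_TERMS = ("meta", "facebook", "fb")   # brand fragments that lookalike names borrow
ROLE_MAILBOXES = {"sales", "info", "enquiries", "inquiries", "contact", "admin"}
URGENCY = re.compile(r"\b(24 hours|immediately|good standing|removal|suspend)", re.I)
def registered_domain(host: str) -> str:  # crude eTLD+1 (last two labels), fine for .com
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def brand_lookalike(domain: str) -> bool:  # borrows a Meta brand fragment but is not genuine
    return domain not in GENUINE_META_DOMAINS and any(
        term in domain.split(".")[0] for term in BRAND_TERMS)

def score_message(raw: str) -> dict:
    """Return which of the post's indicators fired on one RFC 822 message and how many."""
    msg = message_from_string(raw)
    sender, rcpt = (parseaddr(msg.get(h, ""))[1] for h in ("From", "To"))
    body = msg.get_payload()
    hits = {}
    if brand_lookalike(dom := registered_domain(sender.partition("@")[2])):
        hits["lookalike_sender"] = dom                 # e.g. platformbyfb.com
    if rcpt.partition("@")[0].lower() in ROLE_MAILBOXES:
        hits["role_recipient"] = rcpt                  # generic mailbox, not a named person
    if URGENCY.search(msg.get("Subject", "") + " " + body):
        hits["urgency_language"] = True
    for url in re.findall(r"https?://[^\s\"'>]+", body):
        host = registered_domain(urlparse(url).hostname or "")
        if host not in GENUINE_META_DOMAINS:
            hits.setdefault("offbrand_links", []).append(host)
    return {"score": len(hits), "hits": hits}
# Constructed samples: the first mirrors the lure described in this post, the second is benign.
SAMPLE_PHISH = """\
From: Account Inspection Department <support@platformbyfb.com>
To: sales@example-business.com
Subject: Notification: Please Review Your Recent Image Activity

Maintain your page's good standing: https://privacy-center.platformbyfb.com/appeal
"""
SAMPLE_LEGIT = """\
From: Meta for Business <notification@facebookmail.com>
To: jane.doe@example-business.com
Subject: Your weekly Page summary

See how your Page performed this week: https://business.facebook.com/
"""
```

The phishing sample trips all four indicators and the benign notice none; in a real gateway the allow-list would be maintained from the brand’s published sender domains rather than hard-coded.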
Many businesses turn to MailGuard after a near miss or incident. Don't wait until it's too late. Reach out to our team for a confidential discussion by emailing expert@mailguard.com.au or calling 1300 30 44 30.
One Email Is All That It Takes
All that it takes to devastate your business is a cleverly worded email message that can steal sensitive user credentials or disrupt your business operations. If scammers can trick one person in your company into clicking on a malicious link or attachment, they can gain access to your data or inflict damage on your business.
For a few dollars per staff member per month, you can protect your business with MailGuard's specialist, 'zero zero-day' email security. Special Ops for when speed matters! Our real-time 'zero zero-day' email threat detection amplifies our clients’ intelligence, knowledge, security and defence. Talk to a solution consultant at MailGuard today about securing your company's inboxes.