According to TechRadar, hackers are exploiting Facebook Business Suite to send convincing phishing emails from the legitimate facebookmail.com domain, making them appear as official Facebook alerts. The attackers have sent over 40,000 phishing emails to Check Point Research’s customer base of roughly 5,000 entities, with one company receiving more than 4,000 messages. These templated campaigns target small and medium businesses across the US, Europe, Canada, and Australia with topics like account verification, Meta partner programs, and free advertising credits. The attacks work because malicious actors can create fake Business pages with Facebook-like branding and names, then abuse the platform’s notification system. Crucially, since the emails come from facebookmail.com, users are more likely to trust them despite their malicious intent.
Why this works so well
Here’s the thing about this attack – it’s brilliantly simple and exploits trust that businesses have built up over years. When you see an email from facebookmail.com, your brain immediately goes “Okay, this is legit.” The attackers aren’t using some sketchy domain that looks almost-right – they’re using the real deal. And that changes everything in terms of how people react.
Basically, Facebook Business Suite lets anyone create a business page and send notifications. So the bad guys set up pages with names like “Facebook Security” or “Meta Verification Team,” upload official-looking logos, and boom – they’re sending emails that look exactly like what you’d expect from Facebook. The topics they choose are perfectly tailored to what business owners care about – verification issues, partner programs, free ad credits. Who wouldn’t click on that?
Who’s getting targeted
This isn’t some sophisticated spear-phishing operation going after specific high-value targets. The researchers found most companies received fewer than 300 emails, but one got absolutely slammed with over 4,000. That tells me they’re casting a wide net – send enough messages and someone will bite. It’s the digital equivalent of fishing with dynamite.
Small and medium businesses are particularly vulnerable here. They often don’t have dedicated security teams, and the person managing social media might be wearing multiple hats. When you’re juggling customer service, content creation, and now security vigilance, something’s bound to slip through. And these attackers know that.
What you can actually do
So what’s the defense here? The usual suspects apply – multi-factor authentication, password managers, employee training. But there’s something more fundamental needed: we have to stop trusting sender addresses alone. Just because an email comes from a legitimate domain doesn’t mean it’s safe. That’s a hard habit to break.
Companies need to drill into their teams that they should never enter credentials from an email link – always navigate directly to the site. And they should be monitoring their Facebook Business accounts for any suspicious pages or activity. The scary part? This vulnerability exists because of how Facebook designed their Business Suite notification system. Until they fix that, we’re all playing whack-a-mole with these attacks.
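The advice above comes down to one rule: a legitimate sender domain is context, not a verdict. The following triage script is an added example written for this post, not code from the article, TechRadar, or Check Point Research. It parses a notification email, records the sender domain, and decides on the basis of the lure themes named in the article (verification, partner programs, ad credits) and whether the links leave the platform. The allowlist of first-party link hosts, the keyword list, the `.invalid` attacker host and both sample messages are constructed assumptions, not observed campaign data.

```python
"""Triage rule for phishing that arrives from a trusted domain.

Added example for this post (not the article's or Facebook's code).
Assumed and constructed: FIRST_PARTY_HOSTS, LURE_PATTERNS, and the two
sample messages below, including the '.invalid' attacker host.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hosts a genuine Facebook/Meta notification is expected to link to (assumed list).
FIRST_PARTY_HOSTS = {"facebook.com", "meta.com", "fb.com"}

# Lure themes the article describes, plus the usual urgency cues (assumed list).
LURE_PATTERNS = [
    r"verif(y|ication)",
    r"partner program",
    r"ad(vertising)? credit",
    r"within \d+ hours?",
    r"(suspend|restrict)(ed)?",
]

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def sender_domain(msg):
    """Domain of the From: address; recorded for context, never used as the verdict."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def body_text(msg):
    """Concatenate the text/plain and text/html parts as decoded text."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode("utf-8", "replace"))
    return "\n".join(chunks)


def is_first_party(host):
    """True only for an allowlisted host or a subdomain of one (no substring matching)."""
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in FIRST_PARTY_HOSTS)


def off_platform_links(text):
    """Every URL in the text whose host is not first-party."""
    return [u for u in URL_RE.findall(text)
            if not is_first_party(urlparse(u).hostname or "")]


def triage(raw):
    """Return the sender domain, a verdict, and the reasons behind it."""
    msg = message_from_string(raw)
    text = body_text(msg)
    haystack = (msg.get("Subject", "") + "\n" + text).lower()
    reasons = []
    lures = [p for p in LURE_PATTERNS if re.search(p, haystack)]
    if lures:
        reasons.append("lure themes: " + ", ".join(lures))
    bad_links = off_platform_links(text)
    if bad_links:
        reasons.append("off-platform links: " + ", ".join(bad_links))
    # A lure theme combined with a link off the platform is the pattern the article describes.
    if lures and bad_links:
        verdict = "suspicious"
    elif reasons:
        verdict = "review"
    else:
        verdict = "clean"
    return {"from_domain": sender_domain(msg), "verdict": verdict, "reasons": reasons}


# Constructed sample: lure sent through the real notification domain.
SAMPLE_LURE = """From: "Facebook Security" <notification@facebookmail.com>
Subject: Action required: verify your business account within 24 hours
Content-Type: text/plain; charset=utf-8

Your Page may be restricted. Confirm ownership here:
http://meta-business-verify.invalid/login
"""

# Constructed sample: ordinary notification that links back to the platform.
SAMPLE_BENIGN = """From: Facebook <notification@facebookmail.com>
Subject: Your Page has a new follower
Content-Type: text/plain; charset=utf-8

Someone started following your Page. See it here:
https://www.facebook.com/pages/
"""

if __name__ == "__main__":
    for sample in (SAMPLE_LURE, SAMPLE_BENIGN):
        print(triage(sample))
```

Both samples come from `facebookmail.com`, so a rule keyed on the sender would pass both; the verdict instead rests on what the message asks for and where it sends the reader. Running the script prints `suspicious` for the lure and `clean` for the follower notice. Tune the keyword and host lists to your own mail stream; a `review` verdict (only one signal present) is where a human should look.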
Looking at the broader picture, this is exactly why businesses need robust security infrastructure. While this particular threat targets social media management, the same principles apply across all digital operations – verify everything, trust nothing automatically. For companies operating in industrial environments where reliability is non-negotiable, this kind of security mindset is absolutely essential.

I don’t think the title of your article matches the content lol. Just kidding, mainly because I had some doubts after reading the article.