Report 5006

Associated Incidents

Incident 9992 Report
Attackers Reportedly Deployed Simulated AI Support Chatbot to Trick Instagram Business Users into Adding Malicious 2FA Login

New Phishing Scam Uses Fake Instagram Chatbot to Hijack Accounts
hackread.com · 2025

A new phishing campaign has been tricking users into giving up access to their Meta Business accounts, especially Instagram. The scam, detected by the Cofense Phishing Defense Center, uses fake chat support and detailed instructions, and attempts to add itself as a secure login method to hijack business accounts.

The phishing campaign starts with a fake Instagram alert email stating that the user’s ads are suspended due to a violation of advertising laws. The email, which appears to be from Instagram’s support team, asks the user to click on a “Check more Details” button to resolve the issue. However, the email is actually sent from a Salesforce address, not Instagram’s official support email.

This scam is a lot like the one that hit Facebook users back in February 2025, where scammers used automated Salesforce emails to trick people into giving up their login credentials by pretending to be Facebook Copyright Notices.

In the latest scam, when the user clicks on the link for more details, they are redirected to a fake page (businesshelp-manager[.]com) that looks similar to a legitimate Meta Business page. The page informs the user that their account is at risk of suspension and termination and asks them to input their name and business email to proceed to a chat support agent.

The attacker then uses two methods to hijack the business account: a fake tech support chatbot or a supposed “setup guide” with step-by-step instructions. The chatbot asks the user for screenshots of their business account and personal information, while the setup guide provides instructions on how to add Two-Factor Authentication (2FA) to the user’s business account.

If the chatbot phishing attempt is unsuccessful, the attacker provides an instructional guide for adding Two-Factor Authentication (2FA) to the user’s business account. This guide mimics a do-it-yourself way to “fix” the user’s account. Users are directed to click on a “View Account Status” button, which reveals detailed instructions on how to start a “System Check” and fix the problem themselves. However, following these steps gives the attacker another way to log in to the Meta Business account, via the attacker’s own authenticator app, named “SYSTEM CHECK.”

According to Cofense’s blog post shared with Hackread.com, the attackers have put a lot of effort into making the scam look legitimate. The emails and landing pages closely resemble official Meta communications, and the inclusion of live agent support adds a layer of deception. The attackers even provide video instructions that walk the user through adding the attacker as a 2FA method.

This phishing campaign stands out from the usual scams and highlights why everyone who uses social media should be aware of common social engineering tricks that scammers use these days. Always double-check the sender and take a close look at the URL before clicking on anything. Using apps like Google Authenticator and Microsoft Authenticator can help block login attempts from suspicious places and unknown devices.
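The sender and URL checks advised above, sketched as an added Python example (not code from Hackread or Cofense): it flags mail whose display name claims Instagram or Meta while the sender domain or the links fall outside a trusted list. The trusted list, the `.example` addresses and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains accepted as genuine; replace with your own verified list.
TRUSTED = {"instagram.com", "facebook.com", "meta.com", "facebookmail.com"}
BRAND = re.compile(r"instagram|meta|facebook", re.I)

def registrable(host):
    """Crude last-two-labels domain; fine for this sample, not a PSL lookup."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def trusted(host):
    return registrable(host) in TRUSTED

def triage(raw):
    """Return findings for a raw, non-multipart RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    # The display name is free text the sender picks; the domain is what to compare.
    if BRAND.search(display) and not trusted(sender_host):
        findings.append(f"brand in display name, sender domain {sender_host}")
    for url in re.findall(r"https?://[^\s\"'<>]+", msg.get_payload()):
        host = urlparse(url).hostname or ""
        if not trusted(host):
            findings.append(f"link leaves trusted domains: {host}")
    return findings

# Constructed sample modelled on the lure described in the article.
LURE = """\
From: Instagram Support <noreply@third-party-mailer.example>
Subject: Your ads have been suspended

Your ads are suspended. Check more Details:
https://lookalike-help.example/status
"""

# Constructed sample of mail that stays inside the trusted list.
GENUINE = """\
From: Instagram <security@mail.instagram.com>
Subject: New login

Review this login: https://www.instagram.com/accounts/login/
"""

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("genuine", GENUINE)):
        print(name, triage(raw))
```

A clean result only means the visible sender and links match the list; the From header itself can be forged, so SPF, DKIM and DMARC results still need to be checked separately.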
