Reading view

Thousands of Facebook accounts stolen by phishing emails sent through Google

Researchers have uncovered a long-running phishing operation that abuses trusted Google services to hijack tens of thousands of Facebook accounts.

The compromised Facebook accounts are mainly business and advertiser profiles, which criminals can monetize after gaining access and control.

The attackers found a way to send phishing emails that come “through Google,” making them look legitimate at first glance. The emails are sent via Google’s AppSheet platform, so they pass the usual technical checks (SPF, DKIM, DMARC), and many email filters treat them as trusted.

Google AppSheet is a development platform that lets people build mobile and web apps without writing code. It can automate workflows and notifications, typically used to send app-driven alerts and internal updates.

And that’s where the phishers abused it. The sender name can be customized, and the sending address may look something like noreply@appsheet.com, delivered through appsheet.bounces.google.com. To the average user, it looks like a perfectly normal notification, in these cases often about Facebook policy violations, copyright complaints, or verification issues.

Researchers linked these emails to a Vietnamese‑linked operation that has already compromised around 30,000 Facebook accounts and is still active.

The stolen accounts are mostly pages and business profiles that have financial value: advertising accounts, brand pages, and companies that rely on Facebook for marketing. Once inside, attackers run scams, place fraudulent ads, or sell access to others. In some cases, the same group offers “account recovery” services to fix the problems they created.


Scam or legit? Scam Guard knows.


No matter the lure, the goal is the same: Facebook credentials, 2FA codes, and recovery data. The phishing sites are just the entry point. Behind them is a fairly industrial infrastructure built around Telegram bots and channels to collect and process stolen data.

How to stay safe

This campaign is not “just another phishing mail.” It is one more example of how attackers exploit the trust we place in major platforms.

Facebook does not send complaints, verification requests, security checks, job offers, and other urgent messages through Google infrastructure.

  • Any email that claims your Facebook or Instagram account is about to be disabled, locked, or punished deserves extra scrutiny, especially if it demands action within 24 hours.
  • If you get a worrying message about your account, go directly to facebook.com or the Facebook app. Don’t click links in the message.
  • If a form asks for password, multiple 2FA codes, date of birthm phone number, and ID photos in one go, then stop. That’s the “full recovery pack” these attackers need to take over your account.
  • Set up 2FA for Facebook and set up login alerts for new devices and locations.
  • Be cautious with unusual messages from Facebook accounts. The account itself may be compromised.

Pro tip: Malwarebytes Scam Guard can help you spot phishing emails and messages on any platform. You can even use it in Claude and ChatGPT.


Someone’s watching your accounts. Make sure it’s us.


  •  

Meta rolls out anti-scam tools across WhatsApp, Facebook, and Messenger

Meta has rolled out more anti-scam protections across WhatsApp, Facebook, and Messenger to fight sophisticated fraud tactics. The features will help stop celebrity impersonators and brand spoofers from defrauding its users, the company said.

Meta is also targeting attackers who exploit legitimate platform features like device linking to hijack accounts. People use this feature to connect more than one of their devices to their account, enabling them to flit between their phone and their computer without skipping a beat.

Scammers fool users into sharing phone numbers and linking codes that then let them link their own malicious devices to the user’s account. They can then access the victim’s messages and send messages impersonating them. Victims usually retain account access, making breaches harder to detect.

More protections in Facebook and Messenger

The protections go beyond WhatsApp. Meta has also deployed AI-powered protections across Facebook and Messenger to catch fraudsters before they hook victims. Facebook will now test warnings for friend requests that seem fishy, flagging profiles with few mutual connections or mismatched locations.

Messenger’s scam detection can also identify patterns like bogus job offers from new contacts. Users can submit suspicious chats for AI review, which analyzes text, images, and contextual signals to spot celebrity impersonation schemes. So if Brad Pitt’s mum appears to be matchmaking, you’ll have a digital wingman to restore your sense of reality.

The new measures also spot brand spoofing and deceptive links, so if someone tries to direct you to a fake website for a well-known company, Meta will do its best to block that.

Malwarebytes users benefit from similar protection through Scam Guard, which analyzes suspicious messages, links, and conversations across multiple platforms, not just one app.

There’s more at play than just altruism

This is part of an ongoing anti-scam campaign by Meta, which launched anti-scam protections on WhatsApp and Messenger last October. It also says that it removed more than 159 million scam ads and dismantled 10.9 million accounts on Facebook and Instagram linked to criminal operations in 2025. It also participated in a global law enforcement operation that arrested 21 suspects and shuttered more than 150,000 accounts linked to Southeast Asian scam networks.

Still, the move may not be entirely altruistic. Regulators have been demanding answers from Facebook about the extent to which it fights scams. Forty-two state attorneys general wrote to the tech giant last June about investment scam ads on its platform. And in November, Consumer Reports asked the FTC and state attorneys to take action against the company over:

“knowingly allowing the proliferation of billions of scam advertisements.”

That request likely stemmed from reports last year suggesting Meta has constrained some anti-scam measures. Reuters reported that the company limited anti-scam enforcement to actions costing no more than 0.15% of total revenue. Internal documents also reportedly estimated that the company received $16bn in revenue from scam ads (an estimate Meta later disputed as “rough and overly inclusive”).

Meta has said it wants 90% of its ad revenue to come from verified advertisers by 2026, up from around 70% today, in an effort to reduce scam advertising on its platforms.

September also saw the European Commission request information from Apple, Booking.com, Bing, Google Play, and Google Search about how they identify and manage risks related to financial scams under the Digital Services Act. While they didn’t explicitly mention Meta, scrutiny about platforms’ scam-fighting efforts in the EU is clearly increasing.

Nevertheless, the new protections arrive at a timely moment. Dutch intelligence recently warned about phishing campaigns targeting government employees through Signal and WhatsApp. The operation relies on social engineering techniques that abuse legitimate authentication features.

Scams continue to bite consumers hard. Americans lost $13.7bn to cyber-enabled fraud in 2024, according to the FBI’s April 2025 Internet Crime Report


We don’t just report on scams—we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard. Submit a screenshot, paste suspicious content, or share a link, text or phone number, and we’ll tell you if it’s a scam or legit. Available with Malwarebytes Premium Security for all your devices, and in the Malwarebytes app for iOS and Android.

  •  

Child exploitation, grooming, and social media addiction claims put Meta on trial

Meta is facing two trials over child safety allegations in California and New Mexico. The lawsuits are landmark cases, marking the first time that any such accusations have reached a jury. Although over 40 state attorneys general have filed suits about child safety issues with social media, none had gone to trial until now.

The New Mexico case, filed by Attorney General Raúl Torrez in December 2023, centers on child sexual exploitation. Torrez’s team built their evidence by posing as children online and documenting what happened next, in the form of sexual solicitations. The team brought the suit under New Mexico’s Unfair Trade Practices Act, a consumer protection statute that prosecutors argue sidesteps Section 230 protections.

The most damaging material in the trial, which is expected to run seven weeks, may be Meta’s own paperwork. Newly unsealed internal documents revealed that a company safety researcher had warned about the sheer scale of the problem, claiming that around half a million cases of child exploitation are happening daily. Torrez did not mince words about what he believes the platform has become, calling it an online marketplace for human trafficking. From the complaint:

“Meta’s platforms Facebook and Instagram are a breeding ground for predators who target children for human trafficking, the distribution of sexual images, grooming, and solicitation.”

The complaint’s emphasis on weak age verification touches on a broader issue regulators around the world are now grappling with: how platforms verify the age of their youngest users—and how easily those systems can be bypassed.

In our own research into children’s social media accounts, we found that creating underage profiles can be surprisingly straightforward. In some cases, minimal checks or self-declared birthdates were enough to access full accounts. We also identified loopholes that could allow children to encounter content they shouldn’t or make it easier for adults with bad intentions to find them.

The social media and VR giant has pushed back hard, calling the state’s investigation ethically compromised and accusing prosecutors of cherry-picking data. Defence attorney Kevin Huff argued that the company disclosed its risks rather than concealing them.

Yesterday, Stanford psychiatrist Dr. Anna Lembke told the court she believes Meta’s design features are addictive and that the company has been using the term “Problematic Internet Use” internally to avoid acknowledging addiction.

Meanwhile in Los Angeles, a separate bellwether case against Meta and Google opened on Monday. A 20-year-old woman identified only as KGM is at the center of the case. She alleges that YouTube and Instagram hooked her from childhood. She testified that she was watching YouTube at six, on Instagram by nine, and suffered from worsening depression and body dysmorphia. Her case, which TikTok and Snap settled before trial, is the first of more than 2,400 personal injury filings consolidated in the proceeding. Plaintiffs’ attorney Mark Lanier called it a case about:

“two of the richest corporations in history, who have engineered addiction in children’s brains.”

A litany of allegations

None of this appeared from nowhere. In 2021, whistleblower Frances Haugen leaked internal Facebook documents showing the company knew its platforms damaged teenage mental health. In 2023, Meta whistleblower Arturo Béjar testified before the Senate that the company ignored sexual endangerment of children.

Unredacted documents unsealed in the New Mexico case in early 2024 suggested something uglier still: that the company had actively marketed messaging platforms to children while suppressing safety features that weren’t considered profitable. Internal employees sounded alarms for years but executives reportedly chose growth, according to New Mexico AG Raúl Torrez. Last September, whistleblowers said that the company had ignored child sexual abuse in virtual reality environments.

Outside the courtroom, governments around the world are moving faster than the US Congress. Australia banned under 16s from social media in December 2025, becoming the first country to do so. France’s National Assembly followed, approving a ban on social media for under 15s in January by 130 votes to 21. Spain announced its own under 16 ban this month. By last count, at least 15 European governments were considering similar measures. Whether any of these bans will actually work is uncertain, particularly as young users openly discuss ways to bypass controls.

The United States, by contrast, has passed exactly one major federal child online safety law: the Children’s Online Privacy Protection Act (COPPA), in 1998. The Kids Online Safety Act (KOSA), introduced in 2022, passed the Senate 91-3 in mid-2024 then stalled in the House. It was reintroduced last May and has yet to reach a floor vote. States have tried to fill the gap, with 18 proposed similar legislation in 2025, but only one of those was enacted (in Nebraska). A comprehensive federal framework remains nowhere in sight.

On its most recent earnings call, Meta acknowledged it could face material financial losses this year. The pressure is no longer theoretical. The juries in Santa Fe and Los Angeles will now weigh whether the company’s design choices and safety measures crossed legal lines.

If you want to understand how social media platforms can expose children to harmful content—and what parents can realistically do about it—check out our research project on social media safety.


We don’t just report on threats – we help protect your social media

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

  •  

Meta confirms it’s working on premium subscription for its apps

Meta plans to test exclusive features that will be incorporated in paid versions of Facebook, Instagram, and WhatsApp. It confirmed these plans to TechCrunch.

But these plans are not to be confused with the ad-free subscription options that Meta introduced for Facebook and Instagram in the EU, the European Economic Area, and Switzerland in late 2023 and framed as a way to comply with General Data Protection Regulation (GDPR) and Digital Markets Act requirements.

From November 2023, users in those regions could either keep using the services for free with personalized ads or pay a monthly fee for an ad‑free experience. European rules require Meta to get users’ consent in order to show them targeted ads, so this was an obvious attempt to recoup advertising revenue when users declined to give that consent.

This year, users in the UK were given the same choice: use Meta’s products for free or subscribe to use them without ads. But only grudgingly, judging by the tone in the offer… “As part of laws in your region, you have a choice.”

As part of laws in your region, you have a choice
The ad-free option that has been rolling out coincides with the announcement of Meta’s premium subscriptions.

That ad-free option, however, is not what Meta is talking about now.

The newly announced plans are not about ads, and they are also separate from Meta Verified, which starts at around $15 a month and focuses on creators and businesses, offering a verification badge, better support, and anti‑impersonation protection.

Instead, these new subscriptions are likely to focus on additional features—more control over how users share and connect, and possibly tools such as expanded AI capabilities, unlimited audience lists, seeing who you follow that doesn’t follow you back, or viewing stories without the poster knowing it was you.

These examples are unconfirmed. All we know for sure is that Meta plans to test new paid features to see which ones users are willing to pay for and how much they can charge.

Meta has said these features will focus on productivity, creativity, and expanded AI.

My opinion

Unfortunately, this feels like another refusal to listen.

Most of us aren’t asking for more AI in our feeds. We’re asking for a basic sense of control: control over who sees us, what’s tracked about us, and how our data is used to feed an algorithm designed to keep us scrolling.

Users shouldn’t have to choose between being mined for behavioral data or paying a monthly fee just to be left alone. The message baked into “pay or be profiled” is that privacy is now a luxury good, not a default right. But while regulators keep saying the model is unlawful, the experience on the ground still nudges people toward the path of least resistance: accept the tracking and move on.

Even then, this level of choice is only available to users in Europe.

Why not offer the same option to users in the US? Or will it take stronger US privacy regulation to make that happen?


We don’t just report on threats – we help protect your social media

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

  •  
❌