Facebook Phishing Through Google: What Teams Should Do

Marcus Chen · 7 min read

A Trusted Sender Is No Longer Enough

Security teams have spent years teaching employees to look for spoofed senders, broken domains, and failed email authentication. That advice still matters, but a recent Facebook phishing campaign shows why it is no longer enough on its own.

On May 4, 2026, Malwarebytes reported on a long-running phishing operation that used Google's AppSheet platform to send convincing emails about Facebook policy violations, copyright complaints, verification issues, and account security checks. The original research from Guardio Labs tracks the campaign as AccountDumpling and estimates more than 30,000 Facebook accounts were compromised.

The targets were not random personal accounts. Many were business pages, advertiser accounts, brand profiles, and people who manage Facebook assets with real financial value. Once attackers gained control, they could run fraudulent ads, impersonate trusted brands, sell access, or offer fake account recovery services to the same victims.

How the AppSheet Abuse Worked

Google AppSheet is a legitimate no-code platform used to build apps, automate workflows, and send notifications. That legitimate purpose is exactly what made the phishing campaign effective. The emails could appear to come from [email protected] and be delivered through Google-controlled infrastructure such as appsheet.bounces.google.com.

From a purely technical email-authentication perspective, that can look clean. SPF, DKIM, and DMARC pass because Google really did send the message, and DMARC alignment is evaluated against the From: domain in the header, an AppSheet domain, not against facebook.com. The problem is that those checks answer a narrow question: did this message come from a system authorized to send for the domain it claims? They say nothing about the question that matters most to the person reading it: is this message truthful, expected, and safe to act on?

This is the trust inversion defenders now have to plan for. Attackers are not only spoofing brands anymore. They are abusing trusted services, collaboration platforms, file-sharing tools, app builders, and notification systems to carry malicious messages through otherwise reputable channels.

Why Facebook Business Accounts Are Valuable

For criminals, a Facebook business account is more than a login. It may include ad spend access, brand reputation, payment methods, audience data, connected Instagram assets, and permissions across multiple pages. That makes it useful as both a target and a launchpad.

The phishing pages in this campaign were designed to collect more than a password. Depending on the lure, victims could be asked for contact details, business information, recovery data, date of birth, phone number, multiple two-factor authentication codes, and even ID images. That collection pattern matters because attackers are not just trying to log in once. They are trying to take over the account and make recovery harder for the rightful owner.

The lures also matched the pressure points that matter to marketing and business teams. A page disablement warning threatens revenue and reputation. A copyright complaint suggests legal trouble. A verification issue or blue badge review plays on status and opportunity. A fake recruiter message can shift the victim from email into a live conversation. Different emotional hooks, same outcome: move fast, click the link, submit the recovery pack.

Red Flags Your Team Should Recognize

This campaign is a useful reminder that employees should not treat a passing sender check as a final safety decision. They need simple, practical patterns they can apply under pressure.

Urgent Account Threats

Messages that claim a Facebook or Instagram account will be disabled, locked, punished, or restricted within 24 hours deserve extra scrutiny. Real account issues should be verified directly inside the platform, not through a link in an email.

Unexpected Google Infrastructure

Facebook and Instagram do not normally send policy complaints, verification requests, job offers, or security checks through Google AppSheet notifications. If the topic is Meta but the delivery path points to a generic app notification service, treat that mismatch as a warning sign.
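The mismatch described above, an authenticated sender domain that does not belong to the brand named in the message, is something a mail gateway or SOAR step can score automatically, and the same logic illustrates why the SPF/DKIM/DMARC results discussed earlier are not a verdict on their own. The following is an added example written for this article; it is not code from the page, from Guardio Labs, Malwarebytes, or empowsec. It assumes the raw RFC 5322 message text is available. The two sample messages, including their mailboxes and Authentication-Results headers, are constructed for illustration (the real campaign's sender address is not reproduced), and the BRAND_DOMAINS table is a deliberately short stand-in that a real deployment would populate from its own DMARC reporting and Meta's documented sending domains.

```python
"""
Score a message for brand/sender-domain mismatch even when authentication passes.

Added example for this article; not code from the page, Guardio, Malwarebytes
or empowsec. Sample messages below are constructed, not campaign artifacts.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Brand keyword -> domains that brand legitimately sends from.
# Constructed, intentionally short; a real deployment maintains this from
# its own DMARC aggregate reports and the brand's published sender domains.
BRAND_DOMAINS = {
    "facebook": {"facebook.com", "facebookmail.com", "meta.com"},
    "instagram": {"instagram.com", "facebookmail.com", "meta.com"},
    "meta": {"meta.com", "facebookmail.com"},
}

URGENCY = re.compile(
    r"within \d+ hours|will be (disabled|locked|restricted|removed)|action required",
    re.I,
)


def auth_results(msg: Message) -> dict:
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers.

    The first header wins for each mechanism, so an attacker-supplied copy
    appended below the gateway's own header cannot override it.
    """
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            results.setdefault(mech.lower(), verdict.lower())
    return results


def sender_domain(msg: Message) -> str:
    """Domain of the RFC 5322 From: address, which is what DMARC aligns on."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def body_text(msg: Message) -> str:
    """Plain-text body, joined across MIME parts."""
    if msg.is_multipart():
        return "\n".join(
            p.get_payload(decode=True).decode(errors="replace")
            for p in msg.walk()
            if p.get_content_type() == "text/plain"
        )
    return msg.get_payload(decode=True).decode(errors="replace")


def domain_matches(dom: str, allowed: set) -> bool:
    """True if dom is one of the allowed domains or a subdomain of one."""
    return any(dom == a or dom.endswith("." + a) for a in allowed)


def classify(raw: str) -> dict:
    """Return auth verdicts plus a brand-mismatch verdict for one raw message."""
    msg = message_from_string(raw)
    auth = auth_results(msg)
    dom = sender_domain(msg)
    display_name, _ = parseaddr(msg.get("From", ""))
    # Display name and subject are where the impersonated brand usually appears.
    text = "\n".join([display_name, msg.get("Subject", ""), body_text(msg)])
    brands = {b for b in BRAND_DOMAINS if re.search(rf"\b{b}\b", text, re.I)}
    impersonated = sorted(b for b in brands if not domain_matches(dom, BRAND_DOMAINS[b]))
    if impersonated and auth.get("dmarc") == "pass":
        reason = "authenticated third-party sender names a brand it cannot send for"
    elif impersonated:
        reason = "unauthenticated sender names a brand it cannot send for"
    else:
        reason = "no brand mismatch"
    return {
        "sender_domain": dom,
        "auth": auth,
        "impersonated": impersonated,
        "urgent": bool(URGENCY.search(text)),
        "verdict": "suspicious" if impersonated else "ok",
        "reason": reason,
    }


# Constructed sample: a lure delivered through a third-party notification
# service. Authentication passes for the service's own domain, not for Meta.
SAMPLE_PHISH = """\
Return-Path: <bounce@appsheet.bounces.google.com>
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=appsheet.bounces.google.com;
 dkim=pass header.d=appsheet.com;
 dmarc=pass header.from=appsheet.com
From: "Meta Business Support" <notifications@appsheet.com>
To: marketing@example.net
Subject: Facebook page policy violation: action required within 24 hours
Content-Type: text/plain; charset=utf-8

Your Facebook business page has been flagged for a copyright complaint.
Submit an appeal at https://example.invalid/appeal or the page will be disabled.
"""

# Constructed sample: a notice from a domain the brand really sends from.
SAMPLE_LEGIT = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=facebookmail.com; dkim=pass header.d=facebookmail.com; dmarc=pass header.from=facebookmail.com
From: Facebook <security@facebookmail.com>
To: marketing@example.net
Subject: New login to your Facebook account
Content-Type: text/plain; charset=utf-8

Someone logged in to your Facebook account from a new device.
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, classify(raw))
```

A rule like this will fire on legitimate mail too (agencies, newsletter tools, and ticketing systems all send about brands they do not own), so it belongs in a scoring pipeline that adds a warning banner or routes the message to review rather than in a hard block. The useful property is that it keys on exactly the gap the article describes: the From: domain DMARC aligned on versus the brand the message is asking the reader to trust.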

Credential and Recovery Overcollection

A legitimate appeal process should not ask for a password, repeated 2FA codes, business details, phone number, date of birth, and ID images in one flow. When a form asks for enough information to control the account and reset recovery options, stop immediately.

Links That Avoid the Official App

The safest response to a scary platform message is to open the official Facebook or Instagram app directly, or type the known domain into the browser. If there is a real restriction, it should appear in the account's own support inbox or security center.

Odd Messages From Real Accounts

Compromised accounts are often reused to attack more people. An unusual message from a real Facebook account, brand page, or colleague can still be malicious if the account is no longer under the rightful owner's control.

How empowsec Helps Turn This Into Behavior

The lesson from this campaign is not "employees should read headers like analysts." The lesson is that teams need repeatable behavior when a message creates pressure, looks plausible, and arrives through a service they recognize.

empowsec helps organizations build that behavior in three connected ways.

Realistic Phishing Simulations

Security awareness works best when simulations reflect what attackers are doing now. With empowsec, organizations can run phishing simulations that mirror current lures such as platform policy warnings, social media account alerts, fake verification requests, recruiter outreach, and business-page security notices. Employees practice pausing, checking the destination, and reporting instead of reacting.

Targeted Training After the Click

When someone clicks or submits data in a simulation, the goal is not punishment. The goal is immediate learning. empowsec can connect simulation outcomes to focused microlearning so employees understand the exact cue they missed: the unexpected delivery channel, the urgency, the link destination, or the overcollection of recovery data.

One-Click Reporting and Measurable Response

Fast reporting is critical when a campaign is active. empowsec's email reporting workflows help employees send suspicious messages to the right team without copying headers or guessing the process. Security teams can then track reports, review patterns, and measure which departments are detecting suspicious messages before they become incidents.

That closed loop matters. Training teaches the pattern. Simulations test the pattern. Reporting proves the pattern is being used against real messages. Over time, security teams get a clearer view of risk by team, role, and behavior, not just by annual training completion.

What Security Teams Should Do Now

If your organization manages Facebook pages, Instagram business accounts, or paid advertising accounts, treat this campaign as a prompt to tighten both technical controls and employee workflows.

  • Review Meta admin access. Remove stale page admins, agency users, and former employees from business assets.
  • Require strong MFA. Prefer security keys or passkeys for employees with page or ad account privileges: this campaign harvested multiple authenticator codes from victims, and phishing-resistant methods give an attacker no code to relay. Authenticator apps remain better than SMS where keys are not an option.
  • Enable login alerts. Make sure account owners receive alerts for new devices and locations.
  • Document the verification path. Tell employees to check Facebook or Instagram account status only through the official app or known domain.
  • Refresh phishing simulations. Add current trusted-platform abuse scenarios, not only classic spoofed-domain examples.
  • Make reporting effortless. The faster employees report suspicious messages, the faster security teams can warn others and contain the threat.

Key Takeaways

The Facebook AppSheet campaign is a strong example of where phishing is heading: attackers are borrowing the trust of major platforms instead of relying only on fake infrastructure.

  • Authentication is not intent. SPF, DKIM, and DMARC can confirm the sending platform without proving the message is legitimate.
  • Business social accounts are high-value assets. Treat page and ad account access like any other privileged business system.
  • Recovery data is sensitive. Passwords, repeated 2FA codes, ID images, and personal details can give attackers durable control.
  • Verification should happen out of band. Go directly to the official app or website instead of following email links.
  • Training must match current attacks. empowsec helps teams practice, report, and improve against the types of phishing campaigns employees are actually seeing.

Trusted services will continue to be abused because trust is exactly what attackers want to borrow. The best defense is a workforce that knows how to pause, verify, and report even when the sender looks familiar.
