The scam begins with the recipient getting an unsolicited message claiming to be from “Meta Business Support”. The message alleges that the recipient’s Facebook/Meta page has been reported for certain violations such as using someone else’s name or photos or sharing misleading content. It claims that this is not the first warning and immediate action needs to be taken to avoid the page being disabled permanently.
The message then provides a link to a fake Facebook page asking the recipient to “Confirm your account” within 24 hours. This phishing page is designed to harvest personal information and login credentials or spread malware to the victim’s device.
The scam message is carefully crafted to cause panic and urge urgent action from the recipient. It uses the names of legitimate platforms like Meta and incorporates official-sounding language related to intellectual property violations. This is done to exploit the trust users have in Facebook/Meta and their fear of losing access to their page which often represents a business asset.
How the Scam Works
Here is a step-by-step breakdown of how the “Meta Business Support” phishing scam operates:
1. Unsolicited Message
The scam starts with an unsolicited message sent to the victim’s Facebook inbox. The sender name is shown as “Meta Business Support” to appear credible.
A sample message reads:
Sender: Meta Business Support,
Your Page Has Been Disabled.
I.N.C. International Concepts has reported that your article:
1. Using someone else’s fake name/photo.
2. Share content that misleads other users.
We’ve warned in the past that if you continue to post content on your page that infringes someone else’s intellectual property rights, your Page will be disabled. If you believe this is an error in our system, please verify your
account at the link below. Account Confirmation: https://mfb.social/p/help/
Confirm your account within the next 24 hours otherwise our your Page may be permanently disabled. Meta Security Team.
The message uses scare tactics like mentioning past warnings and the impending permanent disablement of the page. This is done to create a sense of urgency.
2. Phishing Link
The message includes a link to a fake domain “mfb.social” which has no connection to the official facebook.com or meta.com.
This deceptive link directs to a phishing page masquerading as a Facebook account verification page. The look and feel of this page are very similar to real Facebook, including the company logo and branding.
3. Submit Credentials
Once on the phishing page, the user is asked to verify their account by submitting their login credentials and personal information. These details are then harvested by the scam operators.
In some cases, the page may contain a malware file disguised as an update that infects the victim’s device when downloaded.
4. Account Compromised
With the user’s login details, the scammers can now access their Facebook account and page. They use this to send more phishing messages to the victim’s friends and contacts, thereby spreading the scam further.
The account access also allows them to post spam content or malicious links using the victim’s identity. They may even attempt to extort money from the victim by threatening to disable their page.
This can result in the legitimate account being disabled by Facebook/Meta for suspicious activity. The victim may also suffer financial loss and identity theft if sensitive information was shared.
What to Do If You Get This Message
If you receive a suspicious message claiming to be from Meta Business Support or mentioning the I.N.C. International Concepts complaint:
- Do not click on any links provided in the message. They will direct to a fake website intended to steal your information.
- Check the sender’s email address. Scam messages usually come from non-official email IDs. Meta/Facebook will never email you from addresses like @outlook.com or @gmail.com.
- Look for spelling/grammar mistakes. Legitimate messages from Meta are professionally written and free of errors. Scams tend to have typos, awkward phrasings and incorrect grammar.
- Verify directly with Meta. If concerned, log into your Facebook account and check for any notifications about your page being at risk. Contact Meta Business Support through official channels like live chat for confirmation.
- Report the message. Use Facebook/Meta’s reporting tools to flag the scam message as fraudulent so they can address it. This helps protect other users.
- Change account passwords. If you shared personal info, immediately change your Facebook, email and other account passwords. Enable two-factor authentication for added security.
- Scan devices for malware. If you downloaded any files, get your devices scanned by antivirus software to remove any potential malware or spyware.
What to Do If You Already Submitted Your Info
If you already provided your login credentials or personal information through the phishing site before realizing it’s a scam, take these steps right away:
- Secure your accounts. Change the passwords for your Facebook/Meta account, email, and any other accounts using the same credentials. Enable login approvals/multi-factor authentication wherever possible.
- Check for unauthorized access. Review all recent posts and activity on your Facebook page to see if the scammers have accessed your account already. Check connected apps and remove anything suspicious.
- Report compromised account. Use Facebook/Meta’s account recovery and hacking reporting process to get help securing and recovering your account.
- Contact banks/credit bureaus. If banking information or government IDs were shared, notify your financial institutions and credit bureaus to watch for suspicious activity.
- Monitor accounts and credit reports. Be vigilant about checking bank statements, credit reports and account activity over the next few months for any signs of misuse of your personal information.
The “Meta Business Support” scam is an attempt to misuse the Meta brand to deceive page owners into compromising their account security and personal data. Always verify unfamiliar messages before acting. Use official Meta channels for any account-related issues. Be vigilant about phishing risks to protect yourself and your audience on social media.
Here are 10 basic security tips to help you avoid malware and protect your device:
Use a good antivirus and keep it up-to-date.
It’s essential to use a good quality antivirus and keep it up-to-date to stay ahead of the latest cyber threats. We are huge fans of Malwarebytes Premium and use it on all of our devices, including Windows and Mac computers as well as our mobile devices. Malwarebytes sits beside your traditional antivirus, filling in any gaps in its defenses, and providing extra protection against sneakier security threats.
Keep software and operating systems up-to-date.
Keep your operating system and apps up to date. Whenever an update is released for your device, download and install it right away. These updates often include security fixes, vulnerability patches, and other necessary maintenance.
Be careful when installing programs and apps.
Pay close attention to installation screens and license agreements when installing software. Custom or advanced installation options will often disclose any third-party software that is also being installed. Take great care in every stage of the process and make sure you know what it is you’re agreeing to before you click “Next.”
Install an ad blocker.
Use a browser-based content blocker, like AdGuard. Content blockers help stop malicious ads, Trojans, phishing, and other undesirable content that an antivirus product alone may not stop.
Be careful what you download.
A top goal of cybercriminals is to trick you into downloading malware—programs or apps that carry malware or try to steal information. This malware can be disguised as an app: anything from a popular game to something that checks traffic or the weather.
Be alert for people trying to trick you.
Whether it’s your email, phone, messenger, or other applications, always be alert and on guard for someone trying to trick you into clicking on links or replying to messages. Remember that it’s easy to spoof phone numbers, so a familiar name or number doesn’t make messages more trustworthy.
Back up your data.
Back up your data frequently and check that your backup data can be restored. You can do this manually on an external HDD/USB stick, or automatically using backup software. This is also the best way to counter ransomware. Never connect the backup drive to a computer if you suspect that the computer is infected with malware.
Choose strong passwords.
Use strong and unique passwords for each of your accounts. Avoid using personal information or easily guessable words in your passwords. Enable two-factor authentication (2FA) on your accounts whenever possible.
Be careful where you click.
Be cautious when clicking on links or downloading attachments from unknown sources. These could potentially contain malware or phishing scams.
Don’t use pirated software.
Avoid using Peer-to-Peer (P2P) file-sharing programs, keygens, cracks, and other pirated software that can often compromise your data, privacy, or both.
To avoid potential dangers on the internet, it’s important to follow these 10 basic safety rules. By doing so, you can protect yourself from many of the unpleasant surprises that can arise when using the web.