
Phishing on Steroids: New Campaign Uses Fake Meta Chat Support to Hijack Business Accounts

In a disturbing evolution of social engineering, cybercriminals have launched an elaborate phishing campaign designed to hijack Meta Business accounts. It comes complete with a convincing fake chat support experience, detailed setup guides, and an abuse of Meta's own two-factor authentication (2FA) settings: the victim is talked into enrolling an authenticator that the attacker controls.

Discovered by the Cofense Phishing Defense Center (PDC), this campaign takes aim at small and midsize businesses that rely heavily on Instagram and Facebook advertising. The attack begins with a jarring subject line, "YOUR ADS ARE TEMPORARILY SUSPENDED", in a spoofed support email impersonating Instagram, with bogus claims of policy violations and references to GDPR regulations. The intent? Induce panic. And it works.

“This isn’t your average phishing attempt,” said a Cofense spokesperson. “The attackers went above and beyond, not only spoofing Meta’s branding with precision but also simulating a full customer service experience.”

The Setup: A Panic-Inducing Email

The phishing email mimics Instagram's branding and claims that the user's ads have been pulled over legal violations. Clicking the call-to-action, "Check more Details", sends the user to a professional-looking page impersonating Meta Business Help. Despite appearances, the address bar gives it away: the page sits on a domain such as businesshelp-manager[.]com, not on any Meta-owned domain.
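As an added illustration (this is not code from the article, from Cofense or from Meta), the following Python check applies the "look at the sender and the URL" advice to a constructed copy of such an email. The message text, the recipient address and the allowlist of Meta domains are assumptions for the example; only the domain businesshelp-manager[.]com comes from the report. The host check matches on a dot boundary, so a Meta brand used as a subdomain of the attacker's domain is still flagged, which a naive substring test would miss.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Illustrative allowlist (assumption for this example): domains Meta sends
# from and links to. Confirm against Meta's published sender domains and your
# own mail logs before using it for enforcement.
META_DOMAINS = {"facebook.com", "instagram.com", "meta.com", "facebookmail.com"}

# Constructed sample, modelled on the lure described in the article.
# Only businesshelp-manager[.]com is taken from the report; the recipient
# and the body wording are made up for this example.
SAMPLE_EMAIL = """\
From: Instagram Support <support@businesshelp-manager[.]com>
To: ads@example-shop.com
Subject: YOUR ADS ARE TEMPORARILY SUSPENDED
Content-Type: text/plain; charset=utf-8

Your ads were suspended for a policy violation (GDPR).
Check more Details: https://business.facebook.com.businesshelp-manager[.]com/review
Official help: https://www.facebook.com/business/help
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
URGENCY_RE = re.compile(r"\b(suspended|violation|disabled|within \d+ hours?)\b", re.I)


def refang(text: str) -> str:
    """Turn defanged 'example[.]com' back into a parseable 'example.com'."""
    return text.replace("[.]", ".")


def is_trusted_host(host: str, trusted=META_DOMAINS) -> bool:
    """True only if host IS a trusted domain or a subdomain of one.

    The dot boundary matters: a naive `'facebook.com' in host` would accept
    business.facebook.com.businesshelp-manager.com; this rejects it.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def assess_email(raw: str) -> list:
    """Return a list of findings; an empty list means nothing looked off."""
    msg = message_from_string(refang(raw))
    findings = []

    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2]
    if not is_trusted_host(sender_domain):
        findings.append(f"sender domain {sender_domain!r} is not a Meta domain "
                        f"(display name claims {display_name!r})")

    if URGENCY_RE.search(msg.get("Subject", "")):
        findings.append("subject uses urgency/suspension language")

    body = msg.get_payload() if not msg.is_multipart() else ""
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if not is_trusted_host(host):
            findings.append(f"link host {host!r} is not a Meta domain")
    return findings


if __name__ == "__main__":
    for finding in assess_email(SAMPLE_EMAIL):
        print("FLAG:", finding)
```

Run against the sample, the check flags the sender domain, the urgency in the subject and the lookalike link, while the genuine www.facebook.com link passes. The same logic fits a mail-gateway rule or a SOC triage script once the allowlist is confirmed.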

Once there, victims are given two routes: speak with a “support agent” via chatbot or follow a do-it-yourself guide to “restore” their account.

Spoiler alert: both paths lead straight to account compromise.

The Hook: Fake Chatbots and Phony Fixes

Opting for the chatbot opens up what appears to be a live support dialogue. Victims are asked to share their business name, screenshots of their Meta Business Suite, and even their personal contact number—under the guise of security verification.

In parallel, the attackers present a second option: a "System Check" guide complete with step-by-step instructions and a seemingly helpful video. The goal is the same either way: to trick users into enrolling an attacker-controlled authenticator as a login method in their account's two-factor authentication (2FA) settings.

The hacker's endgame? Persistent access to the victim’s Meta account, which can be used for ad fraud, data theft, or selling access on the dark web.

Exploiting 2FA: When Security Becomes the Threat

Where this campaign stands out is in its manipulation of Meta's own security features. Users are coached, either by the fake chatbot or by the step-by-step guide, to add a new 2FA authenticator named "SYSTEM CHECK" in their account's security settings. It is not a diagnostic tool; it is the attacker's own authenticator app. Once it is enrolled, the attacker can generate valid second-factor codes on demand, so the control that should block an attacker's login instead approves it. Anyone who has followed such a guide should open their Meta security settings, remove any authentication app or device they did not knowingly add, and review where the account is currently logged in.

"The attackers know that trust in automation is growing," said the Cofense spokesperson. "By simulating Meta’s tech support experience, they’re short-circuiting the user’s skepticism. It’s social engineering wrapped in a UX design lesson."

Why This Campaign Is Dangerous

There’s a chilling sophistication to this phishing campaign. The fake landing pages are pixel-perfect clones. The email’s tone and urgency are expertly crafted. Even the chatbot’s responses are designed to mirror those of actual Meta support reps, right down to the wait times and escalation language.

More importantly, this scam targets businesses—entities for whom account access directly impacts revenue. The potential fallout includes disrupted ad campaigns, lost customer data, reputational damage, and in some cases, financial fraud.

The Takeaway: Slow Down and Verify

In the arms race between attackers and defenders, phishing campaigns like this demonstrate how far the threat actors are willing to go.

“If something feels off—like being asked to add a new device for 2FA or enter your credentials after clicking a link—don’t do it,” the Cofense team advises. “Instead, log into your account directly through the official site and check for alerts there.”

As social media becomes increasingly intertwined with core business operations, threat actors are adapting with frightening agility. The best defense, for now, is vigilance. And maybe, a little paranoia.

Pro Tips to Stay Safe

✔️ Never click on links in unexpected emails, especially ones urging urgent action; open the site directly instead
✔️ Always double-check the full URL (the actual domain in the address bar, not the branding on the page) before entering any credentials
✔️ Prefer hardware security keys (FIDO2/WebAuthn) for 2FA: a remote "support agent" cannot enroll or use one. App-based codes are better than SMS, but, as this campaign shows, only if you alone control every enrolled authenticator
✔️ Periodically review the 2FA methods, devices and active sessions on your Meta account and remove anything you did not deliberately add
✔️ Report phishing emails to your internal IT/security team or directly to Meta

Stay sharp out there—because the bots are getting smarter, and so are the humans behind them.
