Sophisticated phishing targets Facebook Business accounts via crafted Legal Notice Scams

Guardio Labs reveals a sophisticated phishing campaign impersonating Meta’s legal department to hijack Facebook Business accounts. The attack uses Dropbox links, fake CAPTCHA pages, and simulated login popups to steal credentials. Learn how Guardio stops these deceptive tactics in real time.

Key Takeaways

  • Target: Facebook Business and advertiser accounts with high ad spend and strong reputation.
  • Technique: Fake “Cease and Desist” emails using Dropbox-hosted content, fake CAPTCHA, and a “Browser-in-the-Browser” login window.
  • Goal: Hijack brand Pages and access high-value ad accounts and funds.
  • Why it Works: Uses real company data, familiar design, and legitimate channels to appear credible.
  • Guardio’s Detection: Blocks fake pages instantly before credentials are entered.
  • Lesson: Combine awareness with proactive protection—training isn’t enough when deception looks real.

Let’s take a look at a new campaign recently uncovered by Guardio.

We've recently noticed an uptick in efficient and sophisticated phishing. It targets companies with high-value Facebook Business accounts - advertisers who spend large amounts of money and have built a strong reputation on the platform. The ultimate goal of the attack is to gain control of valuable brand Pages and hijack high-value ad accounts, along with all the funds in them.

The attack utilizes well-crafted emails, content hosted on Dropbox (which is whitelisted on many services), fake CAPTCHAs that fool security tools, and a "browser within browser" UX that draws a second, fake address bar to mislead the user.

The Narrative: A Fake Legal Notice

In this case, scammers contacted company support teams directly, using real information such as the company’s name and official Facebook page to make their approach look legitimate, even personalized. Their message looked like a “Cease and Desist” notice from a well-known record label, claiming copyright infringement on one of the company’s Facebook ads.


 “Cease and Desist” notice from a well-known record label
Now, if you’re a marketing manager, that’s precisely the kind of message that triggers concern and immediate action - exactly what the scammers wanted.

The Trust Illusion: Fake Captcha and “Browser in the Browser”

The email included a Dropbox link to a “document” supposedly containing details about the infringement. Naturally, the support agent forwards it to the marketing manager, who opens the file to understand what’s going on.

Dropbox link to a “document” supposedly with details about the infringement

Inside that document is a link to “evidence”, allegedly a Facebook page showing the problematic post. But this link is truncated (so you can’t see the full URL) and doesn’t actually lead to Facebook at all. Clicking it opens a fake Meta-branded CAPTCHA page, carefully designed to build trust and to bypass automatic phishing detection tools. Once you solve the CAPTCHA, a Facebook login popup window appears within a fake browser window.

Browser within Browser: a fully functional-looking browser window that can be dragged around, distracting the user from the real address bar

Browser within Browser

Full Attack Flow:

That login popup isn’t real. It’s a simulated browser window, part of what’s known as a “Browser-in-the-Browser” (BITB) attack, a technique first detailed by security researcher mr.d0x. This fake popup looks authentic, complete with an address bar and familiar design. But it’s just an illusion sitting on top of the phishing page. You can’t drag it outside the browser window the way you can a real popup, and you can’t navigate away from it. It’s pure visual deception aimed at stealing your credentials.
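The two visual tricks described above (a link whose visible text shows a Facebook URL while its href goes elsewhere, and a brand login host painted as text inside a page whose real host is something else) can both be checked mechanically. The following is an added example written for this post, not Guardio's code and not a description of how Guardio's detection works. It is a defender-side heuristic that runs offline in Node over a raw HTML string; the BRAND_LOGIN_HOSTS list and all sample HTML are constructed assumptions, and the real hostname is passed in separately because it must come from the browser, never from the page content.

```javascript
// Added example, not Guardio's code: page-inspection heuristics a defender-side scanner
// (browser extension, mail-gateway sandbox) could apply to rendered HTML. Works on a raw
// HTML string so it runs offline in Node without a DOM library. The brand host list and
// every sample below are constructed assumptions.

const BRAND_LOGIN_HOSTS = ["facebook.com", "meta.com"];

// Hostname of a URL string, lower-cased; null when the string is not an absolute URL.
function hostOf(url) {
  try {
    return new URL(url).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// True when host is the domain itself or a subdomain of it (www.facebook.com under facebook.com).
function isUnderDomain(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Interpret visible link text as a URL when it looks like one ("facebook.com/…" or "https://…").
function hostShownInText(text) {
  const h = hostOf(text) ?? hostOf("https://" + text);
  return h && h.includes(".") ? h : null;
}

// Check 1: anchors whose visible text names one host while the href leads to another.
// This is the truncated "evidence" link trick: the text shows a Facebook URL, the href does not.
function findMismatchedLinks(html) {
  const anchorRe = /<a\b[^>]*\bhref\s*=\s*["']([^"']+)["'][^>]*>([\s\S]*?)<\/a>/gi;
  const findings = [];
  for (const m of html.matchAll(anchorRe)) {
    const realHost = hostOf(m[1]);
    const shownHost = hostShownInText(m[2].replace(/<[^>]+>/g, "").trim());
    if (!realHost || !shownHost) continue;
    if (!isUnderDomain(realHost, shownHost) && !isUnderDomain(shownHost, realHost)) {
      findings.push({ shownHost, realHost });
    }
  }
  return findings;
}

// Checks 2 and 3: a password field, and a brand login host rendered as visible text
// (the painted address bar of a Browser-in-the-Browser window), on a page whose real
// host is not the brand's. actualHost must be the browser's own location, not page text.
function analyzePage(html, actualHost) {
  const host = actualHost.toLowerCase();
  const onBrand = BRAND_LOGIN_HOSTS.some((d) => isUnderDomain(host, d));
  const passwordField = /<input\b[^>]*\btype\s*=\s*["']?password\b/i.test(html);
  const visibleText = html.replace(/<[^>]+>/g, " "); // drop tags and their attributes
  const displayedBrandHosts = [];
  if (!onBrand) {
    for (const d of BRAND_LOGIN_HOSTS) {
      const re = new RegExp("\\b(?:[a-z0-9-]+\\.)*" + d.replace(/\./g, "\\.") + "\\b", "gi");
      for (const m of visibleText.matchAll(re)) {
        const found = m[0].toLowerCase();
        if (!displayedBrandHosts.includes(found)) displayedBrandHosts.push(found);
      }
    }
  }
  const mismatchedLinks = findMismatchedLinks(html);
  const suspicious =
    mismatchedLinks.length > 0 || (!onBrand && (passwordField || displayedBrandHosts.length > 0));
  return { actualHost: host, onBrand, passwordField, displayedBrandHosts, mismatchedLinks,
           verdict: suspicious ? "suspicious" : "clean" };
}

// Constructed sample 1: the "evidence" link inside the shared document (stand-in HTML).
const SAMPLE_DOC_HTML =
  '<p>Evidence of the infringing post: ' +
  '<a href="https://captcha-check.example/verify">https://www.facebook.com/ads/library/…</a></p>';

// Constructed sample 2: a BITB-style page with a painted address bar and a real password field.
const SAMPLE_BITB_HTML = `
<div class="fake-window">
  <div class="fake-address-bar">https://www.facebook.com/login.php</div>
  <form action="/collect" method="post">
    <input type="email" name="email">
    <input type="password" name="pass">
    <button>Log In</button>
  </form>
</div>`;

console.log(analyzePage(SAMPLE_DOC_HTML, "www.dropbox.com"));
console.log(analyzePage(SAMPLE_BITB_HTML, "meta-captcha-verify.example"));
```

The design point is the separation of inputs: the page can paint any address bar it likes, but it cannot change the browser's own location, so in an extension context actualHost would be taken from window.location.hostname and compared against what the page displays. A genuine login popup is a separate top-level window whose chrome the page cannot draw, so any "address bar" that appears inside the document is, by construction, page content.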

Why This Works — and How to Stay Safe

These scams succeed because they’re psychologically and operationally realistic. They use authentic-looking communication (like legal complaints or brand notices), reach your company through legitimate channels such as support tickets or emails, and use real file-sharing services or forms to add credibility and bypass detection.

That’s why training and awareness are crucial across all departments, not just IT. Everyone should know to pause and question:

  • Does this login page look and behave exactly like the real one?
  • Why am I suddenly being asked to log in again?
  • Did I really log out earlier?
  • Is the URL 100% correct?

Guardio’s Role: Catching the Attack Before It Catches You

Even with training, humans make mistakes, and that’s where Guardio steps in. Guardio’s protection detects and blocks fake pages like this “Meta CAPTCHA” site instantly, stopping the attack before anyone can enter credentials.

In this case, Guardio immediately recognized and blocked the malicious page upon click:

Block Page of "Meta CAPTCHA"

This is exactly the point where the attack becomes a real scam - and where it must be stopped. So even if your support or legal team didn’t catch the deception in time, Guardio would - protecting your people, your accounts, and your company’s assets.


Bottom Line

Scams are evolving fast, blending psychological manipulation with technical trickery. Staying one step ahead means combining awareness with real-time protection for both your personal and business accounts. Guardio keeps you covered from fake login popups to malicious file links, so your team can focus on running your business, not defending it.

Guardio Security Team
Guardio’s Security Team researches and exposes cyber threats, keeping millions of users safe online. Their findings have been featured by Fox News, The Washington Post, Bleeping Computer, and The Hacker News, making the web safer — one threat at a time.