Summary: Facebook is the third-most visited website on the internet, after Google and YouTube, so attacks that abuse its brand reach a very large audience. Check Point researchers recently discovered a phishing campaign that lures unwitting victims with Facebook-themed copyright infringement emails in order to harvest credentials. The widespread campaign has targeted more than 12,000 email addresses belonging to hundreds of businesses and, according to Check Point, began around December 20, 2025. The adversary leverages Salesforce’s automated mailing service to distribute the phishing emails and, because the sender ID is left unmodified, the messages appear to come from noreply@salesforce[.]com. Both choices make the emails seem more authentic and the campaign more efficient, increasing the likelihood of successful attempts.
The email templates carry counterfeit Facebook logos and falsely accuse recipients of copyright infringement. In a sample email published by Check Point, the adversary cites the unauthorized use of copyrighted music owned by Universal Music Group and threatens to restrict the account unless the recipient interacts with the email to contest the claim. The emails include a link to a fake Facebook support page that prompts users to enter their login credentials, claiming the details are needed for an account review. The landing page itself mimics the legitimate Facebook interface.
Security Officer Comments: The Facebook brand is frequently used in copyright infringement phishing, so businesses that depend on Facebook should remain vigilant toward emails like the ones in this campaign, since a successful attempt can hand cybercriminals full control of admin accounts. A takeover can in turn damage a business’s reputation, eroding client trust and creating potential legal issues that affect the bottom line. Defenses include a detailed incident response plan for compromised accounts, email filtering, and alerting on suspicious logins and account activity. Training employees to recognize phishing attempts remains an integral part of maintaining an effective security posture.
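The mail-filtering heuristic below is an added example, not Check Point’s or Facebook’s code: it scores a message for the three traits described above (Facebook-branded copyright text, a sender outside the brand’s own domains, and a link to an off-brand host). The brand domain list, the sample messages and the `example.invalid` link host are constructed assumptions; only the `noreply@salesforce.com` sender comes from the report.

```python
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Domains the impersonated brand legitimately sends from and links to (assumption).
LEGIT_BRAND_DOMAINS = ("facebook.com", "fb.com", "meta.com")
LURE_WORDS = re.compile(r"copyright\s+infringement|copyrighted", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def _is_brand_domain(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in LEGIT_BRAND_DOMAINS)

def triage(raw: str) -> dict:
    """Flag one RFC 5322 message as suspicious when brand text, a third-party
    sender and an off-brand link all coincide; return the individual traits too."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg["Subject"] or "")
    sender = email.utils.parseaddr(str(msg["From"] or ""))[1].lower()
    sender_host = sender.rpartition("@")[2]
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""
    text = subject + "\n" + body
    link_hosts = [urlparse(u).hostname or "" for u in URL_RE.findall(body)]
    traits = {
        "brand_in_content": "facebook" in text.lower(),
        "copyright_lure": bool(LURE_WORDS.search(text)),
        "third_party_sender": not _is_brand_domain(sender_host),
        "offbrand_links": [h for h in link_hosts if not _is_brand_domain(h)],
    }
    traits["suspicious"] = all((traits["brand_in_content"], traits["copyright_lure"],
                                traits["third_party_sender"], traits["offbrand_links"]))
    return traits

# Constructed sample shaped like the reported lure: unmodified mailer sender,
# Facebook branding, copyright threat, link to a placeholder "support" host.
LURE = """\
From: Facebook Support <noreply@salesforce.com>
Subject: Copyright Infringement Notice - Action Required

Your Facebook page used copyrighted music owned by a rights holder. Contest the
claim within 24 hours to avoid restrictions: https://support-review.example.invalid/appeal
"""

# Constructed benign counterpart: sent from, and linking to, the brand's own domain.
BENIGN = """\
From: Facebook <security@facebook.com>
Subject: New login to your account

Review recent logins at https://www.facebook.com/settings/security
"""
```

The heuristic is a triage signal, not a verdict: legitimate brands do send through third-party mailers, so the three traits are only decisive in combination.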
Suggested Corrections:
- Set up alerts. Add a layer of security to your online presence. Set up notifications in response to suspicious logins and unusual activity.
- Educate employees. Inform Facebook admins that instead of clicking on a link embedded in any type of email that seemingly originates with Facebook, they should navigate to the organization’s Facebook account page and sign in. The status of the account can be verified from there.
- Educate customers. To help customers avoid phishing links distributed after an account has been hijacked, businesses may wish to tell them how, and under what circumstances, they should expect to receive communications from the business.
- Incident response plan. Maintain a clear phishing-response action plan. Note how to recover a compromised account and how to share relevant information with customers, if necessary.
Link(s):
https://hackread.com/scammers-use-fake-facebook-copyright-notices-to-hijack-accounts/
https://blog.checkpoint.com/security/new-facebook-copyright-infringement-phishing-campaign/