Even though Facebook has been around forever, everyone still wants that little blue checkmark next to their name. While Meta (the company that owns Facebook) has an official way to get verified, there’s a new scam going around promising to give you the badge for free.
Security experts are sounding the alarm because it looks like thousands of people have already fallen for it. The trick is that the scam looks incredibly professional and uses platforms you already trust, so it’s easy to get fooled. Researchers say the hackers are specifically hunting for high-value accounts—like those belonging to business owners, influencers, and advertisers—to steal their info and take over their pages.
Researchers over at Guard.io have tracked this specific attack down and are calling it “AccountDumpling.” According to Shaked Chen, one of the lead investigators, the damage is already pretty widespread—more than 30,000 accounts have likely been hacked so far.
Experts believe a group based in Vietnam is behind the whole thing. Their game plan is simple but nasty: they hijack as many social media profiles as they can and then sell them off to the highest bidder on the digital black market.
The cleverest part of this scam is how the hackers are sneaking into your inbox. Instead of sending emails from sketchy, fake-looking addresses that your spam filter would catch, they’re hitching a ride on real services.
Hackers have figured out a way to hijack Google AppSheet, a tool usually meant for business apps and automation. By using its built-in notification system, they can blast out phishing emails that look 100% official. Because the email technically comes from a trusted Google service, it doesn’t set off any red flags, making it way easier to trick people into clicking something they shouldn’t.
The hackers use a mix of fear and greed. Sometimes they’ll send a scary warning saying your account is about to be deleted for breaking the rules or a copyright strike. Other times, they play it “nice” by offering that coveted blue verification badge for free, promising you can skip the monthly Meta subscription fee.
If you take the bait and click the link, they lead you through a series of official-looking hurdles. They will ask you to solve a CAPTCHA or “log in” to confirm your identity. By the time you are done, you have handed them your password and even your two-factor authentication code, giving them total control of your account.
To stay under the radar, these scammers are getting incredibly technical. They have started using “invisible characters” in their email headers and slightly tweaking the text. To a human eye, the words look perfectly normal, but to a security bot scanning for scams, the message looks like gibberish. It’s a clever way to bypass the filters meant to protect your inbox.
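A filter can undo the invisible-character trick by normalizing header text before matching it. The Python sketch below is an added example, not code from Guard.io or from the campaign: the watchlist phrases, the sample message and the function names are all constructed for illustration, and the NFKC folding step goes slightly beyond the invisible characters the article mentions.

```python
import unicodedata
from email import message_from_string
from email.header import decode_header, make_header

# Phrases a mail filter might look for in this lure (constructed watchlist).
WATCHLIST = ("verification badge", "account will be deleted", "copyright")

def decoded(value):
    """Decode RFC 2047 encoded-words so the real header text is inspected."""
    return str(make_header(decode_header(value)))

def hidden_chars(text):
    """List invisible format characters (Unicode category Cf) as code points."""
    return [f"U+{ord(c):04X}" for c in text if unicodedata.category(c) == "Cf"]

def normalize(text):
    """Drop format characters, fold compatibility forms, then casefold."""
    visible = "".join(c for c in text if unicodedata.category(c) != "Cf")
    return unicodedata.normalize("NFKC", visible).casefold()

def inspect_header(value):
    text = decoded(value)
    raw_hits = [p for p in WATCHLIST if p in text.casefold()]
    clean_hits = [p for p in WATCHLIST if p in normalize(text)]
    return {
        "hidden": hidden_chars(text),
        "raw_hits": raw_hits,
        "clean_hits": clean_hits,
        # A phrase that matches only after normalization was hidden on purpose.
        "evasive": bool(set(clean_hits) - set(raw_hits)),
    }

# Constructed sample message, not taken from the campaign.
SAMPLE = (
    "From: Notifications <noreply@example.com>\n"
    "Subject: Free veri\u200bfication ba\u200cdge for your page\n"
    "\n"
    "body\n"
)

def scan(raw_message):
    """Inspect the From and Subject headers of a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    return {h: inspect_header(msg[h]) for h in ("From", "Subject") if msg[h]}

if __name__ == "__main__":
    for header, report in scan(SAMPLE).items():
        print(header, report)
```

A header flagged as evasive is a stronger signal than a plain keyword hit, because legitimate senders have no reason to split ordinary words with zero-width characters.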
Expert advice:
Avoid clicking on unknown or suspicious links, especially those claiming urgent account updates
Always verify messages through official Facebook channels
Do not share login details or personal information on untrusted pages
Stay alert to phishing attempts that mimic legitimate notifications
