A newly identified phishing campaign is exploiting the immense reach of Facebook to target hundreds of companies across the globe with emails sent through Salesforce. According to researchers, the scam, which has affected over 12,000 email addresses, began circulating on December 20, 2024, and has since spread to the EU, US, Australia and beyond, with emails in Chinese and Arabic also reported.
Cybercriminals behind the campaign have found a novel way to gain trust: they send the deceptive emails through Salesforce's automated mailing service, so the messages originate from Salesforce's own infrastructure without any breach of its security and without any need to spoof the sender's details.
Because the sender address remains noreply@salesforce.com, the phishing emails appear legitimate, exploiting users' trust in both Salesforce and Facebook. Since the mail genuinely leaves Salesforce's servers, sender-authentication checks (SPF, DKIM, DMARC) would be expected to pass, so filters that rely on the sender alone offer no protection. The fraudulent messages prominently feature a counterfeit Facebook logo and warn recipients of alleged copyright violations, an alarming tactic intended to prompt quick action from unsuspecting users.

Once the recipient clicks the link, they are taken to a fake Facebook support page designed to harvest credentials. The page's wording implies that the details are needed to have the account 'reviewed' rather than simply disabled, which makes targets more likely to unwittingly surrender their login information.
“Recipients who mistakenly believe one of the phishing emails will be led to a fake Facebook support page. The page prompts individuals to input their details, where they may unwittingly provide their credentials to cybercriminals,” researchers said. “Text on the page suggests that the credential details are critical in having the account ‘reviewed’, rather than disabled.”
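
The lure described above lends itself to a content-based check rather than a sender-based one. The following Python script is an added illustration, not code from the researchers or from Salesforce: it accepts mail from the trusted Salesforce relay and then flags a message that names Facebook, uses the copyright-violation and account-review wording, and links somewhere other than a Facebook domain. The two messages are constructed for the example, the link target is a placeholder in the reserved .example TLD, and the brand, lure-term and domain lists are assumptions, not indicators published by the researchers.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

# Constructed sample messages for this example, not real captures. The From
# address and the copyright lure follow the campaign described in the article;
# the link target is a placeholder in the reserved .example TLD.
LURE_MSG = """\
From: noreply@salesforce.com
To: marketing@victim.example
Subject: Your page has been reported for copyright infringement
Content-Type: text/html; charset=utf-8

<html><body>
<img src="https://facebook-support-center.example/fb-logo.png" alt="Facebook">
<p>Your Facebook page was reported for a copyright violation.
Submit an appeal within 24 hours or the page will be disabled.</p>
<a href="https://facebook-support-center.example/appeal?id=123">Have your account reviewed</a>
</body></html>
"""

BENIGN_MSG = """\
From: noreply@salesforce.com
To: sales@victim.example
Subject: You have been assigned a new lead
Content-Type: text/html; charset=utf-8

<html><body>
<p>A new lead was assigned to you.</p>
<a href="https://victim.my.salesforce.com/lightning/o/Lead/home">Open in Salesforce</a>
</body></html>
"""

# The three lists are assumptions made for this example, not indicators
# published by the researchers.
TRUSTED_RELAY_DOMAINS = {"salesforce.com"}
BRAND_DOMAINS = ("facebook.com", "fb.com", "meta.com")  # where a real Facebook notice links
LURE_TERMS = ("copyright", "infringement", "violation", "reviewed", "disabled")


class LinkAndTextExtractor(HTMLParser):
    """Collects <a href> targets and the visible text of an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs, self.text = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

    def handle_data(self, data):
        self.text.append(data)


def sender_domain(msg):
    """Domain of the From address, lower-cased ('' if unparsable)."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()


def host_of(url):
    match = re.match(r"https?://([^/:?#]+)", url, re.IGNORECASE)
    return match.group(1).lower() if match else ""


def is_brand_domain(host):
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)


def html_body(msg):
    """First text/html part, decoded; '' if the message has none."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True)
            return payload.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def analyse_message(raw):
    """Flag mail from a trusted relay that impersonates Facebook.

    SPF/DKIM results are deliberately not consulted: the mail really is sent
    by Salesforce, so they look the same as for a genuine notification.
    """
    msg = message_from_string(raw)
    result = {"sender_domain": sender_domain(msg), "mentions_brand": False,
              "lure_terms": [], "offsite_links": [], "suspicious": False}
    if result["sender_domain"] not in TRUSTED_RELAY_DOMAINS:
        return result  # this rule only covers abuse of the trusted relay
    extractor = LinkAndTextExtractor()
    extractor.feed(html_body(msg))
    text = (msg.get("Subject", "") + " " + " ".join(extractor.text)).lower()
    result["mentions_brand"] = "facebook" in text
    result["lure_terms"] = [t for t in LURE_TERMS if t in text]
    result["offsite_links"] = [h for h in extractor.hrefs if not is_brand_domain(host_of(h))]
    # Brand name + pressure wording + a link that leaves Facebook: the campaign's signature.
    result["suspicious"] = bool(result["mentions_brand"] and result["lure_terms"]
                                and result["offsite_links"])
    return result
```

Running `analyse_message` over the two constructed messages flags the lure and passes the genuine Salesforce notification. The rule ignores authentication headers on purpose: because the mail really is relayed by Salesforce, SPF and DKIM would be expected to pass just as they do for any legitimate Salesforce notification, which is exactly why a filter keyed on sender reputation alone lets this campaign through. A production rule would also want to match on image-only branding, since the lure carries a counterfeit logo as well as text.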

This could have severe ramifications for companies that rely on Facebook for advertising, customer engagement and sales. An attacker who takes over the account can seize control of the victim's business page and alter or delete its content at will.
The consequences may be more severe for firms in regulated sectors such as finance and healthcare, which risk losing customers and facing penalties from regulators.
Researchers have urged organisations to adopt proactive measures, including setting up alerts, educating employees, informing customers, and developing an incident response plan.