Fake Blue Tick Scam Targets Facebook Users, Thousands Of Accounts Compromised
A new phishing scam targeting Facebook users promises free blue tick verification and has already compromised thousands of accounts.
A growing phishing campaign is exploiting the demand for verified badges on social media, with Facebook users emerging as a key target. Security researchers have warned that thousands of accounts have already been compromised through scams that promise a free blue tick, tapping into the aspiration many users have to gain credibility and visibility online.
The campaign, identified by Guard.io, is believed to have affected more than 30,000 accounts so far. Researchers say the attackers are likely linked to a Vietnam-based group known for hijacking social media profiles and reselling them later, often targeting accounts with business or financial value such as creators, influencers and brand pages.
Scam Mimics Trusted Platforms:
What makes this scam particularly effective is how convincingly it mimics legitimate communication. Instead of using suspicious domains, attackers are exploiting trusted systems like Google AppSheet. By misusing its notification feature, they are able to send phishing emails that appear authentic, increasing the chances of users engaging with them.
The tactics used vary but follow familiar pressure points. Some emails warn users that their accounts may be deactivated due to alleged policy violations or copyright issues. Others take a more tempting route, offering a verified badge for free without requiring a Meta subscription. In both cases, the goal is to push users into clicking malicious links.
Once clicked, users are taken through what looks like a legitimate verification flow. This includes CAPTCHA tests and realistic login pages designed to lower suspicion. During this process, victims may unknowingly share their login credentials and even two-factor authentication codes, effectively handing over full control of their accounts.
Invisible Tricks Raise Risk:
Researchers also point to more advanced evasion techniques. Attackers are inserting invisible characters into email addresses and subtly altering text so that it bypasses automated security filters while still appearing normal to human readers.
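A defender-side check for the invisible-character trick described above, as an added example that is not from Guard.io's research or the original article: it lists invisible Unicode characters in a message's sender, subject and body, and reports watchwords that only match once those characters are stripped. The sample message, the watchword list and the function names are constructed for illustration.

```python
import unicodedata

# Invisible code points outside category Cf (assumption: a short,
# non-exhaustive list of common fillers).
EXTRA_INVISIBLE = {"\u034f", "\u115f", "\u1160", "\u3164", "\uffa0"}


def is_invisible(ch):
    """True for format characters (Cf: zero-width space/joiners, soft hyphen,
    bidi controls, BOM) and the extra fillers listed above."""
    return unicodedata.category(ch) == "Cf" or ch in EXTRA_INVISIBLE


def find_invisible(text):
    """Return (index, 'U+XXXX', Unicode name) for every invisible character."""
    return [(i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNNAMED"))
            for i, ch in enumerate(text) if is_invisible(ch)]


def strip_invisible(text):
    """Text as a reader sees it: invisible characters removed, then NFKC."""
    visible = "".join(c for c in text if not is_invisible(c))
    return unicodedata.normalize("NFKC", visible)


def inspect_message(sender, subject, body, watchwords):
    """Flag fields carrying invisible characters, and watchwords that match
    only after stripping them (text split up to dodge a keyword filter)."""
    report = {"fields": {}, "hidden_keywords": []}
    for name, value in (("sender", sender), ("subject", subject), ("body", body)):
        hits = find_invisible(value)
        if hits:
            report["fields"][name] = hits
        raw, clean = value.casefold(), strip_invisible(value).casefold()
        for word in watchwords:
            if word in clean and word not in raw:
                report["hidden_keywords"].append((name, word))
    report["suspicious"] = bool(report["fields"])
    return report


# Constructed sample message (not taken from the campaign).
SAMPLE = {
    "sender": "supp\u200bort@notify.example",
    "subject": "Free ver\u00adified badge for your page",
    "body": "Your acc\u200dount may be deact\u200civated. Confirm now.",
}
WATCHWORDS = ["verified badge", "deactivated", "support@"]

if __name__ == "__main__":
    print(inspect_message(**SAMPLE, watchwords=WATCHWORDS))
```

Zero-width joiners also occur legitimately in emoji sequences and some scripts, so a hit in the sender address is a much stronger signal than a hit in the body.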
For brands and creators, the stakes are high. A compromised Facebook account can lead to loss of audience trust, financial damage, and misuse of brand identity. For media and marketers, it highlights how platform credibility signals like verification badges can be weaponised. For everyday users, it is a reminder that even familiar-looking messages from trusted systems can be deceptive.
The broader concern is cultural as well. As verification becomes tied to status and influence, it creates new opportunities for manipulation. Users are being urged to remain cautious and avoid clicking on suspicious links, especially those that promise quick or free access to features typically controlled by official platforms.