Phishing Attacks Using Real Company Notifications

Scammers are finding ways to use real notification emails sent by legitimate companies (like Facebook, Google, or Microsoft) to hide their phishing attacks. By registering fake accounts, business pages, or events on these platforms, they can include their scam website links in places like group names or business portfolio names. The real company then sends out official-looking emails—including the scam link—directly to users. Because these emails come from trusted sources, it’s easy to fall for the scam and click on the malicious link, which usually leads to a fake login page designed to steal your username and password.

How this scam works

  1. Scammers create fake profiles, business pages, or events and set their name to a phishing website’s address.
  2. The real company (such as Facebook, Google, Microsoft, etc.) sends out official notifications or invites containing these names and links.
  3. The user receives an authentic-looking email from a known company, with what appears to be a normal group, page, or invite name, but is actually a scam link.
  4. If the user clicks the link, they are sent to a convincing fake login or landing page that requests personal or login information.
  5. Any details entered are stolen by the scammers.
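Because the platform itself sends the email in the steps above, checking the sender does not help; a mail filter has to look at the content and flag any hostname in the subject or body that does not belong to the sender's own domain. The Python code below is an added example, not part of the original page: the sample message, the `.example` domains and the function names are constructed for illustration, and the plain suffix match is an assumption that skips public-suffix handling.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a genuine platform notification whose group name is a hostname.
SAMPLE = """From: Social Platform <notify@social.example>
Subject: You were invited to join secure-login.verify-account.example
Content-Type: text/plain; charset=utf-8

You have been invited to the group "secure-login.verify-account.example".
View the invitation: https://www.social.example/groups/12345
"""

# Matches bare hostnames and full URLs; group 1 is the hostname.
DOMAIN_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)

def sender_domain(msg):
    """Return the lower-cased domain of the From address."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def belongs_to(host, trusted):
    """True if host is the trusted domain or one of its subdomains."""
    return host == trusted or host.endswith("." + trusted)

def body_text(msg):
    """Concatenate every text/plain part of the message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)

def foreign_domains(raw_email, extra_trusted=()):
    """List hostnames in subject/body that are outside the sender's domain."""
    msg = message_from_string(raw_email)
    trusted = {sender_domain(msg), *extra_trusted}
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    found = []
    for m in DOMAIN_RE.finditer(text):
        host = m.group(1).lower()
        if host not in found and not any(belongs_to(host, t) for t in trusted):
            found.append(host)
    return found

if __name__ == "__main__":
    print(foreign_domains(SAMPLE))
```

A hit is a reason to hold the message for review rather than proof of phishing, since legitimate group or page names can also contain a web address.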

✓ Do this

  • Always check carefully before clicking on links in emails, even if a message comes from a trusted company.
  • Hover your mouse over links to see where they really go.
  • When in doubt, visit the company’s website by typing the address into your browser instead of clicking links.
  • Contact the company directly using their official website if you receive a suspicious notification.

✗ Avoid this

  • Never enter passwords on a website you reached by clicking a suspicious or unfamiliar link—even if the email looks official.
  • Do not trust notifications that reference strange group, page, or business names or website addresses.
  • Avoid logging in through links in emails if you’re not expecting an invitation or message.

Quick tip: Verify independently

Don’t call numbers or click links in unexpected messages. Go directly to the company’s official site or app and contact support from there.