Saved February 14, 2026
Do you care about this?
Attackers are sending convincing phishing emails that appear to come from Facebook, targeting small and medium-sized businesses. Using the official @facebookmail.com domain, they trick victims into clicking links to credential harvesting sites. Companies in various sectors, including finance and education, have been particularly affected.
If you do, here's more
If you manage Facebook ads for a small or medium-sized business, be cautious about emails claiming to be from Meta. A phishing campaign has emerged that uses the legitimate @facebookmail.com domain to send fake invites. This tactic makes the emails hard to distinguish from real ones, evading both automated filters and human scrutiny. Researchers at Check Point discovered that around 40,000 phishing emails targeted about 5,000 businesses worldwide, affecting regions like the U.S., Europe, Canada, and Australia.
The attackers created fake business pages and mimicked official branding to make their messages look authentic. They used common email subjects such as "Account Verification Required" and "Meta Agency Partner Invitation" to entice clicks. Each email contained links to credential harvesting pages hosted on domains like vercel.app. The campaign appears to have been a mass send rather than a targeted attack, with one company receiving over 4,200 phishing messages, while others generally got fewer than 300.
To protect against these threats, businesses should enable multi-factor authentication for their Business Suite accounts and verify any invitations through official Meta support channels. Treat unexpected emails from @facebookmail.com with skepticism until you confirm their legitimacy through your account settings or Meta support.
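Because these messages carry a genuine @facebookmail.com sender, a mail filter has to look at where the links go rather than who sent the message. The following triage check is an added example, not code from Check Point or Meta: it flags facebookmail.com mail whose subject matches the lures reported above or whose links leave Meta-owned hosts. The `META_HOSTS` allowlist, the function names and both sample messages are assumptions constructed for illustration.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Assumption: hosts treated as Meta-owned for this check; tune for your environment.
META_HOSTS = ("facebook.com", "meta.com", "fb.com", "fb.me", "instagram.com")
# Subject lines reported in the article.
LURE_SUBJECTS = ("account verification required", "meta agency partner invitation")
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)

# Constructed sample messages (not real campaign mail).
SAMPLE_PHISH = (
    "From: Facebook <noreply@facebookmail.com>\n"
    "Subject: Meta Agency Partner Invitation\n"
    "Content-Type: text/plain\n\n"
    "You have been invited. Accept: https://example-invite.vercel.app/verify\n"
)
SAMPLE_OK = (
    "From: Facebook <noreply@facebookmail.com>\n"
    "Subject: Your weekly page update\n"
    "Content-Type: text/plain\n\n"
    "See details at https://business.facebook.com/settings\n"
)

def _is_under(host, domains):
    """True if host equals, or is a subdomain of, any listed domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(raw_message):
    """Return a list of findings for one RFC 5322 message given as a string."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    addrs = msg["From"].addresses if msg["From"] else ()
    if not addrs or not _is_under(addrs[0].domain, ("facebookmail.com",)):
        return []  # this rule only covers mail with a facebookmail.com sender
    findings = []
    if any(s in (msg["Subject"] or "").lower() for s in LURE_SUBJECTS):
        findings.append("subject matches reported lure")
    body = msg.get_body(preferencelist=("html", "plain"))
    for url in URL_RE.findall(body.get_content() if body else ""):
        host = urlparse(url).hostname or ""
        if not _is_under(host, META_HOSTS):
            findings.append("off-platform link: " + host)
    return findings
```

A non-empty result is a reason to hold the message for review and confirm the invitation inside Business Suite, not proof of phishing on its own.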