Recognizing a phishing message from an illegitimate sender is commendable; recognizing one sent through legitimate company channels is near-impossible for many users. As digital services harden their defenses against traditional email spoofing, scammers have started luring victims through legitimate messaging systems, hijacking those of financial institutions, online shops, social media platforms, and payment processors.

When users receive communication through seemingly secure means – from brands they trust, such as Meta, PayPal, and Poshmark – their risk of falling for a scam rockets up, even as the chance of automated detection plummets.

Key Takeaways:

  • Scammers are weaponizing finance, social media, and e-commerce communication infrastructure: using official notification systems on trusted platforms to disguise phishing attempts via in-app messages and invitations.
  • “Verification needed” and “account restricted” prompts can trick victims into sharing personal and financial information.
  • High-urgency lures aid the scam by directing victims toward spoofed support phone numbers and websites.

 

Hijacking Meta’s Business Suite

Anyone managing marketing across Facebook and Instagram will be familiar with Meta Business Suite. Invitation emails from that service are an official mechanism to grant access to a business portfolio. However, scammers are exploiting the system by setting up Business Suite accounts named Meta Agency Partner Program, then sending phishing messages that look like an official invitation email from the legitimate @facebookmail[.]com domain.

These convincing emails prompt recipients to click a link to a "business portfolio," which leads to an inauthentic website. At least one such site mimics Meta’s branding and prompts visitors to submit basic registration information through an inauthentic partnership form. The majority of those fraudulent websites, such as id48.partner-agency-network[.]com, broadcast terms like “agency,” “partner,” and “support” to increase their perceived legitimacy.

 

Fraud Via PayPal "Penny Payment"

We’ve also tracked a sophisticated tactic involving PayPal that begins with scammers sending a legitimate $0.01 payment to a target, which triggers an official transaction notification from service@paypal.com. By using a real transaction to prompt the email, the scam bypasses traditional email spam detection filters.

In the "Note" field of that email, the scammers claim that a much larger payment – often $499.99 – “has been successfully received,” suggesting that the email recipient’s PayPal account has made an unauthorized transfer. They provide a fake "PayPal Billing Team" phone number to engage the target. We identified several of these fake numbers, featuring 8-- area codes, specifically set up to route victims directly to scammers.

Calls to the provided number are answered by the scammers, who claim the PayPal account was "hacked." They attempt to guide the victim to a spoofed website, to harvest credentials or conduct fraudulent transfers.

A Reddit user posted this screenshot of a phishing email, sent from a legitimate PayPal account but including a fraudulent claim and prompting action to reverse an alleged inauthentic charge.

Poshmark Multichannel Verification Scam

Earlier this year, we observed scammers impersonating Poshmark, the fashion resale platform, typically initiating the scam by sending an in-app message (seemingly from a Poshmark administrator) containing a link to “verify” them before a sale. Because Poshmark sends email notifications about in-app messages, the victim receives a legitimate email alert also containing the fraudulent link.

This link leads potential victims to a typosquatted page, such as poshmarkb[.]com, which mimics Poshmark’s branding and claims the user's account is restricted. Victims have reported that the scammers use these pages to request highly sensitive data, including social security numbers and debit card information. One user reported losing $1,499 after engaging with the scam.

Why Infrastructure Weaponization Matters

Scammers’ increasing use of legitimate infrastructure represents a significant challenge for trust-and-safety and fraud-prevention teams. When the "sender" is the service or platform itself, communications to potential victims appear authentic, and automated email filtering based on problematic domains becomes ineffective. Organizations must recognize how fraudsters can co-opt their own notification workflows to target their user base. The goal is to protect not only those users, but their trust in a brand.
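An added example, not Graphika's own tooling: because the sender domain is genuine in all three cases above, this Python check inspects only the user-controlled text of a platform notification (a PayPal note, a Business Suite invitation, an in-app message) for the lures described. The platform link domains, the Poshmark sender domain, the flag names, and the sample note with its fictional phone number are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Notification sender domain -> (brand token, domains the platform itself links to).
# paypal.com and facebookmail.com senders are from the article; the rest is assumed.
PLATFORMS = {
    "paypal.com": ("paypal", {"paypal.com"}),
    "facebookmail.com": ("meta", {"facebook.com", "meta.com"}),
    "poshmark.com": ("poshmark", {"poshmark.com"}),
}
LURES = re.compile(r"verif|restricted|hacked|unauthori[sz]ed|billing team", re.I)
PHONE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]\d{3}[\s.-]\d{4}")
MONEY = re.compile(r"\$\s?(\d[\d,]*(?:\.\d{2})?)")
URL = re.compile(r"https?://[^\s<>\"']+", re.I)
HOST_WORDS = ("agency", "partner", "support")  # terms the article saw in fake hosts

# Constructed sample modelled on the "penny payment" note; the number is fictional.
SAMPLE_NOTE = ("Payment of $499.99 has been successfully received. "
               "Call PayPal Billing Team at (555) 555-0142.")

def on_platform(host, official):
    return any(host == d or host.endswith("." + d) for d in official)

def flag_user_content(sender_domain, user_text, actual_amount=None):
    """Return heuristic flags for the user-controlled part of a notification."""
    if sender_domain not in PLATFORMS:
        return []  # out of scope: ordinary sender-based filtering applies
    brand, official = PLATFORMS[sender_domain]
    text = user_text.replace("[.]", ".")  # accept defanged indicators
    flags = set()
    if PHONE.search(text):
        flags.add("phone_number_in_user_field")
    if LURES.search(text):
        flags.add("urgency_or_support_lure")
    if actual_amount is not None:
        claimed = [float(m.replace(",", "")) for m in MONEY.findall(text)]
        if any(c > actual_amount for c in claimed):
            flags.add("claimed_amount_exceeds_transaction")
    for url in URL.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host and not on_platform(host, official):
            flags.add("off_platform_link")
            if brand in host or any(w in host for w in HOST_WORDS):
                flags.add("brand_or_support_lookalike_host")
    return sorted(flags)

if __name__ == "__main__":
    print(flag_user_content("paypal.com", SAMPLE_NOTE, actual_amount=0.01))
```

A platform would run a check like this on the sending side, before the notification is generated, since downstream mail filters see only a correctly authenticated message.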

As scammers continue to refine this tactic, the reputational risk to social media platforms, e-commerce sites, financial institutions, and payment processors grows. We’ll continue to monitor this cross-platform trend to identify new variations of infrastructure-based fraud.


To see how Graphika’s platform tracks emerging fraud narratives and identifies spoofed infrastructure in real time, request a demo.