Meta Platforms, Inc. (Facebook/Instagram) Phishing Scam — How to Identify & Stay Safe

INDIA — By BharatSecure Threat Intelligence Team · Updated May 18, 2026

Severity: HIGH | View Full Scam Details

Beware in 2026: Meta Platforms Inc. (Facebook/Instagram) Phishing Scam Sweeping India

In 2026, Indian internet users face a serious phishing scam targeting Facebook and Instagram accounts, risking personal data and financial loss.

What Is the Meta Platforms, Inc. (Facebook/Instagram) Phishing Scam?

This phishing scam targets users of Meta’s popular platforms — Facebook and Instagram — by stealing their login credentials through deceptive messages. Fraudsters impersonate Meta or related support teams, sending fake alerts that urge users to verify or secure their accounts. The ultimate goal is to hijack accounts and exploit personal information or even siphon money through linked services like UPI wallets.

In India, where Facebook and Instagram combined have over 400 million users, this scam has seen a rise since early 2025. Cybercrime units like CERT-In and the Indian government’s I4C (Indian Cyber Crime Coordination Centre) have issued warnings as attackers increasingly use phishing pages designed to look identical to Meta’s login portal. Victims range from everyday social media users to influencers and small businesses who depend on these platforms for marketing.

Both RBI and CERT-In have highlighted phishing as a major cyber threat impacting online payments linked to social media accounts, especially when UPI or credit cards are added for ads and promotions.

How This Scam Works — Step by Step

1. Fake Warning Message: The victim receives a direct message on Instagram or Facebook (sometimes via WhatsApp), claiming their account is compromised, suspended, or needs “urgent verification.” The message often comes from a profile mimicking Meta support, with official-looking logos.

2. Phishing Link Sent: The message includes a link supposedly to Meta’s “security check” page. Clicking this takes the victim to a fake website that looks like the official login page.

3. Credential Harvesting: The victim enters their Facebook or Instagram username and password on the fake site. Instantly, these details are captured by the scammers.

4. Account Takeover: Using the stolen credentials, fraudsters log into the victim’s account. They may change the password and email, locking the real owner out.

5. Further Exploitation: The scammers may then request money from the victim’s contacts, often citing emergency reasons. They might also access linked payment methods like UPI or stored card details in ads accounts, initiating unauthorized transactions.

6. Simultaneous SIM Swap or OTP Phishing: To bypass two-factor authentication (2FA), some attackers perform SIM swaps or send OTP phishing messages, gaining full control.

Real Warning Signs to Watch For

• Messages urging immediate action with threats like “Your account will be deleted if you don’t verify now.”
• Links that do not have "facebook.com" or "instagram.com" in the URL; even small spelling changes matter (e.g., faceb00k.com).
• Requests for login credentials or OTPs via message or email.
• Profiles with few followers or newly created accounts pretending to be Meta support.
• Grammatical errors or inconsistent formatting in messages.
• Unexpected messages asking for money or sensitive info from friends or business contacts.
• Promises of rewards or account upgrades in exchange for logging in again.

What Happens to Victims

Victims often lose access to their social media accounts, which is particularly damaging for small businesses and influencers reliant on these platforms for income. Beyond that, personal photos and messages can be misused for blackmail or identity theft.

Financially, if UPI or payment methods linked with the compromised account are accessed, fraudsters can make unauthorized transactions. Since UPI transactions are typically instant and irreversible, victims may find it difficult to recover lost funds. Aadhaar-linked accounts or SIM swaps can worsen the impact by allowing attackers to intercept OTPs, worsening the control loss.

Victims frequently report emotional distress due to privacy invasion, online harassment, and financial loss, often compounded by slow responses from support services.

What RBI and CERT-In Say

RBI regularly advises caution against phishing that targets login and transaction credentials for online payments. Their guidelines stress never sharing OTPs or passwords, and always confirming authenticity before clicking links.

CERT-In, India’s cybersecurity response agency, has issued alerts on phishing via social media platforms. They encourage users to report phishing attempts to the 1930 cybercrime helpline and to stay updated on official advisories.

The Indian Cyber Crime Coordination Centre (I4C) recommends immediate reporting of such incidents on cybercrime.gov.in, and urges telecom providers to quickly act on SIM swap complaints.

How to Protect Yourself

1. Avoid clicking on unsolicited links on Facebook, Instagram, WhatsApp, or email, especially those claiming urgent action.
2. Always verify the URL carefully before entering login details; use official apps or websites only.
3. Enable two-factor authentication (2FA) on your Meta accounts, using authentication apps rather than SMS OTPs.
4. Do not share OTPs or passwords with anyone, even if they claim to be Meta staff.
5. Regularly review connected apps, payment methods, and ad accounts for suspicious activity.
6. Set up alerts with your bank or UPI app to monitor transactions instantly.
7. Report suspicious messages or profiles directly to Facebook/Instagram and to BharatSecure.app for verification.

What to Do If You've Been Targeted

1. Immediately change your Facebook and Instagram passwords using a secure device.
2. Contact your mobile operator to check for unauthorized SIM swaps and block your number if necessary.
3. Report the incident to the 1930 National Cyber Crime helpline and file a complaint on cybercrime.gov.in.
4. Inform your bank and UPI provider about any unauthorized transactions to initiate dispute and possible reversal.
5. Use Meta’s official account recovery process and document all communications.
6. Alert friends and contacts on your accounts to beware of fraudulent messages from your profile.

Frequently Asked Questions

What should I do if I receive a message claiming my Facebook or Instagram account is suspended?
Do not click any links. Verify the claim by logging into the official app or website directly, and check notifications there. Report the suspicious message to Meta and BharatSecure.app.

Can I recover money lost through UPI fraud linked to a compromised social media account?
Recovering funds can be difficult because UPI transactions are designed to be final. Report the fraud immediately to your bank and the National Payments Corporation of India (NPCI). RBI guidelines offer some assistance, but prevention is key.

Is two-factor authentication (2FA) enough to protect my Meta accounts?
2FA significantly improves security, especially when using authentication apps instead of SMS OTPs. However, always be cautious of phishing attempts that try to trick you into revealing OTPs or passwords.

Stay alert in 2026! If you ever get suspicious messages about your Facebook or Instagram accounts, don’t rush. Verify everything at BharatSecure.app to avoid falling prey to the Meta Platforms phishing scam. Protect yourself and your digital identity today.