Thousands of Facebook accounts stolen by phishing emails sent through Google — How to Identify & Stay Safe

INDIA — By BharatSecure Threat Intelligence Team

Severity: CRITICAL

2026 Alert: Thousands of Facebook Accounts Stolen by Phishing Emails Sent Through Google — A Growing Threat in India

Phishing scams using Google’s trusted AppSheet have resulted in thousands of Facebook accounts being compromised, putting Indian users at critical risk.

What Is the “Thousands of Facebook Accounts Stolen by Phishing Emails Sent Through Google” Scam?

This alarming cybercrime scam targets Indian Facebook users by sending phishing emails that appear to come from legitimate sources through Google’s AppSheet platform. Criminals exploit Google’s trusted brand to trick victims into clicking links that steal their login credentials. Once they gain access, these fraudsters can misuse Facebook profiles to run further scams, damage the victim’s reputation, or commit identity theft.

Targeting active Facebook users in India — including influencers, professionals, and everyday social media users — scammers first collect public information from social media platforms and online forums to personalize their phishing emails. The scam has rapidly spread, with thousands of accounts reported compromised just in the first months of 2026. CERT-In (India’s Computer Emergency Response Team) and the Indian Cybercrime Coordination Centre (I4C) have issued advisories warning internet users to stay vigilant against these sophisticated phishing attempts.

This scam is especially dangerous given the widespread use of Facebook in India for personal, business, and official communication. Compromised Facebook profiles can also lead to misuse of UPI payment links shared on chats or may expose Aadhaar information linked with personal accounts. With the Indian government pushing for enhanced cybersecurity awareness, the incident underscores the urgent need for caution on both social media and email platforms.

How This Scam Works — Step by Step

  1. Target Selection: Scammers use public data from Facebook profiles, LinkedIn, and online forums to identify active Facebook users in India who may be more likely to engage with emails.

  2. Crafting the Email: Using Google AppSheet, cybercriminals send personalized phishing emails that look official and trustworthy. The emails often mimic notifications from Facebook or Google services, such as verification alerts, password reset requests, or security warnings.

  3. Luring the Victim: The email contains a link that appears legitimate but actually redirects victims to a fake Facebook login page controlled by the scammers.

  4. Credential Theft: When victims enter their Facebook username and password on the fake site, scammers immediately capture these details.

  5. Account Takeover: Attackers use stolen credentials to log into the victim’s Facebook account, locking the real user out by changing the password and recovery email or phone number.

  6. Secondary Scam Activities: Using the compromised account, scammers may send phishing messages to the victim’s contacts, spread malware links, or solicit money using fake pleas. In some cases, they attempt SIM swap scams by contacting mobile providers and using Facebook data as proof of identity.

  7. Financial Theft and Identity Fraud: If the Facebook account is linked with UPI payment requests or Aadhaar-verified services, criminals can transfer money directly or commit identity fraud.

Real Warning Signs to Watch For

What Happens to Victims

Victims face both financial losses and emotional distress. Fraudulent use of Facebook accounts can lead to losing trust among friends and business contacts after scammers impersonate the victim. Financially, scammers may trick contacts into sending money via UPI or other payment apps linked to Facebook messages or groups.

Identity theft is another grave concern. Using profile data and Aadhaar-linked services, scammers can attempt SIM swaps, capturing phone numbers and SMS-based OTPs, further risking personal bank accounts, Paytm wallets, and other digital wallets. Victims often spend weeks trying to recover their accounts and may feel helpless due to the loss of control over their social identities.

What RBI and CERT-In Say

The Reserve Bank of India (RBI) has repeatedly warned about phishing scams related to digital payments and social media fraud, urging users to verify transaction details and avoid sharing OTPs or passwords over any platform. CERT-In, through its advisories, stresses the importance of recognizing phishing attacks and reporting suspicious incidents via its official portal.

I4C, under the Ministry of Home Affairs, runs a 24x7 cybercrime helpline for Indian citizens. They recommend verification of unsolicited messages, use of multi-factor authentication, and immediate reporting of fraud to authorities. The national helpline 1930 supports cybercrime complaint registration and guidance.

How to Protect Yourself

  1. Do not click on links or download attachments in emails from unknown or suspicious sources—even if they appear to come through Google services.
  2. Always verify the URL before entering login credentials — check for ‘https’ and official domains (e.g., facebook.com).
  3. Enable Two-Factor Authentication (2FA) on your Facebook account to add an extra layer of security.
  4. Avoid using the same password across multiple online platforms. Use a unique, strong password for Facebook.
  5. Be cautious of urgent emails asking for personal or payment information—confirm legitimacy by visiting official websites directly.
  6. Regularly update your contact and recovery details on Facebook and associated services.
  7. Use your mobile network provider’s security services to protect against SIM swap fraud.
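The URL check from step 2, written out as an added example (not BharatSecure's own tooling): it flags a message that claims to be from Facebook but was sent from another domain and links outside Facebook's domains. The sample message, its sender address and link host are constructed, and the list of official domains is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Domains accepted as official for this example (assumption, adjust as needed).
OFFICIAL = ("facebook.com", "fb.com", "meta.com")

# Constructed sample: plain-text mail; sender address and link host are illustrative.
SAMPLE = """\
From: "Facebook Support" <noreply@appsheet.com>
To: user@example.in
Subject: Action required: verify your Facebook account
Content-Type: text/plain; charset=utf-8

Your page will be disabled. Verify now:
https://facebook.com.account-verify.example/login
Help centre: https://www.facebook.com/help
"""

def on_official_domain(host):
    """Exact match or true subdomain; 'notfacebook.com' does not qualify."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL)

def is_official(url):
    """True only for https URLs, without userinfo, hosted on an official domain."""
    parts = urlsplit(url)
    if parts.scheme != "https" or "@" in parts.netloc:
        return False
    return on_official_domain(parts.hostname or "")

def assess(raw):
    """Compare the brand a message claims with its sender domain and link targets."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1]
    claimed = name + " " + msg.get("Subject", "")
    claims_brand = bool(re.search(r"\b(facebook|meta)\b", claimed, re.I))
    urls = re.findall(r"https?://[^\s<>\"']+", msg.get_payload())
    bad = [u for u in urls if not is_official(u)]
    reasons = []
    if claims_brand and not on_official_domain(sender_domain):
        reasons.append("brand claimed but sent from " + sender_domain.lower())
    if claims_brand and bad:
        reasons.append("links leave official domains")
    return {"suspicious": bool(reasons), "reasons": reasons, "bad_links": bad}
```

Passing SPF or DKIM for the sending service says nothing about where the links go, which is why the check compares the claimed brand with the link hosts.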

What to Do If You’ve Been Targeted

Frequently Asked Questions

Q: Can my Facebook account be recovered once stolen by phishing?
A: Yes, recovery is possible by following Facebook’s account recovery process, which may require submitting identification documents. Prompt action increases chances of regaining control.

Q: How is Google’s AppSheet involved in this phishing scam?
A: Scammers use Google AppSheet to send legitimate-looking emails that mask malicious links. Since AppSheet is trusted, victims are more likely to open and click these emails.

Q: Does enabling two-factor authentication completely prevent such scams?
A: While 2FA greatly improves security, it is not foolproof if attackers employ advanced SIM swap or social engineering attacks. Combined vigilance and caution remain essential.


If you receive suspicious messages claiming to be from Google or Facebook, do not ignore the signs. Always verify before clicking links or sharing personal details. For help in identifying scams and protecting your digital identity, visit BharatSecure.app – your trusted partner in Indian cybersecurity awareness.
