A Vietnamese-linked phishing crew has hijacked roughly 30,000 Facebook Business accounts by abusing Google AppSheet as a phishing relay, as reported by The Hacker News on 1 May. The emails arrive from noreply@appsheet.com — a real Google domain — claiming to be Meta Support and warning that the recipient’s Facebook page will be deleted unless they appeal. The fake appeal pages, hosted on Netlify and Vercel, harvest passwords, MFA codes, and even photos of government ID. Researchers at Guardio dubbed the operation AccountDumpling.

Australian hospitality operators are squarely in the blast radius. Pubs, hotels, cafes, and venue groups run their bookings, customer comms, and ad spend through Facebook Business and Instagram, and the page is often managed by a marketing assistant or a duty manager — not the owner. That’s exactly the audience this campaign is built for. Losing the page means losing every booking enquiry, every loyalty post, and every ad pixel built up over years. Worse, attackers often run scam ads from the hijacked account before the rightful owner notices, which can trigger Meta sanctions on the business itself.

Three things to do this week. First, brief anyone with admin access to your Facebook or Instagram pages: Meta does not send urgent appeal emails from appsheet.com domains, and it will never ask for ID photos through a third-party form. Second, turn on MFA via an authenticator app (not SMS) for every page admin and remove dormant admin accounts. Third, if you can, move page admin into Meta Business Manager and use named user accounts rather than a shared login. If something does slip through, change the password and revoke active sessions inside Meta Business Manager immediately.

If staff training on this kind of social engineering is overdue at your venue, our team cyber safety training covers exactly these scenarios — including the AppSheet and Vercel-style fake login pages — for hospitality teams across Sydney, Melbourne, Brisbane, and Central West NSW.