How to Defend Against Google AppSheet Phishing Attacks Targeting Facebook Accounts

<h2>Introduction</h2><p>In a recent cyber campaign, threat actors leveraged Google AppSheet—a legitimate no-code app builder—as a <strong>phishing relay</strong> to steal over 30,000 Facebook accounts. Dubbed <em>AccountDumpling</em> by security firm Guardio, this Vietnamese-linked operation tricked users into handing over their credentials, which were then resold on an illicit storefront. Understanding how such attacks work—and how to avoid them—is essential for anyone with a Facebook account. This guide provides clear, actionable steps to recognize and thwart similar phishing attempts.</p><figure style="margin:20px 0"><img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilUS_xmTpvaJtwhFTnxsBtKSx2hWroMJKWUCKeB_CNx_9-5T85bdpqGfTZ0__XITi-i6ZnndaiiiFggf3Cgf-35KK-G6sEwvnlqom2DK6U-oH_o9GhEGNyd9kiSti-QC_dpl3v7b7IniC9kAUzV265yVbVsWAnLnH1RfQxrftUHj5MFAm03MOBw3Z6UEVb/s1600/phish.jpg" alt="How to Defend Against Google AppSheet Phishing Attacks Targeting Facebook Accounts" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: feeds.feedburner.com</figcaption></figure><h2>What You Need</h2><ul><li>A Facebook account (active or dormant)</li><li>Basic familiarity with email and web browsers</li><li>A device with internet access</li><li>Willingness to review account security settings</li><li>Access to multi-factor authentication (MFA) tools</li></ul><h2>Step-by-Step Guide to Protect Yourself</h2><h3>Step 1: Understand the Attack Pattern</h3><p>The attack uses <strong>Google AppSheet</strong> to host phishing pages that mimic Facebook login screens. Victims receive an email that appears to be from a trusted source (e.g., Facebook security, a friend, or a service notification) but actually contains a link to the AppSheet-hosted page. 
Once you enter your credentials, they are captured and sold.</p><p>Key red flags:</p><ul><li>The email domain looks unusual (e.g., <code>appsheets.googleusercontent.com</code>)</li><li>The message creates urgency: “Your account will be suspended” or “Security alert detected”</li><li>The link preview shows a long, generic URL ending in <code>appsheet</code> or similar</li></ul><h3>Step 2: Inspect the Sender and Subject Line</h3><p>Before clicking anything, check the sender’s full email address. Attackers often spoof a display name while using a non-official domain. In the AccountDumpling campaign, messages came from addresses that included <code>@appsheet.com</code> or <code>@google.com</code> but with slight misspellings.</p><p><strong>Do this:</strong></p><ul><li>Hover over the sender name to reveal the true email address</li><li>Look for generic salutations like “Dear User” instead of your name</li><li>Check for poor grammar or odd phrasing (e.g., “We have notice unusual activity”)</li></ul><h3>Step 3: Verify the Link Destination</h3><p>Never click a link directly. Instead, hover your mouse over it (or long-press on mobile) to see the full URL. Legitimate Facebook links start with <code>https://www.facebook.com/</code> or <code>https://facebook.com/</code>. Phishing URLs in this attack often contain:</p><ul><li><code>appsheet</code> in the hostname</li><li>Additional subdomains like <code>secure.facebook.appsheet.com</code>, where <code>facebook</code> is only a label placed in front of the real domain, <code>appsheet.com</code></li><li>Random alphanumeric strings</li></ul><p>If the URL seems off, <strong>do not click</strong>. Instead, type <code>facebook.com</code> directly into your browser.</p><h3>Step 4: Enable Multi-Factor Authentication (MFA)</h3><p>MFA adds a second layer of security. 
Even if someone steals your password, they cannot log in without the second factor (e.g., a code from an authenticator app or SMS).</p><ol><li>Go to <strong>Settings & Privacy</strong> &gt; <strong>Security and Login</strong> on Facebook</li><li>Under “Two-Factor Authentication,” click <strong>Edit</strong> and select your preferred method</li><li>Follow the prompts to link an authenticator app (like Google Authenticator or Authy) or register a phone number</li></ol><p><strong>Important:</strong> Do not use SMS as your only method if possible—SIM swapping attacks are common. An authenticator app is far more secure.</p><h3>Step 5: Review and Revoke Unauthorized App Access</h3><p>Attackers sometimes use the stolen credentials to grant access to malicious third-party apps. Check what apps are connected to your Facebook account:</p><ol><li>Go to <strong>Settings & Privacy</strong> &gt; <strong>Settings</strong> &gt; <strong>Apps and Websites</strong></li><li>Review the list. Remove any app you don’t recognize, especially ones with suspicious names or no icon</li><li>Click <strong>Remove</strong> and confirm</li></ol><p>Also check <strong>Business Integrations</strong> for any unknown connections.</p><figure style="margin:20px 0"><img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyqUz0-ifa8jE9rCzud3wzxmhcuzTp1VOWFEvGMoZXDYfaB_4459fPyvyQw7wvAnzjzDL09PkyJM83QGheO69fC3esg1WA7WnJ89i_t_q3K8DxYmgV__QujU8RWRnCK4MpbKqu8nwuMFfLaiRVHy_ov7IZ16hoKI3rIu-5BcISmqXPjlQU7N0sa4lWI-n-/s728-e100/wiz-d.png" alt="How to Defend Against Google AppSheet Phishing Attacks Targeting Facebook Accounts" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: feeds.feedburner.com</figcaption></figure><h3>Step 6: Change Your Password Immediately if You Suspect a Breach</h3><p>If you’ve clicked a phishing link or entered your credentials on a suspicious page, act fast:</p><ol><li>Log into Facebook via a 
trusted device or browser</li><li>Go to <strong>Settings &gt; Security and Login &gt; Change password</strong></li><li>Create a strong, unique password (at least 12 characters, mix of uppercase, lowercase, numbers, and symbols)</li><li>If you use the same password elsewhere, change it there too—but avoid reusing passwords</li></ol><p>After changing, also log out of all active sessions from the Security page to force attackers out.</p><h3>Step 7: Report the Phishing Attempt</h3><p>Help others avoid the same trap. Report the email and the phishing page:</p><ul><li>Forward the email to Facebook at <strong>phishing@facebook.com</strong> or use the built-in report function</li><li>If you clicked the link, submit the URL to Google Safe Browsing: <a href='https://safebrowsing.google.com/safebrowsing/report_phish/'>https://safebrowsing.google.com/safebrowsing/report_phish/</a></li><li>Alert your IT department if you received the email at a work address</li></ul><h3>Step 8: Monitor Your Account for Unusual Activity</h3><p>Even after taking steps, keep an eye out for signs of compromise:</p><ul><li>Unrecognized posts, messages, or friend requests</li><li>Profile picture or name changes</li><li>Login alerts from unknown devices (you can view them in <strong>Security and Login</strong> under “Where you’re logged in”)</li></ul><p>If you see anything suspicious, repeat the password change and MFA setup immediately.</p><h2>Tips for Staying Safe</h2><p><strong>1. Always verify before clicking.</strong> Legitimate companies will never ask for your password via email. When in doubt, contact the company directly using official channels.</p><p><strong>2. Use a password manager.</strong> It generates and stores strong, unique passwords for each site, reducing the impact of a single stolen credential.</p><p><strong>3. Keep software updated.</strong> Browser and operating system updates often include security patches against phishing and malware.</p><p><strong>4. 
Educate family and colleagues.</strong> The AccountDumpling campaign targeted many users. Sharing this guide can prevent a widespread compromise.</p><p><strong>5. Enable login alerts.</strong> Facebook can notify you via email or app notification each time someone logs in from a new device. Find this under <strong>Security and Login &gt; Get alerts about unrecognized logins</strong>.</p><p>By following these steps, you can significantly reduce your risk of falling victim to sophisticated phishing attacks like those using Google AppSheet. Stay vigilant, stay safe, and always think before you click.</p>
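<p>The sender and link checks from Steps 2 and 3, written out as an added Python example (not code from the article or from Guardio). It judges a link by its registrable domain, so <code>secure.facebook.appsheet.com</code> is recognised as an <code>appsheet.com</code> host rather than a Facebook one, and it compares the sender's address domain (not the display name) against the domains named in Step 2, flagging one- or two-character misspellings and display-name spoofing. It assumes plain two-label domains (no public-suffix handling such as <code>co.uk</code>), and every address and URL in it is constructed for illustration.</p>

```python
"""Defensive classifier for the sender and link red flags in Steps 2 and 3.
Added example, not code from the article or from Guardio. Sample values are
constructed. Assumes two-label domains (no co.uk-style public suffixes)."""
from email.utils import parseaddr
from urllib.parse import urlsplit

KNOWN_DOMAINS = ("facebook.com", "google.com", "appsheet.com")  # named in Step 2


def registrable_domain(host: str) -> str:
    """Last two labels: secure.facebook.appsheet.com -> appsheet.com."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url: str) -> str:
    """Judge a URL by its real domain, never by whether 'facebook' appears in it."""
    parts = urlsplit(url.strip())
    host = parts.hostname or ""  # drops any user@ prefix and :port
    if parts.scheme != "https" or not host:
        return "suspicious: not an https link"
    if registrable_domain(host) == "facebook.com":
        return "legitimate"
    if "facebook" in host or "appsheet" in host:
        return "phishing: lookalike host " + host
    return "unknown: " + host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> str:
    """Check the address domain, not the display name, against known senders."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain in KNOWN_DOMAINS:
        return "known domain: " + domain
    for known in KNOWN_DOMAINS:
        if 0 < edit_distance(domain, known) <= 2:
            return f"lookalike of {known}: {domain}"
    if "facebook" in name.lower():
        return f"display name spoof: claims Facebook, sent from {domain}"
    return "unrelated domain: " + domain
```

<p>The <code>user@host</code> case matters because a link such as <code>https://www.facebook.com@login.appsheet.com/</code> displays a Facebook-looking prefix while the browser actually connects to the host after the <code>@</code>; <code>hostname</code> strips that prefix before the check.</p>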