A sprawling and elaborate investment fraud campaign exploiting paid ads on Meta's Facebook tried to entrap users with a fake bank scandal featuring the Commonwealth Bank, security vendor Bitdefender said.

Fabricated news stories across 25 countries ran as paid ads between February 9 and March 5 this year on Facebook, in at least 15 languages.

Bitdefender analysed 310 such malvertising campaigns, sighting over 26,000 ads, which sought to lure Facebook users towards investment deposit fraud funnels.

The Australian campaigns impersonate CBA and several journalists in a fabricated televised grilling.

Bitdefender's researchers said Australia was targeted with around 12 campaigns that the security vendor documented during the analysis period.

CBA was one of several well-known large global banks impersonated in the campaign.

The criminals used advanced moderation evasion techniques such as previews pointing to legitimate, allowlisted domains for real news brands such as BBC as well as Google.

Fake media domain farms were also used, Bitdefender said, along with Cyrillic homoglyph substitution of letters to bypass filtering.
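As an added illustration of how a filter can catch the homoglyph substitution described above (this is not Bitdefender's or Meta's code; the confusables table, watchlist and sample ad text are constructed assumptions), the sketch below flags tokens that mix Latin and Cyrillic letters and tokens whose look-alike "skeleton" matches a watched keyword:

```python
import unicodedata

# Constructed, non-exhaustive map of Cyrillic letters that render like Latin ones.
CONFUSABLES = str.maketrans(
    "\u0430\u0435\u043e\u0440\u0441\u0445\u0443\u0456\u0458\u0455"      # lower case
    "\u0410\u0412\u0415\u041a\u041c\u041d\u041e\u0420\u0421\u0422\u0425",  # upper case
    "aeopcxyijs" "ABEKMHOPCTX",
)

WATCHLIST = ["bank", "invest"]  # hypothetical keywords a moderation rule matches on
# Constructed ad text: Cyrillic U+0430 and U+0435 stand in for Latin "a" and "e".
SAMPLE = "Commonwealth B\u0430nk sc\u0430nd\u0430l: inv\u0435st now"


def script_of(ch):
    """Return 'LATIN' or 'CYRILLIC' for letters of those scripts, else None."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC"):
        if name.startswith(script):
            return script
    return None


def skeleton(text):
    """Fold Cyrillic look-alikes to Latin, then lower-case for matching."""
    return text.translate(CONFUSABLES).lower()


def scan(text, watchlist):
    """Return (token, mixed_script, hidden_keywords) for each suspicious token."""
    findings = []
    for token in text.split():
        scripts = {script_of(c) for c in token}
        mixed = {"LATIN", "CYRILLIC"} <= scripts
        # A keyword is "hidden" if it only appears after folding look-alikes,
        # which also catches tokens spelled entirely in Cyrillic.
        skel = skeleton(token)
        hidden = [w for w in watchlist if w in skel and w not in token.lower()]
        if mixed or hidden:
            findings.append((token, mixed, hidden))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE, WATCHLIST):
        print(finding)
```

Genuine Cyrillic-language text is not flagged by either check unless it folds to a watched keyword, so the watchlist should be kept to brand and lure terms.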

Once users had been lured by the authentic-looking ads with fake bank scandals, celebrity wills, national investment platforms and other topics with emotional hooks, they were redirected to scam destinations.

There, users were asked to register their name, phone, email address and other details, which is when the classic investment scam boiler room strategy kicked off.

Bitdefender said a bogus broker might call, to encourage victims to deposit a minimum amount of money for investment.

Fake dashboards showing made-up early "profits" were used by the criminals, who pressured victims into increasing the deposits which then became difficult or impossible to withdraw once made.

The security vendor suspects a Russian-speaking cyber criminal affiliate network is behind the campaign, with the operators also featuring Ukrainian nationals, based on the Cyrillic text used.

Bitdefender suggested users shouldn't trust news "ads" running on social media, and instead go to the actual media site in question.

In particular, the security vendor warned users never to deposit money if a "news article" asks for it.

Screenshot of the Facebook investment scam ad featuring a fake interview with CBA's Matt Comyn. Source: Bitdefender

Meta launches anti-scam tools

Separately, Facebook's parent company Meta said it had introduced new tools to protect people from scams.

They include Facebook alerts for suspicious friend requests, WhatsApp device linking warnings, and advanced scam detection for its Messenger communications app.

Meta also said it had partnered with the Australian Federal Police, the New Zealand Police, the Federal Bureau of Investigation and other law enforcement agencies, in a Royal Thai Police Anti Cyber Scam Centre operation named Joint Disruption Week.

This operation saw 21 people arrested by the Thai Police, and more than 150,000 accounts linked to scam centre networks being disabled.

Meta claims that last year it removed over 159 million scam ads, the vast majority, or 92 percent, before anyone reported them.

Some 10.9 million Facebook and Instagram accounts associated with criminal scam centres were also taken down last year, Meta said.

In November last year, Reuters sighted documents that suggested Meta would earn around 10 percent of its overall annual revenue in 2024 from running advertising scams, bringing in just under $25 billion.