May 13–17, 2024, Singapore | Ming Yin, Yichang Xu, Minghong Fang, Neil Zhenqiang Gong
This paper introduces a novel poisoning attack named PoisonFRS, which aims to manipulate federated recommender systems (FedRecs) by using fake users. The attack does not require any additional information beyond the item embeddings obtained from the server, making it more practical and effective compared to existing attacks that often rely on local training data or item popularity. The PoisonFRS attack involves selecting a few popular items, constructing a target model based on these items, and sending crafted model updates to the server to promote the attacker-chosen targeted item to a large fraction of genuine users. Extensive experiments on four real-world datasets demonstrate that PoisonFRS outperforms existing attacks, even under various aggregation rules and defense mechanisms. The results also show that the model updates from both genuine and fake users are indistinguishable in the latent space, making the attack difficult to detect. The key contributions of the paper include the introduction of PoisonFRS, its systematic evaluation, and the demonstration of its effectiveness in promoting the targeted item with a small proportion of fake users.