Shawn Freeman
CEO

Picture this: an email lands in your marketing inbox with the subject line "You've received a Business Manager partner request." The branding is perfect. The sender is a real Meta address. It even passes your email security checks, because it genuinely came from Meta's own servers. One click on Approve, and a stranger now has access to your Facebook Page, your ad account, and the payment card attached to it.
This is not a hypothetical. Through late 2025 and into 2026, security researchers have tracked multiple phishing campaigns that abuse legitimate Meta Business Manager features to target businesses, including Canadian ones. Because the emails come from Meta's real infrastructure, they sail past the filters that catch ordinary phishing.
If your business runs Facebook or Instagram ads, this post is for you. We'll walk through how the scam works, why it beats traditional email security, what it costs when it lands, and the practical steps that keep your ad account (and your money) where it belongs.
A Facebook ad account is a strange kind of asset. It's not money, but it spends money. It holds a live payment method, an approved advertising history, and an audience your business spent years building. To an attacker, that combination is more useful than a stolen credit card.
Once inside a compromised Business Manager, criminals typically do one or more of the following:
💡 Think of your Business Manager like the master key cabinet for your storefront. It doesn't hold cash itself, but everything it opens does.
Most phishing relies on a fake sender address or a lookalike domain. The current wave is different, and that's what makes it dangerous. Attackers create their own Meta business accounts, then abuse Meta's real partner-request and notification features to deliver the lure.
In a campaign documented by Huntress in July 2026, attackers used a legitimate Meta service that connects businesses with third-party social media managers. The resulting emails came from a genuine Meta address, so they passed the standard authentication checks (SPF, DKIM, and DMARC) that email security relies on. A related campaign analyzed by LevelBlue's SpiderLabs team in April 2026 sent over 40,000 of these emails to more than 5,000 organizations across the US, Europe, Canada, and Australia.
The trick sits in the account name. Instead of a normal business name, attackers name their fake Business Manager something like "Account Restriction" or "Ad Violations," or they embed a link in the name itself. Meta's notification system then dutifully inserts that scare text or link into an otherwise authentic email.
Click through, and you land on a counterfeit Meta login or help page (often hosted on free platforms to dodge blocklists). The page harvests your email, password, and in the newer variants your two-factor authentication code in real time. Some versions even route you to a chatbot posing as Meta support on Messenger to keep the deception going while your credentials are exfiltrated.
⚠️ A phishing page that asks for your 2FA code isn't blocked by having 2FA enabled. If you type the code into the fake page, the attacker uses it immediately to complete a real login.
An email warns that your ads have been suspended or your Page is about to be disabled for a policy violation, sometimes citing advertising rules or privacy regulations for authenticity. It pressures you to "appeal" through a link before a deadline. Real Meta policy notices exist, but they don't usually come with countdown-timer urgency, and they never require you to log in through an emailed link.
An invitation to join an exclusive Meta agency or partner program, or a Business Manager partner request from something named like "Certified Partner Program" or "Compliance Network." There is no legitimate Meta program that recruits businesses through unsolicited partner requests. If you didn't initiate it, treat it as hostile.
Newer variants push you into a Facebook Messenger conversation with a "support agent" (often a bot with a Meta logo). The agent asks for screenshots of your business account, walks you through a "system check" that captures your password, or offers a "2FA setup guide" that hands control of your authentication to the attacker.
Here's the part that surprises most business owners. Some of these attacks don't steal credentials at all. A genuine Business Manager partner request, sent by an attacker's account, simply asks you to click Approve. Do that, and you've granted their Business Manager persistent access to whatever assets you authorize: Pages, ad accounts, pixels, and audiences.
No password stolen. No 2FA bypassed. Nothing for your email filter or antivirus to catch. The entire compromise happens inside Meta's own permissions system, using a feature working exactly as designed. That also makes it harder to detect after the fact, because there's no malware and no suspicious login, just a partner you never should have approved.
🚨 Never approve a Business Manager partner request you did not explicitly initiate or expect. One click can expose every Page and ad account you manage.
This risk multiplies for anyone managing multiple accounts. A marketing coordinator or agency employee with access to a dozen client Business Managers can expose all of them with a single approval.
Because the sender address alone can't be trusted anymore, you need to judge these emails on behaviour, not branding. Here's how the real thing compares to the scam:
✅ The single most reliable habit: never act on an email link. Open a browser, type business.facebook.com yourself, and check for the alert or request there. If it doesn't exist inside the platform, the email was the attack.
Good news: the defences here are mostly process, not products. A few habits close off nearly all of these attacks.
📋 Make it a standing team rule: all Meta account issues get verified by logging in directly, and all partner requests get confirmed by phone with the requesting party before anyone clicks Approve.
Speed matters more than embarrassment. If you or someone on your team entered credentials or approved a suspicious request, work through this sequence right away:
If customer data may have been exposed (for example, exported audience lists containing personal information), talk to your IT provider about your obligations under PIPEDA, Canada's federal privacy law, which can require notifying affected individuals after a breach.
Attackers abuse legitimate Meta features, like partner requests and business notifications, that send email on Meta's behalf. The message is generated by Meta's own systems, so it passes authentication checks. The malicious part is the content the attacker controls, such as the account name or an embedded link. Meta has added guardrails against specific campaigns as researchers report them, but the underlying tactic keeps evolving.
Safer, but not immune. Modern phishing pages capture your 2FA code the moment you type it and use it in real time to log in. And the partner-request version of the attack needs no credentials at all. 2FA is still essential; it just isn't a substitute for verifying requests inside the platform.
Meta's genuine notifications come from a small set of domains such as facebookmail.com and business.facebook.com. The catch is that this campaign uses those real domains too. Sender checks still filter out lazier scams, but for anything involving your Business Manager, verify inside the platform rather than trusting the sender line.
It raises the stakes. Agencies receive legitimate partner requests all the time, which is exactly the reflex these scams exploit, and one compromised agency login can expose every client they manage. Ask your agency how they verify partner requests and who on their team holds admin access to your assets.
No. The same Business Manager typically controls Instagram advertising, and similar account-takeover phishing targets Google Ads, LinkedIn, and TikTok business accounts. The habits in this post (verify in-platform, least-privilege access, guarded approvals) protect all of them.
Not sure who has the keys to your ad accounts? Always Beyond can train your team to spot these lures before anyone clicks Approve. And if you don't already have a partner managing your Meta presence, our partners at Catch Digital can help you keep it in good hands. Reach out to start the conversation.
See exactly how your current IT setup measures up to our Hack Free standards. Enter your business email to receive: