SOCIAL MEDIA SECURITY

Facebook Meta Business Manager Phishing Scam (2026)

The scariest version of this attack sends you a real, cryptographically signed email from Meta. It passes every spam filter because it genuinely came from facebookmail.com. The phishing lives inside the request itself, not in a fake sender.

SafeBrowz Team Security Research | June 7, 2026 | 10 min read

The Brief

An email can be genuinely from Meta and still be an attack. Scammers send your business a Business Manager partner request from a dummy business whose Page name is written as phishing text ("Your page will be disabled, verify at this link or call this number"). Meta's automated system then emails that text to you from its real address, facebookmail.com, so it passes SPF, DKIM, and DMARC. Checking the sender domain does not help here. Never act on an unexpected partner request. Verify only by typing business.facebook.com yourself and reviewing Business Settings. Reject unknown requests and remove any partner or admin you do not recognize.

Why this is spreading now

In April 2026, security researchers tracked a coordinated campaign that pushed roughly 40,000 messages to more than 5,000 organizations across the United States, Europe, Canada, and Australia. The operators were not spoofing Meta. They were making Meta send the emails for them. Check Point has separately documented a Meta Business Suite campaign aimed squarely at small and mid-sized businesses, and Prophet Security, alphaMountain, and CyberHUB-AM have all written up the specific partner-request abuse described below.

This is the same class of attack as the Dropbox shared-file phishing and DocuSign envelope lures. In each case the attacker rides legitimate infrastructure. The notification is real. The platform is real. The malicious payload is the content the platform was tricked into delivering. That is what makes it so effective: every instinct you have been taught about "check the sender" works against you.

How the partner-request trick actually works

Meta Business Manager lets one business invite another to manage its assets, the way an ad agency partners with a brand. That invitation is the weapon. Step by step:

  1. The attacker creates a throwaway business and Page. Instead of a normal name, they set the Page name to a long block of phishing text, something like "Meta Security: your page has violated our Community Standards and will be disabled in 24 hours. Verify now at the link below or call 1-888-XXX-XXXX to appeal."
  2. They send your business a partner request. Inside Business Manager they request to "partner with" your business, or ask for a role on your Page or ad account.
  3. Meta sends you the email. Meta's automated system generates a genuine notification: "[Attacker Page name] wants to partner with your business." Because the attacker's Page name is the phishing message, the body of a real Meta email now contains the threat and the link.
  4. The email passes every filter. It is sent from facebookmail.com, Meta's real notification domain, so SPF, DKIM, and DMARC all pass. Your mail client may show a green authentication check. Spam filters wave it through because it is, by every technical measure, legitimate Meta mail.
  5. You react. You either click the link in the page name and land on a fake appeal page that harvests your login, or you accept the partner request thinking it is a real Meta process, which hands the attacker a foothold in your business directly.

Read that last point twice. There are two separate ways in. One is a classic credential page. The other needs no fake site at all, because accepting the request itself grants access.

Why "check the sender domain" fails here

The standard advice for email phishing is to expand the display name and read the address after the @. On almost every other scam that works. Here it does not, because the sender is correct. facebookmail.com is the genuine Meta notification domain. Real Business Manager invites, comment notifications, and security alerts all arrive from it. So when this email lands from facebookmail.com, your verification step confirms exactly what the attacker wants confirmed: yes, this is really from Meta.

The deception has moved one layer up. The email is authentic; the request it carries is hostile. Authentication tells you who sent the message, never whether the message is safe. A signed, DMARC-passing email from a real platform can still deliver an attacker's words verbatim if the platform lets users name things freely. That is the entire trick. For the deeper version of this idea, see our guide on how to tell if an email is really from a brand.


The related lures targeting business owners

The partner-request trick is the headline, but the same operators run a family of Meta Business lures. They all push the same panic button: your livelihood is about to be cut off. The links in these emails go to lookalike domains, not to Meta:

  • Page policy violation. "Your Page violated our Community Standards." A button to "appeal" leads to a fake login at facebook-business-support.com.
  • Copyright or trademark complaint. "Someone reported your content for copyright infringement." The "respond within 24 hours" link points to facebook-appeal-center.com.
  • Account suspended or restricted. "Your account will be permanently disabled." The "confirm your identity" page sits at facebook-policy-verify.com.
  • Meta Business Suite security alert. Aimed at small businesses that live inside Business Suite all day. A fake "unusual login" warning nudges you to re-enter your password on a cloned screen.

The three example domains above are illustrative lookalikes. They are styled red so you can test them in the checker. Compare them with the real Meta surfaces, which are styled green and never need you to "verify" through an emailed link: facebook.com, business.facebook.com, and meta.com. The notification sender, again, is the real facebookmail.com, which is exactly why this whole attack works.

What happens once they are in

This is not a low-stakes account. A business that accepts a malicious partner, or hands over a login on a fake appeal page, can lose far more than a Facebook profile. Once an attacker has access they can:

  • Run ads on your ad account against your credit line. Your card or business credit funds their campaigns. Researchers have seen these budgets burned on crypto scams, sketchy dropshipping, and disinformation, often for thousands of dollars before you notice.
  • Post on your Page. Your followers see scam offers and malicious links coming from a name they trust, which spreads the attack and damages your reputation at the same time.
  • Exfiltrate your custom and lookalike audiences. The marketing assets you spent years building can be copied out and reused or sold.
  • Escalate to admin and lock you out. A partner with the right role can add themselves as a Business admin, remove you, and take the Page over completely.
  • Get your personal account permanently disabled. Their policy-violating ads and posts can trigger Meta enforcement against the very account that owns the assets, which can mean a permanent ban even though you were the victim.

That last outcome is the cruelest part. The fraud runs on your account, Meta's automated enforcement flags your account, and you can be banned for what the attacker did.

Red flags in a Meta business email

  • An unexpected partner request from a business you have never heard of.
  • The partner business or Page name is a long block of warning text instead of a normal name.
  • A 24-hour or "final notice" countdown. Real Meta processes do not put a ticking clock inside a partner request.
  • A phone number to "call and appeal." Meta does not put support phone numbers inside partner requests or policy emails. This is a tell for a callback scam.
  • A link to a domain that is not facebook.com, business.facebook.com, or meta.com. Hover before you click. Anything hyphenated like facebook-business-support or facebook-appeal-center is hostile.
  • Pressure to accept a request or re-enter your password to "keep your page active."
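As an added example (not SafeBrowz code, and not anything Meta publishes), the following Python triages a partner-request notification along the lines of this checklist and the earlier point that authentication only proves who sent the message. It reads the Authentication-Results header to answer "is this really from Meta?" and then scores the content separately, so a fully authenticated email can still come back as a hostile request. The subject shape, the two sample messages, the sender address, the Business Settings link and the phone-number pattern are all constructed for the example and are assumptions, not taken from real Meta mail.

```python
import re
from email import message_from_string
from email.policy import default as EMAIL_POLICY
from email.utils import parseaddr
from urllib.parse import urlparse

# Real Meta surfaces named in the article; any other link host is a red flag.
META_DOMAINS = {"facebook.com", "business.facebook.com", "meta.com", "facebookmail.com"}

# Assumed subject shape, taken from the article's wording of the notice.
SUBJECT_RE = re.compile(r"^(?P<partner>.+?) wants to partner with your business", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
# "1-888-XXX-XXXX" is the article's placeholder; X is accepted in place of digits here too.
PHONE_RE = re.compile(r"\b1-\d{3}-[\dX]{3}-[\dX]{4}\b|\(\d{3}\)\s?\d{3}-\d{4}")
DEADLINE_RE = re.compile(r"\b\d+\s*(?:hours?|hrs?|days?)\b|\bfinal notice\b", re.I)


def authenticated(msg) -> bool:
    """True when Authentication-Results reports spf, dkim and dmarc all passing."""
    results = " ".join(msg.get_all("Authentication-Results", [])).lower()
    return all(f"{m}=pass" in results for m in ("spf", "dkim", "dmarc"))


def body_text(msg) -> str:
    """Plain-text parts only; HTML parts are ignored in this example."""
    if msg.is_multipart():
        return "\n".join(p.get_payload() for p in msg.walk()
                         if p.get_content_type() == "text/plain")
    return msg.get_payload()


def red_flags(msg) -> list:
    """Content checks from the article's red-flag list, independent of the sender."""
    flags = []
    subject = msg.get("Subject", "")
    text = subject + "\n" + body_text(msg)
    match = SUBJECT_RE.match(subject)
    partner = match.group("partner") if match else ""
    # A Page name that is a paragraph, a URL or a phone number is the core tell.
    if len(partner) > 60 or URL_RE.search(partner) or PHONE_RE.search(partner):
        flags.append("partner name is warning text, not a business name")
    hosts = {urlparse(u).hostname or "" for u in URL_RE.findall(text)}
    for host in sorted(hosts):
        if host not in META_DOMAINS and not host.endswith(".facebook.com"):
            flags.append(f"link to non-Meta domain: {host}")
    if PHONE_RE.search(text):
        flags.append("phone number to call")
    if DEADLINE_RE.search(text):
        flags.append("countdown or final-notice deadline")
    return flags


def triage(raw: str) -> dict:
    """Keep the two questions apart: who sent it, and is the request itself safe."""
    msg = message_from_string(raw, policy=EMAIL_POLICY)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    flags = red_flags(msg)
    return {
        "from_meta": authenticated(msg) and sender.endswith("@facebookmail.com"),
        "flags": flags,
        "verdict": "hostile request" if flags else "review in Business Settings",
    }


# Constructed sample: authenticated Meta mail whose partner name is phishing text.
HOSTILE = """\
From: Meta for Business <notification@facebookmail.com>
To: owner@example.com
Subject: Meta Security: your page violated our Community Standards and will be
 disabled in 24 hours. Verify at https://facebook-appeal-center.com/appeal or
 call 1-888-XXX-XXXX to appeal wants to partner with your business
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=facebookmail.com;
 dkim=pass header.d=facebookmail.com; dmarc=pass header.from=facebookmail.com
Content-Type: text/plain; charset=utf-8

Meta Security: your page violated our Community Standards and will be
disabled in 24 hours. Verify at https://facebook-appeal-center.com/appeal or
call 1-888-XXX-XXXX to appeal wants to partner with your business.

Review the request: https://business.facebook.com/
"""

# Constructed sample: the same notification from an ordinary agency name.
BENIGN = """\
From: Meta for Business <notification@facebookmail.com>
To: owner@example.com
Subject: Northwind Media Agency wants to partner with your business
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=facebookmail.com;
 dkim=pass header.d=facebookmail.com; dmarc=pass header.from=facebookmail.com
Content-Type: text/plain; charset=utf-8

Northwind Media Agency wants to partner with your business.

Review the request: https://business.facebook.com/
"""

if __name__ == "__main__":
    for label, raw in (("hostile", HOSTILE), ("benign", BENIGN)):
        print(label, triage(raw))
```

The property worth noticing is that the hostile message keeps `from_meta` true while collecting four red flags, which is exactly the situation the article describes: the sender check passes and the request is still an attack. Even the benign case returns "review in Business Settings" rather than "accept", because the only safe place to act on any request is inside Business Settings. Real notifications would need the subject and body patterns adjusted, and a mail gateway or client plugin is where this belongs, since the flags must be raised before anyone clicks.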

What to do

The single most important rule: never act on an unexpected partner request, no matter how real the email looks. The malicious instructions live in the Page name, not in any genuine Meta message. Then:

  1. Do not click the link in the email. Do not call any number it contains. Do not accept the request from the email.
  2. Verify only inside Business Settings. Open a fresh browser tab and type business.facebook.com yourself. Go to Business Settings. Any genuine action your business needs to take will be visible there, never only in an email.
  3. Reject unknown partner requests. In Business Settings under Requests, decline anything from a business you do not recognize. Rejecting a request does nothing harmful; accepting one is the whole risk.
  4. Audit Partners, People, and Admins. In Business Settings, review Partners and People. Remove any partner, person, or admin you did not add. Check your ad account access list too.
  5. Turn on two-factor authentication for every admin, and require it across the Business. Prefer an authenticator app or hardware key over SMS.
  6. Remember Meta's own norms. Real Meta never puts "call this number" or a 24-hour threat inside a partner request. If you see either, it is an attack.

If you already accepted or entered your password

Move fast; ad-account abuse can start within minutes.

  1. Change your Facebook password immediately from a device you trust, and change it anywhere you reused it.
  2. Go to facebook.com/hacked and follow the account-recovery flow if you have lost access or see activity you did not perform.
  3. Remove the unknown partner and any new admins in Business Settings, and revoke their access to every ad account, Page, and Pixel.
  4. Pause your ad accounts and check billing for campaigns you did not create. Report fraudulent charges to Meta and to your card issuer.
  5. Use the Meta Business Help Center to report the compromise and request a review if your account was disabled because of the attacker's activity.
  6. Enable two-factor authentication on every admin account before you do anything else.

How to report it

Report the phishing from inside Facebook using the report option on the message or Page. In the United States, file with the FTC at reportfraud.ftc.gov and, for financial loss, with the FBI Internet Crime Complaint Center at ic3.gov. Reporting helps takedowns move faster and feeds the threat-intelligence sources that block these domains for everyone else.

How SafeBrowz blocks this threat

SafeBrowz runs a 3-layer detection engine: Local + APIs + AI. It cannot read your inbox or your Business Manager, so it will not see the partner request itself. It activates the moment you click an "appeal" or "verify" link and a phishing page tries to load, which is the point where this attack does its damage.

  • Layer 1 - Local detection: 60+ URL patterns plus a 550+ brand signature database (including Cyrillic and Punycode homograph variants) and a community whitelist/blacklist, all running inside the extension before the page renders. It flags facebook-business-support, facebook-appeal-center, facebook-policy-verify, and similar lookalikes instantly, while leaving the real facebook.com, business.facebook.com, and facebookmail.com alone.
  • Layer 2 - API checks: aggregates threat-intelligence feeds (Google Safe Browsing, PhishTank, URLhaus) plus 30+ scam-TLD heuristics for domains already known to be malicious.
  • Layer 3 - AI deep scan (Premium): content analysis in 100+ languages catches novel fake-appeal pages in seconds, including freshly registered domains that no blocklist has seen yet.
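To make the Layer 1 idea concrete, here is an added Python example of a brand-lookalike check; it is not SafeBrowz's code or its signature database. It treats the real Meta hosts as an exact allowlist and only afterwards folds punycode labels and a handful of Cyrillic confusables before searching for a brand token, so hyphenated, homograph and IDN variants all land on the same signature while the genuine hosts are left alone. The allowlist, the brand list and the confusable map are assumptions chosen for the example; a production check would use a full confusables table.

```python
import re

# Real Meta surfaces named in the article; matched exactly, never fuzzily.
ALLOWLIST = {"facebook.com", "business.facebook.com", "meta.com", "facebookmail.com"}
# Brand tokens to look for once a host has failed the exact allowlist (illustrative list).
BRANDS = ("facebook", "instagram", "meta")

# Cyrillic letters that render like Latin ones (assumed subset for the example;
# real confusable tables such as Unicode TR39 are far larger).
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u043a": "k", "\u0456": "i",
})


def canonical(host: str) -> str:
    """Lowercase and strip a trailing dot; the form used for the exact allowlist check."""
    return host.strip().rstrip(".").lower()


def fold(host: str) -> str:
    """Decode punycode labels and map confusables to Latin so homograph variants
    collapse onto the plain brand spelling. Used only for lookalike matching."""
    labels = []
    for label in canonical(host).split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # undecodable label: keep the raw form, it is still scanned
        labels.append(label.translate(CONFUSABLES))
    return ".".join(labels)


def classify(host: str) -> str:
    """'allowed' for the exact Meta hosts and their subdomains, 'lookalike:<brand>'
    when a brand token appears in anything else, otherwise 'unrelated'."""
    exact = canonical(host)
    # Exact match first. A homograph such as f\u0430cebook.com never equals the
    # ASCII allowlist entry, so it falls through to the lookalike check below.
    if exact in ALLOWLIST or any(exact.endswith("." + d) for d in ALLOWLIST):
        return "allowed"
    folded = fold(exact)
    collapsed = folded.replace(".", "").replace("-", "")
    tokens = set(re.split(r"[.-]", folded))
    for brand in BRANDS:
        # Long tokens are safe to match as substrings ("facebookappealcenter");
        # a short one like "meta" must be a whole label so "metal-supplies" stays clean.
        if (len(brand) >= 6 and brand in collapsed) or brand in tokens:
            return f"lookalike:{brand}"
    return "unrelated"


if __name__ == "__main__":
    for h in ("business.facebook.com", "facebook-appeal-center.com",
              "f\u0430cebook.com", "meta-policy-verify.com", "metal-supplies.example"):
        print(h, "->", classify(h))
```

The ordering is the point: the allowlist is compared exactly, before any normalization, so a homograph of facebook.com can never normalize its way onto the allowlist. Only hosts that fail that exact check are folded and scanned for brand tokens, which is where the hyphenated lookalikes from this article and their Cyrillic or punycode cousins are caught.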

Detection signatures are derived from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history.

Frequently asked questions

Can a Meta email be real and still be a scam?

Yes. This attack relies on it. Scammers set a dummy Page name to phishing text and send your business a partner request. Meta's own system then emails that text to you from facebookmail.com, its genuine notification domain, so it passes SPF, DKIM, and DMARC. The email is authentically from Meta; the request it carries is the attack. Authentication confirms who sent a message, never whether the message is safe.

Is facebookmail.com a real Meta domain?

Yes. facebookmail.com is the legitimate domain Meta uses to send notifications, including partner requests, comment alerts, and security messages. That is precisely why this scam works: checking the sender confirms it is really Meta. The danger is in the content of the request, not the sender. Treat any unexpected partner request as suspicious even though the email is genuine.

What should I do with an unexpected Business Manager partner request?

Do not accept it and do not click any link inside it. Open a fresh browser tab, type business.facebook.com yourself, and go to Business Settings. Reject the request there if it is from a business you do not recognize. Rejecting is harmless; accepting is the entire risk, because acceptance grants the attacker access to your assets.

What can attackers do if they get into my Business Manager?

They can run ads on your ad account against your credit line (often for crypto scams, dropshipping, or disinformation), post on your Page, exfiltrate your custom and lookalike audiences, escalate to Business admin and lock you out, and trigger Meta enforcement that can get your personal account permanently disabled for activity you never did.

Does Meta put phone numbers or 24-hour deadlines in partner requests?

No. Real Meta partner requests and policy emails never include a "call this number to appeal" line or a countdown threatening that your page will be disabled in 24 hours. Both are reliable signs of a scam. Genuine actions appear inside Business Settings when you sign in directly, not as urgent emailed demands.

How do I recover a Facebook business account that was taken over?

Change your password from a trusted device, go to facebook.com/hacked to start recovery, and remove any unknown partner or admin in Business Settings while revoking their access to your ad accounts and Pages. Pause your ad accounts, check billing for fraudulent charges, use the Meta Business Help Center to report it, and enable two-factor authentication. Report the fraud at reportfraud.ftc.gov and, for financial loss, at ic3.gov.

Block fake Meta appeal pages before they load

SafeBrowz is a free browser extension for Chrome, Firefox, and Edge that blocks fake login and appeal pages automatically. It recognizes 550+ brands including Facebook and Meta, so the moment a facebook-business-support or facebook-appeal-center lookalike tries to load, it is flagged before you can type a password. AI content analysis works in over 100 languages and catches new phishing domains the moment they go live, even ones not yet on any blocklist. Free forever, no account needed.

