Fake Meta Business Suite OAuth Phishing
Fraudsters send fake Meta Business Suite notifications to page managers and advertisers, directing them to a phishing OAuth flow that steals their Facebook business account access.
Part of: Social Login & OAuth Phishing
Last reviewed: 7 June 2026
Meta Business Suite (formerly Facebook Business Manager) is the control centre for Facebook and Instagram advertising, page management, and creator monetisation. A compromised Business Suite account can allow attackers to run fraudulent ads charged to the victim's payment method, access audience data, or completely remove the legitimate owner's access to their pages.
Business managers and page administrators receive legitimate notifications from Meta Business Suite regularly: billing alerts, ad performance summaries, policy warnings. This routine makes them accustomed to acting on Business Suite emails, and it is this habit that attackers exploit.
The potential financial damage from a hijacked Business Suite account is substantial: fraudulent ad spend can run into thousands of pounds or dollars before the victim realises access has been lost, and because campaigns bill to the saved payment method, the charges land before any invoice is seen.
How this scam works on the Meta/Facebook brand
Legitimate Meta Business Suite notifications come from @facebookmail.com or @metamail.com addresses and direct administrators to business.facebook.com to take action. Changes to business accounts are made inside the user's existing, already-authenticated Facebook session, not through a fresh sign-in on an external page. A matching sender address on its own is not proof of legitimacy, because display names and From headers can be forged; where the link actually goes is the stronger check.
Fake Business Suite alerts mimic Meta's administrative email template, often referencing the victim's real business page name (taken from the public Facebook page) to add personalisation. The message warns of a policy violation, ad account suspension, or identity verification requirement. An 'Appeal' or 'Verify Now' button links to a page mimicking Facebook's login interface, typically on a lookalike domain such as one that contains 'facebook' or 'meta' but is registered under something else entirely.
Some sophisticated versions do not steal the password at all. Instead they use an OAuth consent screen styled after Facebook's login flow, asking the victim to 'grant access' to their business page for 'Meta Policy Compliance'. This takes one of two forms. In the first, the consent screen is Meta's genuine login dialog on facebook.com, but the app requesting access is one the attacker registered; if the victim approves permissions such as business_management or ads_management, Meta issues the attacker's app a real, long-lived access token that keeps working after the victim closes the page, and that survives a password change until the app is explicitly removed. In the second, the consent screen is an imitation hosted on the attacker's own domain and simply harvests whatever the victim types. Either way the victim never sees a conventional 'enter your password' prompt, which is what makes the approach convincing.
Common red flags
- Business Suite alert email sender is not from @facebookmail.com or @metamail.com (check the actual address, not the display name)
- The action link leads to a domain other than business.facebook.com or facebook.com, including lookalikes such as a host that starts with 'facebook.com' but ends in a different registered domain
- An OAuth permission screen reached from an email link asks you to 'grant access' to your business page or ad account, especially for an app you did not set up yourself
- The alert threatens permanent suspension of the ad account within hours
- You are asked to re-enter your Facebook password on a page reached via email
- The email references your business page name but comes from a generic address
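The checks above can be applied mechanically to the two things every one of these alerts contains: a sender address and an action link. The following is an added example, not code from the original page or from Meta, that triages a suspicious alert. It separates the display name from the real sender domain, cuts the action link's host down to its registrable domain so that lookalikes such as business.facebook.com.appeal-center.net are caught, and, when the link really does go to Meta's own OAuth dialog, inspects the requested permissions and the redirect target. The allowlists follow the page's own guidance; the permission names are Meta Graph API permission names; the sample alerts, app ID and domains are constructed for the example. The registrable-domain helper takes the last two labels and does not consult a public suffix list, which is an assumed simplification.

```python
"""Triage a Meta Business Suite-style alert: sender domain, action link, OAuth scopes."""
import re
from urllib.parse import urlparse, parse_qs

# Allowlists taken from the page's guidance (constructed for this example).
LEGIT_SENDER_DOMAINS = {"facebookmail.com", "metamail.com"}
LEGIT_LINK_HOSTS = {"facebook.com", "www.facebook.com",
                    "business.facebook.com", "web.facebook.com"}
LEGIT_LINK_DOMAIN = "facebook.com"
# Graph API permissions that hand a third-party app control of ads and pages.
HIGH_RISK_SCOPES = {"business_management", "ads_management",
                    "pages_manage_ads", "pages_manage_posts"}


def registrable_domain(host: str) -> str:
    """Last two labels of a host. Simplification: no public-suffix list, so
    'example.co.uk' would be mis-cut; adequate for the lookalikes seen here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def sender_domain(from_header: str) -> str:
    """Domain of the address in angle brackets, or of a bare address. The
    display name is ignored: 'noreply@facebookmail.com <x@evil.net>' is evil.net."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header.strip()
    return addr.rsplit("@", 1)[-1].lower()


def check_sender(from_header: str) -> list:
    dom = sender_domain(from_header)
    if dom not in LEGIT_SENDER_DOMAINS:
        return [f"sender domain {dom} is not a Meta notification domain"]
    return []  # a matching domain is necessary, not sufficient: headers can be forged


def check_link(url: str) -> list:
    flags = []
    u = urlparse(url)
    host = (u.hostname or "").lower()
    if u.scheme != "https":
        flags.append("action link is not https")
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode (IDN) host: possible homograph of facebook.com")
    if host not in LEGIT_LINK_HOSTS:
        rd = registrable_domain(host)
        if "facebook" in host or "meta" in host:
            flags.append(f"lookalike host {host}: registrable domain is {rd}, "
                         f"not {LEGIT_LINK_DOMAIN}")
        else:
            flags.append(f"action link leads to {host}, not business.facebook.com")
        return flags
    # Genuine facebook.com link. If it is the OAuth dialog, the thing being
    # approved is a third-party app, so look at what it asks for and who gets it.
    if "/dialog/oauth" in u.path:
        q = parse_qs(u.query)
        client = q.get("client_id", ["?"])[0]
        raw_scope = q.get("scope", [""])[0].replace(" ", ",")
        scopes = {s for s in raw_scope.split(",") if s}
        risky = sorted(scopes & HIGH_RISK_SCOPES)
        if risky:
            flags.append(f"OAuth consent for app {client} requests business-level "
                         f"scopes: {', '.join(risky)}")
        else:
            flags.append(f"OAuth consent for third-party app {client} reached "
                         f"from an email link")
        redirect_host = (urlparse(q.get("redirect_uri", [""])[0]).hostname or "")
        if redirect_host and registrable_domain(redirect_host) != LEGIT_LINK_DOMAIN:
            flags.append(f"consent result is delivered to {redirect_host}")
    return flags


def triage(from_header: str, action_url: str) -> list:
    """All red flags for one alert; an empty list means nothing was found."""
    return check_sender(from_header) + check_link(action_url)


# Constructed sample alerts (not real messages).
SAMPLE_ALERTS = [
    ("Meta Business Suite <notification@facebookmail.com>",
     "https://business.facebook.com/settings"),
    ("Meta for Business <alerts@meta-policy-team.com>",
     "https://business.facebook.com.appeal-center.net/verify"),
    ("Meta Business Suite <notification@facebookmail.com>",
     "https://www.facebook.com/v19.0/dialog/oauth?client_id=1234567890"
     "&redirect_uri=https%3A%2F%2Fcompliance-check.example%2Fcb"
     "&scope=business_management,ads_management,public_profile"),
]

if __name__ == "__main__":
    for sender, link in SAMPLE_ALERTS:
        flags = triage(sender, link)
        print(sender, "->", link)
        print("  " + ("\n  ".join(flags) if flags else "no red flags found"))
```

The third sample is the case the red-flags list is really about: the link does go to facebook.com and the sender domain is right, yet the alert is still hostile, because the only thing a genuine Meta notification ever needs you to approve is something inside Business Suite itself, not a third-party app asking for business_management with its results sent to a domain nobody in the business recognises.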
How to protect yourself
- Access Meta Business Suite only by typing business.facebook.com yourself or using a saved bookmark, never via links in emails
- Enable two-factor authentication for every account that holds an admin role in Meta Business Suite, and require it for the business so that partners cannot opt out
- Regularly review the people and partners with access to your business account at business.facebook.com/settings/people, and remove anyone who no longer needs a role
- Set up email alerts for ad spend thresholds in Meta Business Suite to detect unauthorised campaigns quickly
- Review and revoke access for any unrecognised apps at facebook.com/settings?tab=applications; a token granted to a malicious app keeps working until the app is removed, and changing your password alone does not revoke it
How to report it
- Forward the phishing email to Meta's phishing reporting address, phish@fb.com, ideally as an attachment so the original headers are preserved
- Report to Meta through the Business Help Center at web.facebook.com/business/help
- File a report with the FTC at reportfraud.ftc.gov (US) or Action Fraud actionfraud.police.uk (UK)
- If fraudulent ads were run on your account, contact Meta Ads Support immediately to dispute the charges
Frequently asked questions
What can an attacker do with access to my Meta Business Suite?
They can run ad campaigns charged to your payment method, access your customer audience data, modify or unpublish your Facebook pages, lock out legitimate administrators, and use your business identity to run scam campaigns targeting your followers.
Does Meta Business Suite ever email warnings about ad policy violations?
Yes, Meta does send genuine policy violation emails from @facebookmail.com or @metamail.com. The key checks are: does the sender match those exact domains? Does the link lead to business.facebook.com rather than a lookalike? When in doubt, do not use the link at all; open Business Suite directly at business.facebook.com, where any real policy issue will be shown in the account. Your personal Facebook account's Settings > Security and login page also lists the recent emails Facebook has sent you, so you can confirm whether a given message was actually sent by Meta.
How can I tell if someone has already accessed my Business Suite without permission?
Log in to business.facebook.com, go to Business settings > People and Partners, and review who has access and with which roles. In your personal Facebook account, check Settings > Security and login > Where you're logged in for sessions and devices you do not recognise, and Settings > Apps and websites for third-party apps you did not authorise, since an app granted through an OAuth consent screen will appear there rather than as a login. In Ads Manager, review the account activity history for campaigns, payment methods, or spending limit changes you did not make.