The "Facebook podcast" scam is a simple social-engineering play that targets something more valuable than a personal profile: your Meta business assets. The attacker approaches as a podcast host, producer, or media partner, then pressures you into granting access to your Page or business portfolio. Once you approve the wrong thing, they can add themselves as an admin, run ads, change roles, and lock you out.
This is not a technical exploit. It is a permission theft. The defense is verification and role hygiene.
Fast checks before you click anything
| What they ask for | Safe response | Why |
|---|---|---|
| "Add me as admin" or "add our Business Manager" | Do not. Offer a public email contact or a calendar link you control, and verify identity off-platform. | Admin access is enough to take the asset permanently. |
| "Review our podcast page" via a link | Open links only after verifying the sender and the domain. Prefer typing known URLs directly. | These links are often phishing or OAuth-style consent traps. |
| "Fix copyright" or "verify your account" quickly | Treat it as a scam and check your real account notifications directly inside Meta tools. | Urgency is used to bypass verification. |
Do not grant access to resolve a problem you cannot see inside your real Meta account. If the problem is real, it will show up in your account's own notification surfaces.
How the scam usually plays out
The variations change, but the structure is consistent:
- Approach: a friendly outreach that flatters the target (guest invite, interview request, brand feature).
- Legitimacy props: screenshots, a "producer" email, a cloned media page, or a stolen identity.
- Access request: a request to add a person, partner, or business to your Page or business portfolio "so we can collaborate".
- Lock-in: once access is granted, the attacker creates persistence by adding new admins, linking integrations, and sometimes changing contact details.
- Monetization: ad spend, scam posts to your audience, extortion, or resale of the asset.
Social engineering works because it uses your normal workflow against you. If you want the mental model for these tactics, start with social engineering and why it keeps working.
What attackers do after they get access
Once inside, attackers often move quickly and quietly:
- add themselves (and backup accounts) as admins
- create or attach ad accounts and payment methods
- grant new app/integration access so they can re-enter later
- post scam links from your Page to exploit audience trust
- try to trigger policy violations so Meta disables the asset, making recovery slower
That last move matters. If your Page gets disabled, the recovery path becomes slower and more evidence-driven.
If you clicked, approved, or added someone: containment sequence
1) Secure the recovery channel first
Start with the inbox and phone number that can reset your Meta account. If you skip this step, attackers can re-take access while you are cleaning up roles. If you suspect your primary email was changed, see the guide what to do when your Facebook primary email changes unexpectedly.
2) End sessions and rotate credentials
Change the password and sign out unknown sessions. Then enable two-factor authentication (2FA) if it is not already enabled. If you are getting repeated login prompts, treat it as an active attack, not a nuisance.
3) Review business roles and Page access
Inside your Meta business settings, remove unknown people, unknown partners, and any role grants you did not intend. Labels and menus vary, but the control is always the same: only trusted identities should have admin rights, and editor roles should be minimal.
4) Remove suspicious integrations
Attackers commonly use integrations for persistence. Review every connected app and business integration and remove any you did not add yourself; Meta's own documentation covers how business integrations work and how to manage them.
5) Check ads, billing, and connected payment methods
Look for new campaigns, unusual spending, new payment methods, and billing contacts you do not recognize. Preserve evidence before removing anything that might be needed for a dispute.
Safety note: do not take "support" help over DMs or phone numbers in comments. Recovery scams spike immediately after business takeovers.
Recovery when you cannot access the Page or portfolio
If you still have some access, prioritize evidence: screenshots of role changes, billing activity, and any notifications that show what changed. If you lost access entirely, follow official Meta recovery routes for hacked assets. For Pages you manage, Meta provides a recovery starting point here: Recover a hacked Facebook Page you manage.
For a deeper playbook that covers Business Manager, Page admin recovery, and escalation paths, see the guide recover a Facebook business Page or Business Manager.
Prevention that fits real business workflows
- Separate admin identities: keep a hardened admin account for business assets and a separate daily personal account.
- Minimize admins: give the smallest role that enables the work.
- Require 2FA for anyone with access: a weak collaborator account becomes your weak link.
- Train for consent traps: employees should recognize role-grant requests, not just email phishing.
- Use verification rituals: confirm identity off-platform before granting permissions.
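As an added example (not code from the original article, and not a Meta tool or API), the Python script below applies containment steps 3 to 5 and the prevention rules above to an exported list of access grants and billing events: everything not on your allowlist is marked for removal, anything a trusted identity received from an untrusted one is marked for review (that is how backup admins and re-granted roles survive a cleanup), trusted people without 2FA are flagged, and billing activity is cross-checked against the incident window before an evidence record is written. The record layout, field names and all sample values are constructed for this illustration; Meta's real exports use different shapes, so adapt the loader to whatever you can pull from your business settings.

```python
import json
from dataclasses import asdict, dataclass
from datetime import datetime


@dataclass(frozen=True)
class Grant:
    identity: str       # email, partner business name, or app name
    kind: str           # "person", "partner" or "integration"
    role: str           # "admin", "editor", "advertiser", "analyst" or "app"
    two_factor: bool    # 2FA state (meaningful for people only)
    added_by: str       # identity that created this grant
    added_at: datetime


@dataclass(frozen=True)
class BillingEvent:
    kind: str           # "campaign_created", "payment_method_added", ...
    actor: str
    at: datetime
    detail: str


# Constructed sample export, as it might look after a podcast-scam takeover.
SAMPLE_GRANTS = [
    Grant("owner@example.com", "person", "admin", True, "owner@example.com", datetime(2023, 1, 10)),
    Grant("designer@example.com", "person", "editor", False, "owner@example.com", datetime(2023, 6, 2)),
    Grant("producer@podcast-example.net", "person", "admin", False, "owner@example.com", datetime(2024, 3, 4, 14, 5)),
    Grant("backup.acct@example.org", "person", "admin", False, "producer@podcast-example.net", datetime(2024, 3, 4, 14, 9)),
    Grant("Podcast Media Partner", "partner", "admin", False, "producer@podcast-example.net", datetime(2024, 3, 4, 14, 12)),
    Grant("analyst@example.com", "person", "analyst", True, "producer@podcast-example.net", datetime(2024, 3, 4, 14, 15)),
    Grant("Scheduler Pro", "integration", "app", False, "owner@example.com", datetime(2023, 8, 1)),
    Grant("Lead Sync Connector", "integration", "app", False, "backup.acct@example.org", datetime(2024, 3, 4, 14, 20)),
]

SAMPLE_BILLING = [
    BillingEvent("campaign_created", "owner@example.com", datetime(2024, 2, 20), "Spring promo"),
    BillingEvent("payment_method_added", "backup.acct@example.org", datetime(2024, 3, 4, 14, 30), "new card (constructed)"),
    BillingEvent("campaign_created", "producer@podcast-example.net", datetime(2024, 3, 4, 15, 0), "Giveaway"),
    BillingEvent("billing_contact_changed", "owner@example.com", datetime(2024, 3, 5, 9, 0), "contact updated"),
]

# Your own allowlist: the only identities that should hold any access at all.
TRUSTED = {
    "person": {"owner@example.com", "designer@example.com", "analyst@example.com"},
    "partner": set(),
    "integration": {"Scheduler Pro"},
}

# When the suspicious approval happened (from your notifications and screenshots).
INCIDENT_START = datetime(2024, 3, 4, 14, 0)


def untrusted_identities(grants, trusted):
    """Every identity holding access that is not on the allowlist for its kind."""
    return {g.identity for g in grants if g.identity not in trusted.get(g.kind, set())}


def audit_grants(grants, trusted):
    """Return (action, identity, reason) findings, in export order."""
    untrusted = untrusted_identities(grants, trusted)
    findings = []
    for g in grants:
        if g.identity in untrusted:
            findings.append(("REMOVE", g.identity, f"{g.kind} not on the trusted list"))
            continue
        # A trusted identity re-added by the attacker is still part of their persistence.
        if g.added_by in untrusted:
            findings.append(("REVIEW", g.identity, f"granted by untrusted identity {g.added_by}"))
        if g.kind == "person" and not g.two_factor:
            findings.append(("REQUIRE_2FA", g.identity, f"{g.role} role without two-factor"))
    return findings


def audit_billing(events, untrusted, incident_start):
    """Flag billing activity by untrusted actors, plus anything after the incident
    started even under a trusted name: a hijacked session looks like the owner."""
    hits = []
    for e in events:
        if e.actor in untrusted:
            hits.append(("untrusted actor", e))
        elif e.at >= incident_start:
            hits.append(("after incident start, confirm with the actor", e))
    return hits


def evidence_bundle(findings, billing_hits):
    """Serialize what you found before changing anything; disputes need it."""
    return json.dumps({
        "captured_at": datetime.now().isoformat(),
        "findings": [list(f) for f in findings],
        "billing": [{"reason": r, **asdict(e)} for r, e in billing_hits],
    }, default=str, indent=2)


if __name__ == "__main__":
    untrusted = untrusted_identities(SAMPLE_GRANTS, TRUSTED)
    findings = audit_grants(SAMPLE_GRANTS, TRUSTED)
    hits = audit_billing(SAMPLE_BILLING, untrusted, INCIDENT_START)
    print(evidence_bundle(findings, hits))   # save this output first
    for action, ident, reason in findings:
        print(f"{action:12} {ident:32} {reason}")
```

Run it as-is to see the sample output, then replace the two sample lists with your own export and the allowlist with the identities you actually recognize. The order of operations matters: write the evidence bundle to disk before acting on a single REMOVE finding, and treat the REVIEW and REQUIRE_2FA findings as the list of collaborators to contact off-platform.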
The long-term fix is cultural: treat Meta business roles like access to a bank account. Collaboration should happen through content workflows and clear contracts, not through surprise admin requests in DMs.
If you build a habit of verifying identity and keeping admin roles tight, this scam stops working. Attackers rely on speed and confusion. Your job is to slow the decision down long enough to see what you are actually granting.
Over time, the best indicator of resilience is not whether you get targeted. It is whether a single mistaken click can still take the whole business offline. When roles are separated, sessions can be revoked, and integrations are reviewed, the blast radius stays small.
