How a verified Facebook account was stolen in a three-week social engineering scam

Executive overview

A scammer posing as a podcast booker spent three weeks building trust before executing a precise Facebook Business Manager takeover. The attack worked because it was indistinguishable from a normal media booking — bio requests, question lists, a tech setup call — until a malicious link was clicked.

No money was ever requested. The goal was access to ad accounts tied to a credit card.

Build trust slowly enough and almost any legitimate process can be weaponised.

The three-week setup

  • Initial outreach: invitation to appear on a desirable podcast, no money involved
  • Week 1: request for bio, headshot, and topic notes — standard media procedure
  • Week 2: list of interview questions sent for approval
  • Week 3: "tech setup call" requested to configure a live Facebook restream

The call: how the access was taken

  • Scammer joined Zoom audio-only, claiming to be driving kids to practice
  • Opened with personal rapport questions drawn from recent social media activity
  • Guided the target through Facebook Business Manager — knew the interface exactly
  • When the target handed off to their marketing manager, the scammer repeated the same rapport script
  • Sent a link via Zoom chat, then a second via email — link appeared to do nothing
  • In the 5–7 minute window while the link was active, three fake Facebook pages were created
  • Scammer added himself as admin and removed the target, EA, and marketing manager from all pages

What happened after the handoff

  • Passwords were changed and two-factor authentication was in place, but the scammer retained admin on the pages he created
  • Over the following week he ran ads, spoofed content, and spammed followers from those pages
  • User reports flagged the profile for suspicious activity
  • When the account holder uploaded a passport to verify identity, Facebook's systems — still seeing active spam from linked pages — shut down the 18-year-old verified account entirely
  • Recovery required working with a specialist; the verified status on the profile and linked Instagram was the only leverage available

What to watch for

  • Anyone on a setup call who refuses to appear on video
  • Zoom links or email links that "don't seem to do anything" — they may be doing something
  • Unusually detailed knowledge of your recent travel or events (scraped from social media)
  • Any third party asking to walk staff through your Business Manager access
