How 62% of social media phishing actors lure you with Facebook

Illustration of a hook luring social media logos
Corey McAuley
Corey McAuley
6 May 2024
6 min read

Phishing is a threat that almost everyone on the internet faces at some point. This is because the scamming tactic works, especially when targeting vast numbers of potential victims. Phishing’s continuing effectiveness comes from criminals adapting their techniques to target any platform or service that large numbers of users embrace – and that’s where social media comes in. 

Social media phishing attacks rely on different tactics to build trust with victims and lure them into handing out sensitive information, sending money, or clicking on a bad link. 62% of criminals love to use Facebook – the world’s largest social network – as a lure for phishing attacks, with Meta’s other apps, WhatsApp (19%) and Instagram (9%), coming in at a distant second and third most likely to be imitated. 

Unsure if your data has been exposed?

Use our instant F-Secure Identity Theft Checker

How does social media phishing work?

  1. Using a wide variety of tools, criminals establish an extremely realistic looking social media phishing website, such as one mimicking Facebook.

  2. Criminals purchase breached, leaked, or scraped data. Using some pretense that requires the recipient to offer private data, criminals approach the victims usually through email, SMS, or a friend request and messages from unknown profiles promoting links to webpages.

  3. After entering data (such as login credentials) into the phishing site, the victim is then redirected to the real version of the site to camouflage the scam.

What to do if you fall for a phishing scam

  • Change any phished password, along with any similar passwords. Use unique passwords for different accounts and enable two-factor authentication.

  • If you’ve entered credit card details or financial information, cancel the card or set up a fraud alert on the account.

  • You may not always know if you’ve fallen for a phishing scam so use an ID Protection service, such as F-Secure Total, to continually monitor your data on the dark web.

Facebook Marketplace scams

According to an investigation by British bank TSB, one in three ads listed on Facebook Marketplace are scams. Even more astonishingly, Facebook Marketplace accounts for 73% of all purchase fraud cases at TSB – with UK customers of all banks losing an estimated £60 million in 2023. Common tactics include:

  • Directing consumers to fake websites to purchase fake items or experiences

  • 'Brand new' items advertised significantly cheaper than genuine websites

  • Refusing to let people view items in person and demanding advanced fees

  • Attempts to steal data via phishing links asking you to 'verify your identity'

  • Fake payment confirmations (such as PayPal) when buying items from sellers

5 tips to identify and avoid Facebook Marketplace scammers:
  1. If a deal seems too good to be true, it probably is. For example, if you see a 'new' cellphone listed for $100 but it retails at $500 in other stores, it’s likely that this significantly cheaper listing isn’t genuine.

  2. Sellers who create a sense of urgency want you to make a quick decision without giving it proper thought. Make sure you take your time to consider any purchases before you make them.

  3. Be cautious about using payment methods outside of Facebook’s recommended methods, such as cash which is not covered by Facebook Purchase Protection.

  4. Carefully review a seller’s profile to verify whether they are genuine. If the profile looks newly created with few friends, photos and posts with minimal interactions, that’s not a good sign.

  5. If a seller refuses to meet in person and instead insists on sending a courier or mailing an item, it’s likely that they have something to hide.

Fake articles on Facebook scams

Disinformation is not a new concept – but what is new is how social media phishing actors have been adapting and evolving their tactics to get fake articles past Facebook's automated detection systems and lure victims from their own newsfeeds. And it all starts with what seems to be a genuine paid ad.

  1. The scammer creates a Facebook advert for their article with a link leading to a safe webpage.

  2. Once the ad has been approved by Facebook, the scammer creates a redirect for the webpage which takes victims to a malicious site.

  3. The destination of the redirect is continuously changed to hide the true intention of the website – also known as 'cloaking'.

Scammers have recently used fake news stories to entice victims to their malicious website under the pretense of an exclusive interview with a respected public figure who has found success in a ‘new investment opportunity’. Putting their trust in this celebrity’s seemingly true experience, the victims also decide to invest – but are scammed out of their money as well as their personal information.

How to dodge fake articles on Facebook:

Meta is constantly reviewing and improving its automatic detection systems, but there is something you can do to stay safe from fake articles that slip through the net. Scammers often masquerade as real media outlets and will, for example, create a fake webpage using a template that looks like a BBC article. Instead of clicking on any links in ads, go directly to the organization’s website to search for an article. If you can’t find the article on their website, the ad will have been a phishing scam.

Malicious tagging on Facebook scams

Malicious tagging is when scammers randomly tag people in malicious posts on Facebook to get them to click dangerous links. The technique is particularly effective when the scammer hacks into someone’s Facebook account and tags their friends in malicious posts. When those friends then click through to the post, they may inadvertently install malware onto their device or be redirected to a fake Facebook login page that will steal their personal information.

A particularly nasty, and unfortunately successful, tactic used by scammers is to play on people’s emotions, so these posts are often themed around morbid circumstances. One US television station reported hackers tagging people in posts saying things like "I can’t believe he’s gone" and linking to what appears to be a genuine news article or YouTube video about a fatal accident – but it’s a dodgy link.

How to protect yourself:
  • Check if any links in posts are safe by hovering over or holding down the link to review the URL. Does the website address begin with HTTPS? Is this a recognizable and trusted source of news?

  • Use two-factor authentication to secure your account from hackers.

  • If you notice that a friend has been hacked, send them a text message or call them instead of contacting them via Facebook Messenger, then report any malicious posts to Facebook.


total app on different devices

Keep social media phishing at bay with F‑Secure Total

As social media phishing scams evolve, protecting your digital life is more important than ever. F-Secure Total makes this easy, helping you to secure your digital moments in a brilliantly simple way. Discover more online scams in our Scam Protection Hub or explore what you can do with F-Secure Total.

  • Stay safe when banking, browsing, and shopping online.

  • Stop malware with top-rated antivirus software.

  • Make the internet safer for your kids.

  • Protect your personal data online and prevent ID theft.

  • Safeguard your privacy with unlimited VPN.

Read more about Total