Comment Tag Malware Link Scam on Facebook
Compromised Facebook accounts mass-tag friends in comments containing malware links disguised as shocking photos, videos, or 'is this you?' messages.
Part of: Comment Tag Malware Link Scam
Last reviewed: 5 July 2026
Facebook's tagging feature, which sends a notification directly to everyone tagged, gives comment-tag malware scams a built-in distribution engine that a scammer couldn't replicate through cold outreach alone.
How this scam works on Facebook
A compromised friend's account posts a photo or video with an eye-catching caption, such as a shocking headline or 'can't believe this happened', and tags dozens of friends in the comments, each of whom receives a direct notification. Clicking the accompanying link leads to a fake video player or news page that either prompts the victim to install a browser extension or app (the actual malware) or presents a fake login page that steals the victim's own Facebook credentials. Those credentials are then used to repeat the same tagging cycle from the newly compromised account.
Because the tag comes from a real friend's genuine account rather than a stranger, and the notification appears alongside normal Facebook activity, victims are far more likely to click without the skepticism they would apply to an unknown sender. The malware therefore spreads through trusted social connections rather than random targeting.
Common red flags
- A friend's account tags you in a comment with a sensational link that seems out of character for them
- The link leads to a page asking you to install a browser extension or app to 'view' the content
- You're prompted to log into Facebook again on an external-looking page to view a supposed video
- The friend's account shows other recent unusual activity, like posting unrelated content
- The comment thread has other friends' names tagged in a mass, near-identical pattern
- Urgency or shock-value language pressuring an immediate click
How to protect yourself
- Never click links in unexpected tags, even from real friends, without verifying with them directly first
- Never install a browser extension or app prompted by a social media link
- Never re-enter your Facebook password on a page reached through a tagged comment link
- Enable two-factor authentication on your own Facebook account to reduce hijack risk
- Alert the tagged friend through another channel if their account appears compromised
- Run a security scan if you clicked a suspicious link or installed anything from it
How to report it
- Report the comment, post, or account using Facebook's in-app Report tool
- Report a hijacked friend's account through Facebook's hacked-account reporting flow
- Report to the FTC at reportfraud.ftc.gov if malware or financial loss resulted
- File a complaint with the FBI's IC3 at ic3.gov for significant losses
Frequently asked questions
Why would a friend's real account send me a malware link?
Their account has likely been compromised through a prior phishing attack, and the malware is designed to auto-post and tag their entire friend list to spread further before they even notice.
What should I do if I already clicked the link and installed something?
Remove the installed extension or app immediately, run a full security scan, change your Facebook password from a trusted device, and enable two-factor authentication.