New Account Takeover on Facebook
Facebook accounts are taken over through phishing, credential stuffing, and malicious app permissions, then used to run scam ads, make fraudulent Marketplace listings, and impersonate the owner to their network.
Part of: New Account Takeover
Last reviewed: 1 June 2026
Facebook account takeover is disproportionately damaging because a single account often connects to Business Pages, advertising accounts, Marketplace history, and payment methods. An attacker who seizes a Facebook account does not just gain a social profile — they gain a financial instrument and a trust network they can exploit in multiple directions simultaneously.
The platform's connected ecosystem means a takeover can cascade: a compromised personal account gives the attacker access to any Business Pages and ad accounts it administers, and the payment methods attached to those ad accounts then fund further phishing or scam campaigns at the victim's expense.
How this scam works on Facebook
Phishing emails or Messenger messages impersonating Facebook support, typically warning of a policy violation or pending suspension, direct the account holder to a fake login page. Entering credentials there hands the attacker immediate access. They change the linked email and phone number so that recovery notices go to them instead of the owner, add payment methods they control or start using those already stored, and begin using the account before the owner can react.
Some attackers get in through third-party apps that were previously authorised with broad Facebook permissions. Each such app holds an access token for the user's account; if the app or its token store is later compromised, the attacker can use that token to act on the account through Facebook's API without knowing the password and without triggering a new-device login alert. This is why revoking the app's access matters as much as changing the password.
Once inside, fraudulent uses include posting Marketplace listings that collect deposits for non-existent goods, running advertisements for scam products or investment platforms, impersonating the owner to their contacts for emergency money requests, and extracting any stored payment card details for use in further fraud.
Common red flags
- Login notification from Facebook for an unrecognised device or country
- Unexpected changes to your linked email, phone number, or payment methods
- Friends reporting unusual posts, ads, or Marketplace listings appearing from your account
- Advertising charges on a card linked to Facebook that you did not authorise
- Business Page you manage showing posts, admin changes, or ad campaigns you did not create
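The red flags above are individually ambiguous (a login from an unfamiliar country may be the owner travelling) but together form a pattern. The following is an added example, not Facebook's own tooling or export format: it triages a constructed list of security events against a baseline of what the owner recognises, using the rules from the list above. The baseline, the event records and their field names are assumptions made for the example.

```python
"""Triage account security events against a baseline of what the owner
recognises, flagging the red flags listed above.

Added example, not Facebook's own tooling or export format. The baseline and
the events below are constructed to resemble what you would read off the
'Where you're logged in' panel, login alerts, payment history and a Business
Page's admin list; the field names are assumptions."""

from dataclasses import dataclass

# Constructed baseline: devices, countries, contact details and Page admins
# the legitimate owner recognises.
BASELINE = {
    "devices": {"Pixel 7 (Android)", "Windows PC (Chrome)"},
    "countries": {"GB"},
    "email": "owner@example.com",
    "phone": "+447700900123",
    "page_admins": {"owner"},
}

# Constructed sample events (not real Facebook data), in time order.
EVENTS = [
    {"type": "login", "device": "Pixel 7 (Android)", "country": "GB",
     "time": "2026-05-30T08:10"},
    {"type": "login", "device": "iPhone (Safari)", "country": "NG",
     "time": "2026-05-31T02:45"},
    {"type": "contact_change", "field": "email",
     "new": "recovery.9941@mail.example", "time": "2026-05-31T02:47"},
    {"type": "payment_method_added", "card_last4": "4242",
     "time": "2026-05-31T02:52"},
    {"type": "ad_charge", "amount": 350.00, "currency": "GBP",
     "authorised": False, "time": "2026-05-31T03:10"},
    {"type": "page_admin_added", "page": "Owner's Shop",
     "user": "ads.manager.7731", "time": "2026-05-31T03:15"},
]


@dataclass
class Finding:
    severity: str  # "medium" for an odd login, "high" for a change to the account
    time: str
    reason: str


def triage(events, baseline):
    """Return one Finding per event that matches a red flag from the list above."""
    findings = []
    for e in events:
        t = e["type"]
        if t == "login":
            unknown_device = e["device"] not in baseline["devices"]
            unknown_country = e["country"] not in baseline["countries"]
            if unknown_device or unknown_country:
                findings.append(Finding("medium", e["time"],
                    f"login from unrecognised device/country: "
                    f"{e['device']} in {e['country']}"))
        elif t == "contact_change":
            # Linked email/phone changed to something other than the owner's.
            if e["new"] != baseline[e["field"]]:
                findings.append(Finding("high", e["time"],
                    f"linked {e['field']} changed to {e['new']}"))
        elif t == "payment_method_added":
            # The owner should recognise every stored payment method,
            # so any addition is worth confirming.
            findings.append(Finding("high", e["time"],
                f"payment method ending {e['card_last4']} added"))
        elif t == "ad_charge" and not e["authorised"]:
            findings.append(Finding("high", e["time"],
                f"unauthorised advertising charge of "
                f"{e['amount']:.2f} {e['currency']}"))
        elif t == "page_admin_added" and e["user"] not in baseline["page_admins"]:
            findings.append(Finding("high", e["time"],
                f"unknown admin {e['user']} added to Page '{e['page']}'"))
    return findings


def takeover_likely(findings):
    """An unrecognised login on its own may be the owner travelling; an
    unrecognised login followed by any change to contact details, payment
    methods, ads or Page admins is the takeover sequence described above."""
    saw_login = False
    for f in findings:
        if f.reason.startswith("login"):
            saw_login = True
        elif f.severity == "high" and saw_login:
            return True
    return False


if __name__ == "__main__":
    found = triage(EVENTS, BASELINE)
    for f in found:
        print(f"[{f.severity:6}] {f.time}  {f.reason}")
    print("takeover likely:", takeover_likely(found))
```

The ordering rule in `takeover_likely` is the useful part: a change to the linked email or payment methods that follows an unrecognised login is treated differently from the same change made by the owner from a known device, which is how a practitioner would read the sequence of alerts Facebook sends.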
How to protect yourself
- Enable Facebook two-factor authentication using an authenticator app
- Review authorised apps in Settings > Security and Login > Apps and websites, and revoke any you do not recognise
- Prepare account recovery before a takeover occurs: store the backup codes Facebook issues when you enable two-factor authentication somewhere safe, and confirm that the recovery email and phone number on the account are ones you control and have themselves secured with two-factor authentication
- Enable login alerts so you are notified immediately of access from new devices
- Remove payment methods from Facebook when not actively using them for purchases or advertising
- Use Facebook's 'Where you're logged in' panel to review and terminate unrecognised active sessions
How to report it
- Report the account compromise through Facebook's Security and Login > I think my account was hacked path (also reachable directly at facebook.com/hacked)
- Contact Meta Business Support if a Business Page or ad account was accessed without your authorisation
- Dispute fraudulent advertising charges with your card issuer and report to your national cybercrime unit
Frequently asked questions
What should I do in the first ten minutes after discovering my Facebook account has been taken over?
Immediately try to log in and change your password, then end every other session from the 'Where you're logged in' panel and revoke any authorised apps you do not recognise, since a changed password alone does not cut off an app token. If locked out, use Facebook's 'Forgotten account' recovery flow. Alert your contacts via another channel so they ignore messages from the compromised account. Check whether your linked email account and phone have also been compromised, since the attacker may be using them to intercept recovery codes; secure the email account first if so. Report the compromise to Facebook and contact your bank or card issuer if payment methods were attached.