Phishing Scams on Facebook
How fraudsters use fake Facebook pages, Messenger links, and lookalike login prompts to steal account credentials and personal data.
Last reviewed: 1 June 2026
Facebook's scale — billions of active users — makes it one of the most impersonated brands in phishing. Scammers create pages or ads that mimic Facebook's own notifications, copyright warnings, or prize announcements, all linking to login pages designed to harvest usernames and passwords.
Because Facebook accounts often link to Marketplace, Shops, and payment methods, a stolen Facebook login can cascade quickly into financial fraud. Understanding how these phishing campaigns look on-platform is the first step to avoiding them.
How this scam works on Facebook
Common Facebook phishing vectors include: fake 'Your account will be disabled' messages that link to a lookalike login page; fraudulent copyright or community-standards warnings shared via Messenger from compromised friend accounts; fake prize or giveaway pages that ask you to 'verify your identity' with login credentials; and paid ads impersonating Facebook Support that direct to phishing forms.
The login pages are often near-pixel-perfect copies of Facebook's real interface, hosted on domains with minor misspellings (e.g., faceb00k-support.com). Once credentials are entered, the account is typically taken over within minutes and used to spam friends with more phishing links or to hijack linked payment methods.
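The exact-match URL check this article recommends, as an added example that is not part of the original article: a short Python classifier that accepts only facebook.com and its subdomains and flags hosts that merely display the brand, including digit swaps like the faceb00k-support.com case. The function name classify, the swap table, and the .example sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

TRUSTED = "facebook.com"  # the domain the article says the address bar must match
# Digit-for-letter swaps of the faceb00k kind (assumed, non-exhaustive table)
SWAPS = str.maketrans({"0": "o", "3": "e", "4": "a"})


def classify(url: str) -> str:
    """Return 'genuine', 'lookalike', 'unrelated' or 'invalid' for a link."""
    try:
        parts = urlsplit(url if "://" in url else "https://" + url)
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return "invalid"
    if not host:
        return "invalid"
    # Genuine only if the host IS facebook.com or ends with ".facebook.com".
    # A plain substring test would wrongly accept facebook.com.login.example.
    if host == TRUSTED or host.endswith("." + TRUSTED):
        return "genuine"
    # Check the whole authority, so "facebook.com@other-host" (brand placed in
    # the userinfo part, real host after the @) is flagged as well.
    shown = parts.netloc.lower().translate(SWAPS).replace("-", "")
    if "facebook" in shown:
        return "lookalike"
    return "unrelated"


# Constructed sample links; only faceb00k-support.com comes from the article.
SAMPLES = [
    "https://www.facebook.com/login",
    "faceb00k-support.com/login",
    "https://facebook.com.login.example/",
    "https://facebook.com@login.example/",
    "https://example.org/news",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify(link):10} {link}")
```

The check is deliberately strict: anything that shows the brand name without being facebook.com or one of its subdomains is treated as impersonation.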
Common red flags
- Urgent message claiming your account will be suspended if you do not click immediately
- A 'copyright violation' notice from a Facebook page rather than an official email
- Messenger link from a friend that seems out of character
- URL in the address bar does not exactly match facebook.com
- Login page that asks for your password again after you are already logged in
- Prize announcement requiring credential entry to 'claim'
How to protect yourself
- Enable two-factor authentication on your Facebook account
- Never enter your password on any page reached through a Messenger link — log in directly at facebook.com
- Check the exact URL before entering credentials; bookmark the real Facebook login
- Treat any urgent account-suspension warning as suspicious until verified through official channels
- Review which apps have access to your Facebook account periodically
How to report it
- Report the fake page or message inside Facebook via the three-dot menu > Report
- Forward phishing emails claiming to be from Facebook to [email protected]
- Report to your national cybercrime agency (IC3 in the US, Action Fraud in the UK)
Frequently asked questions
Can I be phished on Facebook without clicking a link?
The most common phishing requires clicking a malicious link, but some attacks use fake in-app forms or compromised apps that request excessive permissions. Keeping your account's connected-apps list clean and enabling login alerts reduces your exposure.