Comment Tag Malware Link Scam
Compromised accounts mass-tag friends in comments with a shocking or curiosity-driven link that installs malware or steals credentials, then uses the newly infected account to repeat the cycle against its own contacts.
Last reviewed: 5 July 2026
What this scam is
This scam spreads through a self-replicating cycle: a compromised account mass-tags its contacts in a comment containing a sensational claim and a malicious link, and each new person who clicks the link and enters their credentials becomes a fresh compromised account that repeats the same behaviour against their own contacts. This mechanism allows the scam to spread rapidly across a social graph with minimal ongoing effort from the original attacker.
The comment text is designed to provoke an emotional reaction strong enough to override caution — commonly a claim that the recipient appears in an embarrassing video, that a scandal involves someone they know, or that a piece of shocking news concerns a tagged individual specifically. Because the tag comes from a real account belonging to someone the recipient knows, and often several mutual friends are tagged simultaneously, the message carries an implied social proof that a stranger's message would lack.
The destination link leads to either a credential-phishing page cloned to resemble the platform's login screen, or a page that prompts a file download presented as a video player or browser update. Running that file installs malware capable of harvesting stored passwords and session cookies, or of giving the attacker remote access to the device.
How it works
An account is first compromised through an earlier version of this same scam, a separate phishing attack, or a reused leaked password. Once inside, the attacker, either directly or through a script, posts a comment on one of the compromised account's own posts, or on a public post elsewhere, tagging a large batch of the account's friends and followers.
The comment text varies but consistently uses curiosity or shock — for example claiming a tagged friend appears in a leaked or embarrassing video — paired with a shortened or disguised link. Clicking the link leads to one of two outcomes: a fake login page requesting the platform's credentials to 'verify age' or 'unlock the content', or a page prompting the download of a file disguised as a video codec, player update, or browser extension.
Once credentials are entered or the file is executed, the new account is compromised in turn, and the attacker's automated tooling repeats the same comment-and-tag sequence using the newly acquired account, reaching an entirely new set of contacts. This chain allows the scam to propagate across a platform in waves without the original attacker needing to manually target each new victim.
Why this scam works
Being tagged by name in a post claiming to involve embarrassing or shocking content triggers an immediate, almost reflexive urge to find out what is being said, which short-circuits the deliberate evaluation a person would normally apply to an unfamiliar link. The presence of the account's genuine identity, rather than a stranger's, removes the primary signal people rely on to judge whether a message is suspicious.
Seeing multiple mutual friends tagged in the same comment reinforces the impression that this is a real, shared event rather than an individually targeted attack, since it appears implausible that an attacker would need to fabricate a comment naming several real acquaintances at once, even though this is exactly what automated tooling does at scale.
A typical pattern
A user is tagged, along with a dozen other mutual friends, in a comment on an unrelated public post by someone they know personally, with text claiming to show a shocking video involving one of the tagged people and a link to view it. Curious and slightly alarmed at being named alongside friends in what looks like an embarrassing video, the user clicks the link, which opens a page asking them to log in with their social media account to 'view age-restricted content'. After entering their credentials, nothing plays, and the user assumes the video was removed or the link was broken. Within hours, the same comment appears on posts by the user's own friends, tagging a new batch of the user's contacts with the identical message, and the user later realises their account was used to spread the exact scam they had just fallen for.
Common red flags
- Comment tags a large batch of friends at once with a sensational or shocking claim
- Content is out of character for the account that supposedly posted it
- Link leads to a login page requesting your password to 'verify age' or 'unlock' content
- Page prompts you to download a video player, codec, or browser extension to view content
- Link uses a shortened or obscured URL that does not reveal its true destination
- The 'video' never actually plays after you complete the requested step
- The same comment later appears on posts by your own friends, tagging a new set of people
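For moderators or analysts triaging exported comments, the red flags above can be turned into a simple scoring pass. This is an added example, not part of the original page; the thresholds, lure phrases, shortener list and sample comments are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumed values; tune against real moderation data.
MASS_TAG_THRESHOLD = 5
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
LURE_TERMS = ("is this really you", "you won't believe", "leaked",
              "before it's taken down", "before it's removed", "verify your age")

MENTION_RE = re.compile(r"(?<!\w)@[\w.]+")
URL_RE = re.compile(r"https?://\S+", re.I)

def normalise(text):
    """Drop tags and links so the same lure compares equal across accounts."""
    text = URL_RE.sub("<url>", text)
    text = MENTION_RE.sub("", text)
    return " ".join(text.lower().split())

def score_comment(text):
    """Return the list of red flags a single comment matches."""
    reasons = []
    mentions = MENTION_RE.findall(text)
    urls = URL_RE.findall(text)
    if len(mentions) >= MASS_TAG_THRESHOLD and urls:
        reasons.append("mass_tag_with_link")
    if any((urlparse(u).hostname or "").lower() in SHORTENER_HOSTS for u in urls):
        reasons.append("shortened_url")
    if any(term in text.lower() for term in LURE_TERMS):
        reasons.append("lure_wording")
    return reasons

def find_waves(comments, min_accounts=2):
    """Same flagged lure posted by several accounts suggests propagation."""
    by_text = defaultdict(set)
    for account, text in comments:
        if len(score_comment(text)) >= 2:
            by_text[normalise(text)].add(account)
    return {t: sorted(a) for t, a in by_text.items() if len(a) >= min_accounts}

# Constructed sample data: (posting account, comment text); link paths are placeholders.
SAMPLE = [
    ("alice", "@bob @carol @dan @erin @frank OMG is this really you in this video?? https://bit.ly/xxxx"),
    ("bob", "@gina @hal @ivy @jo @kim OMG is this really you in this video?? https://bit.ly/yyyy"),
    ("carol", "Great photo @dan! See the album at https://photos.example.com/a/1"),
]

if __name__ == "__main__":
    for account, text in SAMPLE:
        print(account, score_comment(text))
    print(find_waves(SAMPLE))
```

A comment matching two or more flags is a candidate for review, and the accounts grouped by `find_waves` are the ones to treat as likely compromised.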
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [phone number] and [fake link].
[Name], [Name], [Name] — you won't believe what's in this video, watch before it's taken down: [link]
OMG is this really you in this video?? [link] — tagging everyone who needs to see this
Breaking: [Name] involved in leaked footage, click to view before it's removed: [link]
To view this video you must first verify your age by logging in here: [fake link]
Common variations
- Fake 'shocking video' variant claiming a tagged friend appears in embarrassing footage
- Fake news or scandal variant claiming a tagged public figure or friend is involved in a fabricated event
- Malware-download variant disguised as a required video codec, player, or browser extension update
- Credential-phishing variant requesting login details to 'verify age' before content will supposedly play
- Group-tag chain-letter variant urging recipients to tag more friends themselves to 'unlock' the content
How to verify before you act
Before clicking any tagged link, check whether the friend who supposedly posted it has a history of posting this kind of sensational content; a sudden, out-of-character comment tagging many people at once is a strong indicator of a compromised account rather than a genuine post. Contact the friend directly through a separate channel to ask whether they intentionally posted it.
Never enter your social media password on a page reached by clicking a link inside a comment, and never download or run a file offered as a 'video player' or 'codec update' from an unfamiliar page — genuine video content on any major platform plays directly within the app or website without requiring any download or additional login step.
Payment methods used
- Cryptocurrency
- Bank/wire transfer
- Gift cards
- Money transfer services
- Payment apps to 'friends & family'
Who is usually targeted
- Mutual friends of a compromised account
- Users tagged alongside multiple acquaintances
- Less tech-familiar social media users
What to do immediately
- Do not click the link if you have not already, and warn the friend whose account posted the comment that it may be compromised
- If you clicked the link and entered your password, change it immediately and log out of all active sessions
- If you downloaded and ran a file, disconnect the device from the internet and run a full antivirus scan
- Check your account's recent activity for comments or tags you did not post and delete them
- Enable two-factor authentication if not already active
- Report the comment and the originating account to the platform
How to prevent it
- Treat any out-of-character mass-tagging comment from a friend as a likely compromised account
- Never enter your social media password on a page reached through a link in a comment
- Never download or run a file presented as a video player, codec, or browser update from an unfamiliar page
- Verify unusual posts with the friend directly through a separate communication channel before clicking
- Enable two-factor authentication using an authenticator app on all social media accounts
- Keep antivirus software active and updated to catch malicious downloads before execution
- Report and unfollow or block accounts spreading this type of comment once identified
Evidence to preserve
- Screenshot of the original comment including the tagged names and timestamp
- The link URL, recorded without revisiting it
- Screenshots of any suspicious comments posted from your own account afterward
- Any downloaded file, kept unopened on a secondary device for analysis if malware is suspected
- A note of which friend's account the comment originated from
Where to report it
- Action Fraud (UK) — UK national fraud & cybercrime reporting centre
- FTC ReportFraud (US) — US Federal Trade Commission fraud reports
- FBI IC3 (US) — US Internet Crime Complaint Center
- Scamwatch (Australia) — Australian competition & consumer reporting
- Your bank's fraud line — Use the number on the back of your card or in your banking app — never a number the caller gives you
Always verify reporting routes and emergency contacts on the official government or agency website for your country.
Frequently asked questions
How do these comments spread so quickly across friends and family?
Each account that clicks the link and enters credentials becomes newly compromised, and automated tooling then uses that account to repeat the same tagging comment against its own contacts, allowing the scam to propagate in waves across a social network with no manual effort required from the original attacker.
I clicked the link but the video never played. Is my account already compromised?
If you entered your username and password on a page after clicking the link, treat your account as compromised immediately: change your password, log out of all sessions, and enable two-factor authentication, even if you have not noticed any unusual activity yet.
Can this type of scam actually install harmful software on my device?
Yes, some variants prompt a file download disguised as a video player or codec update rather than a fake login page. Running such a file can install malware capable of stealing stored passwords or granting remote access. Disconnect from the internet and run a full antivirus scan if you have executed an unfamiliar file this way.