Giveaway DM Takeover Scams
Fake prize notifications sent by DM that lead to credential-phishing pages or trick winners into authorising malicious apps.
Last reviewed: 1 June 2026
What this scam is
Giveaway DM takeover scams exploit the popularity of social media competitions to deliver phishing messages at scale. A person receives a direct message informing them that they have won a giveaway — typically a tech product, gift voucher, luxury item, or cash prize — and that they must act quickly to claim it. The message links to a page that captures their social media credentials, collects financial information under the guise of shipping or tax fees, or initiates an OAuth authorisation that grants the scammer persistent access to the account.
The scam operates through two primary channels. In the first, scammers run fraudulent giveaways from accounts posing as brands, celebrities, or popular creators, building an audience through the promotion before using winner notifications to harvest credentials from entrants. In the second, a genuine or compromised account with a substantial following is used to send bulk 'winner' DMs — the established credibility of the account makes the message appear more trustworthy.
Victims who are active in competition or sweepstakes communities are particularly targeted because they have established habits of responding to winner notifications. The emotional state of having 'won' something creates positive arousal that, like urgency, reduces critical scrutiny of the process used to claim the prize.
Giveaway scams circulate persistently because they can be adapted to any trending product or platform conversation, and because the low barrier to entry — following an account, liking a post — means many people who did not consciously enter a competition have technically participated in multiple giveaways and may receive DMs from scammers exploiting these lists.
How it works
Fraudulent giveaways are promoted through posts that encourage liking, sharing, tagging friends, and following the account. The engagement mechanics are borrowed directly from legitimate competitions, making the promotion indistinguishable from a genuine one unless you examine the account's history and verification status.
After the promotion period, winner notifications are sent by DM. These messages cite the giveaway by name, mention the prize, and include a link to a 'prize claim portal'. The link may go to a credential-harvesting login page, an order form that requests card details to cover 'shipping and handling', or a real OAuth authorisation page for a malicious app.
Some variants request a 'tax clearance payment' — a small amount compared to the prize value — before the prize can be released. This payment goes directly to the scammer and no prize follows. The tax-on-winnings frame exploits the fact that in some jurisdictions, cash prizes do attract withholding, making the request superficially plausible.
In account-takeover variants, the goal is not immediate financial gain but credential capture. The scammer may sell compromised accounts, use them to amplify other scams, or monetise them through spam campaigns before the original owner regains access.
Why this scam works
Winning induces a positive emotional state that reduces caution. The hope of receiving a prize activates anticipation and reward-seeking rather than the defensive scepticism one might apply to a financial request. The combination of positive arousal and urgency — claim now or lose your prize — is a well-understood pressure technique.
Giveaway culture on social media has normalised the process of liking, following, and responding to DMs as legitimate competition mechanics. Scammers mirror this process precisely, making their fraudulent notifications indistinguishable from genuine ones at the moment of first contact.
Common red flags
- Winner notification arrives from an account you do not remember entering a competition with
- Prize notification is for a competition you have no specific memory of entering
- Link in the notification leads outside the platform or to a non-brand domain
- Request for payment to cover 'shipping', 'tax', or 'processing' before the prize is released
- Account running the giveaway is not verified, was created recently, or has limited history
- Prize claimed in the DM is disproportionate to the giveaway's apparent following or credibility
- Winner notification says your claim will expire within hours
- The claim process asks for your full card number or social media password
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [phone number] and [fake link].
Congratulations! You have been selected as a winner in our [product] giveaway. Claim your prize at [fake link] within 12 hours.
You won our [brand] giveaway! To receive your prize, please verify your shipping address and pay the [amount] handling fee at [link].
Hi [username]! You are our lucky winner. Log in at [fake link] to choose your prize and provide your delivery details.
Your prize is ready. To comply with competition tax requirements, please send [amount] to release your [product] winnings.
We tried to reach you yesterday. You won our competition — final chance to claim. Click [link] and sign in to confirm your details.
Common variations
- Celebrity impersonation giveaway — fake celebrity account runs a competition to gather follower data
- Brand impersonation variant — duplicate of a real brand's account runs a fraudulent giveaway
- Cryptocurrency giveaway — prize described in crypto requiring a small deposit to 'unlock'
- Cascading winner scam — initial victim is told they won, then asked to recruit others to 'activate' the prize
- High-value item variant — expensive tech or luxury goods used as bait to justify larger upfront 'tax' payments
How to verify before you act
Search for the giveaway's original post independently — do not rely on the DM alone. A genuine competition will have a clearly dated announcement post on a verified account with an established history of legitimate activity.
Check whether the prize notification links to the brand or platform's own domain. Legitimate competitions claim prizes through the platform itself or through the brand's official website, not through third-party portals.
Contact the brand directly through their official website or customer service channels to confirm whether the competition and notification are genuine. No legitimate brand will object to a quick verification query from a supposed winner.
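The link-domain check and three of the red flags listed earlier, written as a first-pass triage script. This is an added example, not part of the original guidance; the allowlisted hostnames, keyword patterns and sample messages are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: hostnames the recipient has confirmed independently (placeholders).
OFFICIAL_DOMAINS = {"brand.example", "platform.example"}

# Illustrative patterns for three red flags from this page; triage hints, not proof.
RED_FLAGS = {
    "credential_request": re.compile(r"\b(log ?in|sign ?in|password|card number)\b", re.I),
    "short_deadline": re.compile(r"\bwithin \d+ (hours?|minutes?)\b|\bfinal chance\b", re.I),
    # Needs both a payment verb and a fee-type word somewhere in the message.
    "upfront_fee": re.compile(
        r"(?is)(?=.*\b(pay|send)\b)(?=.*\b(fee|tax|shipping|handling|processing)\b)"),
}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def host_is_official(url, official=OFFICIAL_DOMAINS):
    """True only if the URL's real host is an official domain or a subdomain of one."""
    try:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:  # malformed URL: treat as untrusted
        return False
    return any(host == d or host.endswith("." + d) for d in official)


def review_dm(text):
    """Return the red flags found in one DM, link check last."""
    flags = sorted(name for name, rx in RED_FLAGS.items() if rx.search(text))
    if any(not host_is_official(u) for u in URL_RE.findall(text)):
        flags.append("off_brand_link")
    return flags


# Constructed samples modelled on the sanitized messages; URLs use reserved names.
SAMPLES = [
    "Congratulations! You have been selected as a winner. Claim your prize at "
    "https://brand.example.prize-claim.example/win within 12 hours.",
    "Your prize is ready. To comply with competition tax requirements, "
    "please send 25.00 to release your winnings.",
    "Thanks for entering. Results are posted at https://www.brand.example/results",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(review_dm(msg) or ["no flags"], "<-", msg[:50])
```

The host comparison works on the parsed hostname rather than a substring search, so a brand name used as a subdomain label or placed before an `@` in the URL does not pass as official.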
Payment methods used
- Credit or debit card
- Payment apps
- Bank transfer
Who is usually targeted
- Competition and sweepstakes participants
- Followers of large brand or celebrity accounts
- People who regularly engage with giveaway posts
What to do immediately
- Do not click any links in an unsolicited winner notification before verifying the source
- Check the account that sent the notification — visit it independently to confirm its legitimacy and verification status
- Search for the giveaway by name to find its original promotional post and compare details
- If you clicked a link and entered credentials, change your platform password immediately
- Never pay any fee to claim a prize — legitimate competitions do not charge winners
- Report the fraudulent account to the platform using its reporting tools
How to prevent it
- Only enter competitions run by accounts you can verify as genuine through official websites or verified status
- Be aware that legitimate competitions never require payment of any kind to claim a prize
- Keep a note of competitions you have actually entered so you can assess whether a notification is plausible
- Apply the same scrutiny to winner notifications as you would to any unsolicited financial request
- Use a dedicated email and avoid sharing account credentials with any prize-claim portal
Evidence to preserve
- Screenshot of the winner notification DM including the sender's handle
- The URL in any link provided
- Payment receipts if any charges were made
- Screenshots of the fake giveaway account
Where to report it
- Action Fraud (UK) — UK national fraud & cybercrime reporting centre
- FTC ReportFraud (US) — US Federal Trade Commission fraud reports
- FBI IC3 (US) — US Internet Crime Complaint Center
- Scamwatch (Australia) — Australian competition & consumer reporting
- Your bank's fraud line — Use the number on the back of your card or in your banking app — never a number the caller gives you
Always verify reporting routes and emergency contacts on the official government or agency website for your country.
Frequently asked questions
I genuinely entered a competition. How do I know if the winner notification is real?
Search for the original competition post on the brand's verified account and compare the prize claim process described there against the DM you received. Genuine competition claim processes are described in the original terms and usually do not require external site logins or upfront fees. When in doubt, contact the brand directly through their official customer service.
Is it ever legitimate to pay tax to claim a social media competition prize?
In some jurisdictions, very large cash prizes are subject to withholding tax, but this is handled through the brand's accounting process — not by asking the winner to pay upfront to a third party. Any instruction to send money before receiving a prize is fraudulent regardless of the stated reason.