Social Login & OAuth Phishing
Fake 'Sign in with [Platform]' buttons and malicious OAuth app authorisations that harvest tokens granting persistent access to your account.
Last reviewed: 1 June 2026
What this scam is
Social login and OAuth phishing attacks target the widely-used authentication mechanism that allows websites and apps to request limited access to your social media account rather than asking for your password directly. When you click 'Sign in with Google' or 'Connect with Facebook' on a third-party site, a legitimate OAuth flow sends a permission request to the platform, which then grants the site a token allowing specific actions.
Scammers abuse this system in two distinct ways. In the first, a malicious page presents a fake 'Sign in with [Platform]' button that actually leads to a credential-phishing page rather than a genuine OAuth dialogue — the victim enters their username and password on a counterfeit login screen believing they are using the trusted platform flow. In the second and more sophisticated variant, a real OAuth flow is used but the app requesting authorisation is malicious: the permissions dialogue appears genuine but grants the app abilities the victim has not considered, such as reading messages, posting on their behalf, or accessing their contact list.
OAuth tokens can persist long after the initial authorisation, meaning a malicious app approved once may retain access to the account for months or years. This makes OAuth-based attacks particularly serious: the compromise is ongoing and invisible, and changing your password on the platform does not revoke existing OAuth tokens unless you also review and remove authorised applications.
How it works
In the credential-phishing variant, the victim encounters a fake login page that mimics the genuine OAuth popup. Typically this page is opened by a malicious website, an ad, or a link in a message. The URL is not the platform's real domain, but the visual design is a close copy. Credentials entered on this page go to the attacker.
In the malicious OAuth app variant, the victim is directed to a real platform login page but is asked to authorise an app that requests excessive or unusual permissions — such as the ability to send messages, follow or unfollow accounts, or read private conversations. Because the permissions dialogue is shown by the real platform, the request borrows the platform's legitimacy even though the app behind it is not trustworthy.
Once an OAuth token is issued to a malicious app, the attacker can use it to post spam or scam messages from the victim's account, scrape the contact list to send further phishing to known contacts, read private messages, and in some cases change account credentials.
The initial lure for OAuth attacks often involves quizzes, third-party analytics tools, free product claims, or content promised behind a social login wall — contexts where granting access feels like a reasonable trade-off.
Why this scam works
OAuth and social login are genuinely trusted mechanisms used by thousands of legitimate services. The prevalence of the real system means users have been conditioned to click 'Sign in with [Platform]' without deep scrutiny. The familiarity of the flow — the popup appearance, the permission dialogue — triggers pattern recognition rather than analytical evaluation.
For malicious OAuth apps, the attack benefits from the fact that the genuine platform does show the permissions dialogue. Users have been trained to dismiss these dialogues as routine consent notices rather than reading them carefully. A permission to 'post on your behalf' can slip past a user who is focused on reaching the promised content beyond the login wall.
Common red flags
- Sign-in page URL is not the platform's real domain, even if the page looks identical
- OAuth permissions dialogue requests more access than the app needs — such as posting or messaging on your behalf
- Third-party tool requests to 'manage' or 'post to' your account when only reading should be required
- Login prompt appears after clicking a link in a DM or an ad for a free tool
- App requesting authorisation has no established public presence or reviews
- Permissions request includes access to direct messages or follower management
- You are asked to authorise an app before viewing promised content
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [phone number] and [fake link].
Check your follower ranking for free — just click 'Sign in with Instagram' to see your analytics at [fake site].
Take this personality quiz and share your result. Sign in with Facebook to get started at [link].
Download our free scheduling tool. Authorise the app using your Twitter login to begin managing your posts.
Unlock your free [product]. Connect your account at [link] — we only need basic profile access.
Your account has been reviewed! See your report at [link] — sign in with your platform credentials to view.
Common variations
- URL bar hidden variant — opens login page in a mobile browser that hides the address bar
- Overlapping popup variant — a legitimate popup is obscured by a phishing iframe at the same visual position
- App store listing for a malicious social management tool that requests excessive OAuth permissions
- Browser extension that harvests tokens from active sessions without a separate login prompt
- Quiz or personality test that requires social login and sells the harvested data
How to verify before you act
Before authorising any third-party app, check the URL in your browser's address bar when the login page appears. The genuine OAuth popup for a platform will always appear on that platform's own domain — for example, accounts.google.com, facebook.com, or api.twitter.com. Any deviation from the platform's real domain indicates a phishing page.
Read the permissions dialogue carefully. Note specifically what actions the app is requesting. If a quiz or analytics tool asks to post content, access your messages, or manage your followers, those permissions are disproportionate to the described function and should be declined.
After authorising any app, periodically review your platform's connected apps list and remove anything no longer in use or unrecognised. Revoking access removes the token and prevents any further activity by that app.
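The two checks described above, the address-bar check and the permissions check, can be expressed as a small defensive helper. The following Python is an added example, not code from the original page: it verifies that the authorisation URL's host is exactly one of a platform's genuine consent hosts (an exact match, so a lookalike such as `accounts.google.com.verify-login.example` fails), and it compares the requested `scope` parameter with what a read-only quiz or analytics tool could plausibly justify. The host allowlist, the scope vocabularies and the sample URLs are constructed for illustration; real platforms publish their own consent hosts and scope names.

```python
"""Added example: assess an OAuth authorisation URL before consenting."""
from urllib.parse import urlparse, parse_qs

# Hosts on which each platform's genuine consent screen appears.
# Constructed allowlist for this example; keep it per platform and exact.
GENUINE_AUTH_HOSTS = {
    "google": {"accounts.google.com"},
    "facebook": {"www.facebook.com", "m.facebook.com"},
    "twitter": {"api.twitter.com", "twitter.com"},
}

# Scopes a read-only tool (quiz, analytics, "follower ranking") could justify.
# Illustrative vocabulary modelled on common OAuth scope names.
READ_ONLY_SCOPES = {"openid", "email", "profile", "public_profile",
                    "read", "tweet.read", "users.read"}

# Scopes that let an app act as you or read private data: disproportionate
# for any tool that only needs to read public information. Illustrative names.
HIGH_RISK_SCOPES = {"write", "publish_actions", "manage_pages",
                    "dm.read", "dm.write", "follows.write"}


def is_genuine_auth_host(url: str, platform: str) -> bool:
    """True only if the URL is HTTPS and its host is exactly a known consent host.

    Exact matching matters: substring or suffix checks would accept
    'accounts.google.com.verify-login.example' or 'accounts-google.com'.
    """
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return False
    host = (parsed.hostname or "").rstrip(".")
    return host in GENUINE_AUTH_HOSTS.get(platform, set())


def requested_scopes(url: str) -> set[str]:
    """Extract the scopes from the 'scope' query parameter.

    Platforms separate scopes with spaces or commas; accept both.
    """
    params = parse_qs(urlparse(url).query)
    raw = " ".join(params.get("scope", []))
    return {s for s in raw.replace(",", " ").split() if s}


def assess_authorisation_request(url: str, platform: str) -> dict:
    """Apply the address-bar check and the permissions check to one request."""
    genuine = is_genuine_auth_host(url, platform)
    scopes = requested_scopes(url)
    excess = sorted(scopes - READ_ONLY_SCOPES)
    high_risk = sorted(scopes & HIGH_RISK_SCOPES)

    if not genuine:
        verdict = "not-platform-domain"      # credential-phishing page
    elif high_risk:
        verdict = "excessive-permissions"    # real consent screen, wrong app
    elif excess:
        verdict = "review-permissions"       # unfamiliar scopes: read them first
    else:
        verdict = "proportionate"

    return {"genuine_host": genuine, "requested_scopes": sorted(scopes),
            "excess_scopes": excess, "high_risk_scopes": high_risk,
            "verdict": verdict}


# Constructed sample requests covering the cases discussed in the text.
CONSTRUCTED_REQUESTS = {
    "lookalike_host": (
        "https://accounts.google.com.verify-login.example/o/oauth2/auth"
        "?scope=openid%20email", "google"),
    "genuine_read_only": (
        "https://accounts.google.com/o/oauth2/v2/auth"
        "?scope=openid%20email%20profile", "google"),
    "genuine_but_excessive": (
        "https://www.facebook.com/dialog/oauth"
        "?scope=public_profile,publish_actions,manage_pages", "facebook"),
    "genuine_unfamiliar_scope": (
        "https://twitter.com/i/oauth2/authorize"
        "?scope=tweet.read%20users.read%20offline.access", "twitter"),
}


def assess_all() -> dict:
    """Return the verdict for every constructed sample request."""
    return {name: assess_authorisation_request(url, platform)["verdict"]
            for name, (url, platform) in CONSTRUCTED_REQUESTS.items()}


if __name__ == "__main__":
    for name, (url, platform) in CONSTRUCTED_REQUESTS.items():
        print(name, assess_authorisation_request(url, platform))
```

The `review-permissions` outcome is deliberate: a scope the checker does not recognise is not proof of malice, but it is exactly the case where the dialogue should be read rather than dismissed. Revoking an already-granted app, as the paragraph above notes, still has to be done in the platform's connected-apps settings; no client-side check substitutes for that audit.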
Who is usually targeted
- Anyone who uses 'Sign in with' social logins
- Creators using third-party management tools
- Users clicking social login prompts on unfamiliar sites
What to do immediately
- Go to your platform's authorised apps or connected apps settings and revoke access for any app you do not recognise
- If you entered credentials on an external page, change your password immediately on the real platform
- Enable two-factor authentication if not already active
- Check your account's recent activity for posts, messages, or follows you did not make
- Review your email's connected apps as well if the same sign-in method was used there
- Report the malicious site or app to the relevant platform
How to prevent it
- Always check the URL in the browser bar before entering credentials, even on a page that looks official
- Read OAuth permissions carefully before authorising — decline any that exceed what the app genuinely needs
- Regularly audit and revoke access for apps you no longer use in your platform's connected apps settings
- Use a password manager that flags when you are not on the expected domain
- Be sceptical of tools that require social login to deliver free analytics, content, or prizes
Evidence to preserve
- The URL of the site that requested the login or OAuth authorisation
- Screenshots of the permissions dialogue shown
- Any content the app posted from your account without your knowledge
- Email confirmation of the OAuth authorisation if one was sent
Where to report it
- Action Fraud (UK) — UK national fraud & cybercrime reporting centre
- FTC ReportFraud (US) — US Federal Trade Commission fraud reports
- FBI IC3 (US) — US Internet Crime Complaint Center
- Scamwatch (Australia) — Australian competition & consumer reporting
- Your bank's fraud line — Use the number on the back of your card or in your banking app — never a number the caller gives you
Always verify reporting routes and emergency contacts on the official government or agency website for your country.
Frequently asked questions
Does changing my password revoke third-party app access?
On most platforms, changing your password does not automatically revoke OAuth tokens already issued to connected apps. You must manually go to your account's authorised apps or security settings and revoke each app individually. This is why reviewing connected apps after any suspected compromise is essential.
How can a third-party app post from my account if I never gave it my password?
OAuth tokens allow specific actions to be performed on a platform on your behalf without the app ever knowing your password. The platform issues a token to the app after you authorise it, and that token permits the agreed actions. If you approved posting permissions, the app can post indefinitely until you revoke its access.