Hacked Friend Scams
Attackers use a compromised account to message the victim's contacts, exploiting established trust to request money, personal details, or account access.
Last reviewed: 1 June 2026
What this scam is
Hacked friend scams — sometimes called friend impersonation scams or compromised account fraud — occur when a fraudster takes over someone's social media, messaging, or email account and then uses that access to contact the account owner's friends, family members, or colleagues. Because the message appears to come from a trusted person, recipients are far more likely to comply with requests than they would if the same message came from a stranger.
The attack has two stages: first, the account takeover itself, which occurs through phishing, credential stuffing, SIM swaps, or malware; second, the exploitation of the victim's contacts, who receive messages that feel entirely legitimate because they are coming from a real account they know and trust.
The requests vary. The most common is an urgent financial request — the fraudster, writing as the account owner, claims to be in trouble (stranded abroad, facing an emergency, unable to access funds) and needs money transferred quickly. In other variants, the fraudster asks contacts to click a link that leads to a phishing page, forwards a message containing a scam to extend the attack's reach, or asks for personal information on the premise of resolving a problem.
The social engineering is particularly effective because the message arrives in the context of an existing relationship. There are no cold-contact signals to trigger suspicion. You believe your friend is genuinely asking you for help, and the emotional urgency of the scenario suppresses the careful verification that might otherwise occur.
How it works
Once the attacker has control of an account, they review the contact list and recent conversations to understand the relationships. They may read previous messages to find out names, relationships, and any ongoing matters that would make a targeted approach more convincing.
They then send messages — typically to multiple contacts simultaneously — with an urgent request. The framing creates emotional pressure: the person is in trouble, needs help fast, and cannot be reached by other means. The urgency discourages checking via an alternative channel ('I can't call right now, just send it to this account').
In money-request variants, the attacker provides bank transfer details, a payment app handle, or a cryptocurrency address under the pretext of an emergency. The money is sent to an account the attacker controls. Because the payment is a bank transfer or cryptocurrency, reversal is difficult or impossible.
In link-forwarding variants, the contact receives a message saying something like 'look what someone said about you' or 'you should see this', with a link. The link leads to a phishing page that captures the contact's credentials, potentially propagating the attack to their contacts in turn.
In credential-request variants, the fraudster claims to need a verification code sent to the contact's phone ('I accidentally gave them your number — can you read me the code?'). This code is actually a two-factor authentication code for an account the attacker is trying to access.
Why this scam works
Trust is the foundation of the scam. A message from a known person carries enormous credibility compared to an approach from a stranger. People are naturally inclined to help those they care about, and the urgency of the presented scenario activates helping behaviour rather than critical scrutiny.
The request often includes an explanation for why the normal way to verify — calling the person directly — is not available. This removes the most obvious check and creates a plausible reason for the unusual communication channel.
Many people are unaware that a hijacked account can be used to message the owner's contacts, so they do not consider the possibility that the account has been compromised.
A typical pattern
A person receives a message on a social messaging platform from a close friend they have known for years. The friend claims to be stranded abroad without access to funds due to a lost wallet and needs money urgently to pay for a hotel and travel home. They ask the person to transfer money to a bank account provided in the message, promising to repay immediately on return. The person transfers the money, then calls their friend's phone to check in — and discovers their friend is sitting at home with no knowledge of the messages. The friend's social account had been compromised earlier that day.
Common red flags
- Urgent request for money from a friend that feels out of character
- Reason given why you cannot call or speak to the person directly
- Request to send money to an unfamiliar account or new payment method
- Message asking you to forward a verification code sent to your phone
- Link sent by a friend with no context or with vague curiosity bait
- Friend claims to be abroad or in an emergency you have not heard about through other channels
- Account shows no recent activity but suddenly sends an urgent request
- Message feels slightly 'off' in tone or vocabulary compared to how your friend usually writes
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [phone number] and [fake link].
Hey, it's me — I'm stuck in [city] and my wallet was stolen. Can you send [amount] to [account]? I'll pay you back the second I'm home.
I can't talk right now but I need your help urgently. Please transfer [amount] — I'll explain everything later.
Did you see what [name] said about you? [fake link]
I accidentally put your number down for a verification code. Can you just read it to me when it arrives? It's urgent.
Something weird is happening with my account. Click here to see: [fake link].
Hi, I'm in a really difficult situation and need [amount] quickly — can you help? I can't call, they took my phone.
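The red flags and sanitized messages above, expressed as a small rule-based triage in Python. This is an added example, not part of the original page: the rule names, regular expressions and action labels are assumptions, and the samples are adapted from the messages above plus one constructed benign line.

```python
import re

# Rules derived from the "Common red flags" list. Names and patterns are
# assumptions for this example, not a vetted production detector.
RULES = {
    "money_request": re.compile(r"\b(send|transfer|need)\b[^.?!]*\[(amount|account)\]", re.I),
    "urgency": re.compile(r"\b(urgent(ly)?|quickly|right now|asap)\b", re.I),
    "no_call_excuse": re.compile(r"\bcan['’]?t (call|talk)\b", re.I),
    "code_relay": re.compile(r"\b(verification|security|login) code\b", re.I),
    "bare_link": re.compile(r"\[fake link\]", re.I),
}

# Adapted from the sanitized examples; the last line is a constructed benign message.
SAMPLES = [
    "I can't talk right now but I need your help urgently. Please transfer [amount] - I'll explain everything later.",
    "Did you see what [name] said about you? [fake link]",
    "I accidentally put your number down for a verification code. Can you just read it to me when it arrives? It's urgent.",
    "Hi, I'm in a really difficult situation and need [amount] quickly - can you help? I can't call, they took my phone.",
    "Are we still on for lunch on Friday? I can call you after work.",
]


def triage(message):
    """Return (sorted red-flag names, recommended action) for one message."""
    flags = sorted(name for name, rx in RULES.items() if rx.search(message))
    # A request to relay a code is never legitimate, so it outranks the rest.
    if "code_relay" in flags:
        action = "never_share_code"
    # Money requests and contextless links need confirmation on a separate
    # channel, even when no urgency or excuse accompanies them.
    elif "money_request" in flags or "bare_link" in flags:
        action = "verify_out_of_band"
    else:
        action = "no_flag"
    return flags, action


if __name__ == "__main__":
    for msg in SAMPLES:
        flags, action = triage(msg)
        print(f"{action:20} {flags}  <- {msg[:50]}")
```

Keyword rules like these only surface candidates for a warning banner or a reviewer; a message that triggers no rule still needs the independent-channel check described below.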
Common variations
- Emergency abroad variant — person claims to be stranded and needs urgent funds
- Verification code relay — contact asked to forward an authentication code
- Link-forwarding scam — link spreads phishing to the victim's contacts
- Business email compromise — work email compromised to send invoice fraud to colleagues or clients
- Cryptocurrency emergency — request framed around urgent cryptocurrency need
- Phone contact list SMS blast — SIM-swap-enabled attack using the victim's SMS contact list
How to verify before you act
Whenever you receive an urgent request for money or sensitive information through a messaging app, social media, or email — regardless of who it appears to be from — verify by contacting the person through a separate, independent channel. Call their phone number directly. Do not use contact information provided within the suspicious message itself.
Be especially suspicious of requests that provide a reason why you cannot call or speak to the person directly. Real emergencies do not typically prevent all forms of direct contact.
If you are asked to forward a verification code that arrives on your phone, do not do so under any circumstances. No legitimate request requires someone else's verification code. This is almost always an attempt to access an account.
If a friend's account appears to have been hacked, tell them through another channel immediately so they can take steps to regain control.
Payment methods used
- Bank transfer
- Payment apps
- Cryptocurrency
- Gift cards
Who is usually targeted
- Friends, family, and colleagues of account takeover victims
- Anyone in a compromised account's contact list
- Work colleagues of business email compromise victims
What to do immediately
- Do not send money or share any information before calling the person directly on their phone
- If you cannot reach them, try another mutual contact or family member to verify the situation
- Warn the person that their account may be compromised — use a channel other than the one the messages came from
- If you have already sent money, contact your bank immediately to report and attempt reversal
- Report the compromised account to the platform so they can investigate and help the owner recover it
- Do not click any links in the suspicious messages
How to prevent it
- Always verify urgent money requests through a direct phone call to the person — not through the same channel the message came from
- Never forward verification codes to anyone for any reason
- Enable two-factor authentication on all social and messaging accounts to reduce takeover risk
- Use unique passwords for social accounts so a breach at one service does not expose others
- Establish a shared 'safe word' or verification phrase with close contacts for genuine emergencies
- Tell friends immediately if you notice their account has been compromised
Evidence to preserve
- Screenshots of the messages received
- The account or number the messages came from
- Any payment details provided in the messages
- Bank records if a transfer was made
- Record of when you contacted the real person and what they confirmed
Where to report it
- Action Fraud (UK) — UK national fraud & cybercrime reporting centre
- FTC ReportFraud (US) — US Federal Trade Commission fraud reports
- FBI IC3 (US) — US Internet Crime Complaint Center
- Scamwatch (Australia) — Australian competition & consumer reporting
- Your bank's fraud line — Use the number on the back of your card or in your banking app — never a number the caller gives you
Always verify reporting routes and emergency contacts on the official government or agency website for your country.
Frequently asked questions
How do I know if a message is really from my friend?
Call them on their phone. This is the only reliable way to verify in real time. A genuine emergency does not prevent all phone contact. If they cannot talk, try another mutual friend or family member to confirm the situation.
My friend's account was hacked and I already sent money — what do I do?
Contact your bank immediately to report the transfer as fraud and ask whether a recall is possible. Speed matters — banks can sometimes recall transfers if the recipient account has not been emptied. Also report to your national fraud body.
Why would someone hack my friend's account just to message me?
Because your trust in your friend removes most of the suspicion that would block the same approach from a stranger. The compromised account is the vector — the target is you and other contacts on the friend's list.
Can I tell if the account has been hacked from the messages alone?
Sometimes — the tone or vocabulary may be subtly different from your friend's usual writing, or the request may be entirely out of character. But these cues are unreliable. Always verify through an independent channel rather than relying on reading the messages.
What should I do if I think my own account has been hacked?
Change your password immediately from a trusted device. Check and update your account recovery details. Enable two-factor authentication. Review recent account activity. Notify your contacts through a different channel that they should ignore recent messages from your account.
What is a verification code relay attack?
The attacker uses your friend's compromised account to ask you to forward a verification code that arrives on your phone. That code is actually a two-factor authentication prompt for your own account that the attacker is trying to access. Never forward codes to anyone, regardless of who appears to be asking.
How can I prevent my own account from being used this way?
Use a strong, unique password for each social and messaging account. Enable app-based two-factor authentication. Be cautious about links in messages, even from trusted sources. Regularly review which devices and apps have access to your accounts.