With over 600 million active users, Facebook has become the largest and most widely used social networking site in existence. However, this widespread usage has not been without its risks. Due to its nature as a social networking site, as well as its huge popularity, Facebook is a rich target for identity thieves and malware writers. This article is intended as a general guide to Facebook security; while by no means exhaustive, it will hopefully give you an overview of the threats you might encounter.

One of the inherent challenges with writing an exhaustive guide to Facebook is that its features are constantly changing. Facebook is frequently updated, providing new benefits to its users. However, new updates likewise mean new risks. With malware writers relentlessly attempting to find new ways to exploit applications and features on sites like Facebook, it is impossible to account for every current and potential threat you might experience while using the site. The intent of this article is to provide general advice for identifying and handling Facebook threats, as well as common-sense techniques to avoid being scammed.

Passwords
We’re told time and time again that we should not use the same password for all accounts and that we should be using strong passwords. But how many of us do that? What is a strong password anyway?

It’s unlikely your password will be compromised through an attempted hack on Facebook itself, but other sites don’t have such good security. There has been a spate of high-profile hacks recently. Using the same password on multiple sites means that if a hacker gets one, they get them all. Many of the threats on the internet rely on compromised accounts; if your passwords are compromised, you’re putting yourself at risk of more than just some spam posts on your Facebook profile. As discussed below, ID theft and social engineering can cost you serious money.

For information on how to create strong passwords please see the following links.

Create strong passwords

Is it real?

The fundamental aspect of modern internet surfing is using common sense. The internet is full of scams and traps for the inexperienced, but these can easily be avoided by asking yourself a few questions when you are unsure.

Facebook is a constantly updating platform that aims to provide its users with new features on a regular basis. With each new feature, it’s easy to be caught out when a new threat appears that mimics or abuses it. When you see something new, think before you act, and only click if you are sure it’s a legitimate part of Facebook.

Does it look suspicious? Does it actually look professionally designed, and something that would be on the Facebook site? If it’s full of spelling mistakes, or has slightly strange images that don’t quite fit the rest of the site, think to yourself whether it’s legitimate or not.

Fig. 1 Facebook will never ask you to complete a survey to verify your account.

Is it a feature Facebook actually has? Is it something they would likely allow? So-called “Stalker Apps”, applications (apps) that claim to tell you who visits your profile, are not real. The Facebook privacy policy does not allow anything like that, and even if it did, it’s unlikely they would provide developers with the data needed. When you see a new feature or application, ask yourself whether it’s something Facebook would actually allow, and whether it’s likely they would implement it.

Is it something your friend is likely to send you? Is the friend sending you links likely to ask you to go on webcam with them? Is your wife likely to send you a link to a crash video on a fake YouTube site? Think about who is sending you links or apps; is it something they are actually likely to do? It’s unlikely your boss is going to send you links to videos of Hot Babes, but if you have them on Facebook and they click the wrong thing, it might just appear that way.

Much of the spam on Facebook displays links to third-party sites. In a legitimate post, someone might link you to a video on Youtube.com, but for a long time malware sites have used similar, but not identical, URLs to try to trick people into visiting them. If you are sent a link, look at the URL first to make sure the website looks real and that there are no obvious spelling mistakes in either the site name or the domain (.co rather than .com).

A similar tactic is to spam a page with redirect links. These are shortened URLs that essentially redirect you to another page. They are often used on sites with a character limit, like Twitter, to send long links, but on Facebook they are more often used as a means of spreading spam and malware.

Think about whether the URL looks like a legitimate site. If the link is fg35.bit.ly, does that look like a legitimate link? Shortened URLs are usually randomly generated and consist of a small number of lower-case letters and occasionally some numbers. If you see one of these on Facebook, be careful: you can’t be sure what site you will end up on.
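The URL checks described above (a brand name with the wrong TLD such as .co for .com, a one-letter typo, a brand name buried in someone else’s subdomain, and shortened links like fg35.bit.ly) can be written down as a small heuristic. The code below is an added example, not part of the original article; the trusted-domain and shortener lists are constructed sample data (bit.ly is the only shortener the article names), and the classification is meant as a prompt to look closer, not a verdict.

```python
"""Heuristic link check for suspicious Facebook links (added example)."""
from urllib.parse import urlsplit

# Constructed sample data: sites the article treats as legitimate.
TRUSTED_DOMAINS = {"facebook.com", "youtube.com"}
# Link shorteners; bit.ly is named in the article, the rest are assumptions.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname: 'www.youtube.com' -> 'youtube.com'."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typos in a brand name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str) -> str:
    """Return 'trusted', 'shortened', 'lookalike' or 'unknown' for a URL."""
    # Bare hosts like 'fg35.bit.ly' carry no scheme; add one so urlsplit sees a host.
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    if domain in SHORTENERS:
        return "shortened"       # destination cannot be judged from the link itself
    name, _, tld = domain.rpartition(".")
    labels = host.lower().split(".")
    for trusted in TRUSTED_DOMAINS:
        tname, _, ttld = trusted.rpartition(".")
        if name == tname and tld != ttld:
            return "lookalike"   # right brand, wrong TLD: youtube.co
        if edit_distance(name, tname) == 1:
            return "lookalike"   # one typo away: faceboook.com
        if tname in labels:
            return "lookalike"   # brand hidden in a subdomain: facebook.com.example.net
    return "unknown"


if __name__ == "__main__":
    for link in ("http://www.youtube.com/watch?v=abc123", "youtube.co/video",
                 "fg35.bit.ly", "http://facebook.com.login-check.example/",
                 "https://example.org/"):
        print(f"{link:45} {classify_link(link)}")
```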

Privacy

Privacy is a controversial issue in the internet age; some advocate sharing as little information as possible, whilst others are more open. Regardless of your stance, there are still precautions you should take to avoid being scammed.

Accept everyone?

A common sight is friend lists with numbers in the thousands. Surely this is harmless enough? Unfortunately not. You are sharing personal information with thousands of people, and much of the information an account may display on Facebook can be used to pass companies’ security checks. How many times have you been asked to provide your date of birth (DOB) as a security check to access an account? There is a wealth of information on your Facebook account that can be used for ID theft, so try to avoid having information like your full DOB and other sensitive details displayed on your account.

Fig 2. One friend too many?

Adding unknown accounts can also put your Facebook account itself at risk. One of the password recovery tools on Facebook relies on you choosing three trusted friends from your list; if a hacker controls three of the accounts on your friends list, you are giving them an open door into your account. Once in, they can reset your password and email, giving them full control of your account.

Social Groups

Facebook has a useful feature for managing your contacts known as Lists. This feature can be used for customizing the amount of information about you different friends see.

Fig. 3 Use lists to organize and control information shared with certain groups.

It’s a fact of life that we have different social groups; we share more information with some than with others. Use Facebook Lists in the same way to limit the amount of information shared with your contacts. After all, should your boss have the same level of access as your girlfriend or boyfriend? You may have embarrassing photos on Facebook, or other personal information that you don’t want everyone to see. Add certain people to the limited Restricted Access group to share only public information with them, and create custom lists for different social groups.

Public Access

You also need to consider what information is being displayed publicly. Facebook’s privacy settings range from sharing none of your information publicly to sharing all of it. Is it necessary for people who aren’t your Facebook contacts to have access to all your wall posts? My advice is to limit the public information displayed on your account to an absolute minimum; it’s not necessary to give away your entire Facebook history and your personal information to people you don’t know. The information found on public accounts could be used for hacking, ID theft and fraud.

Fig. 4 Your privacy is important. Use the settings to protect yourself.

Only allow information to be displayed publicly that you are happy to have in the hands of a complete stranger. Things like your date of birth and your current location should not be shared publicly, due to the potential for malicious use of this information. Public contact information like your email address should also be hidden; if you display your email publicly on Facebook, you may find the amount of spam in your inbox substantially increases.

Remember to configure your privacy settings to what you are personally comfortable with. The nature of Facebook is that information shared with your friends can also be shared by them with others, and with applications they install, if they pay less attention to their privacy settings than you do.


Is it only privacy and ID theft you have to worry about? Unfortunately not; criminals, and others who just wish to cause inconvenience and embarrassment, populate Facebook with bogus apps, links and messages.

Whilst most threats could come under the broad term “Spam”, I’ve divided threats up into more specific criteria. All terms and threat names used are referred to by their use and definition in the context of Facebook; in a more general situation the advice and definitions given may change slightly.

Clickjacking

Clickjacking is a method used to gain control of a Facebook account. When you click on certain malicious links, such as malicious “Like” pages, hidden code uses that click to take control of your account. The code will usually then spread itself by using your account to post the link to your friends.

Be careful which links you click on; the link usually spreads without the poster’s knowledge. Watch out for long, rambling link names that end in “...”, as Facebook usually displays the full page name, and these links are designed to provoke your curiosity.

You might want to consider using NoScript (Firefox only) and Web of Trust. These can warn you about malicious links and prevent malicious scripts from running.

Malware

Facebook is not as malware-free as you might think. Whilst you are unlikely to encounter anything on the site itself, the usual method of infection is to direct you to a different web page. Once there, you might be asked to download a plug-in to watch that cool rollercoaster video, or you might be inundated with warnings about your computer’s security. Whilst on Facebook, watch out for malicious links. Typical examples on Facebook are links to fake YouTube sites, and redirect URLs promising rewards in return for clicking.

Always have an up-to-date antivirus program installed, and always be wary of downloading anything from the internet.

Spam Messages

Spam is something we all seem to be pestered with, whether it be junk mail through the post or chain emails offering you money from a Nigerian king. Wherever there are people, there is spam, and Facebook is no different.

To a certain extent, most of the threats on Facebook could be referred to as spam. The majority of them try to flood you and your friends with posts trying to get you to click on them, clickjacking being one of the quickest methods of spreading links through Facebook. While I’ve divided this section into specifics, the more general spam is any generic wall post or message that has been spreading through Facebook.

Chain mail is the most common form of spam, and while not unique to Facebook, it’s not uncommon there. Heard that Facebook is going to start charging money? Or that Facebook is “overpopulated” and that your account will be deleted if you don’t send the message on to 50 friends? These are some common chain letters you might come across on Facebook.

When you get a message like this, and aren’t sure whether it’s real or not, ask yourself a few questions.

  • Are you asked to spread the message? – This is the key point when dealing with chain letters. A sentence at the bottom of the message asking, or demanding, that you send the message on to as many people as possible is a sure giveaway.
  • Is it realistic? – If Facebook were “overpopulated” and accounts needed deleting, would they really ask you to perform a meaningless task to prove your account is active when they already have records of you logging in?
  • Would it have been on the news? – If Facebook were going to start charging money, this would have been on the news. Facebook is a big company, and any significant changes get noticed by a large number of people. If you are not sure, or want to check, do a quick search on Google; if you don’t get any results from legitimate news sites, or you get several links to sites informing you it’s a scam, then you can quickly and easily verify that it’s chain mail.
  • Does it have any purpose? – Lots of spam goes round on Facebook, and lots of people unwittingly send it on to their friends, thinking it’s real. However, other than spreading, does the message serve any purpose? If it’s raising awareness for a charity, are there legitimate links in the message that take people to the charity’s site? If it doesn’t seem to serve any purpose, the chances are it’s just been designed to spread and confuse others.

Spam groups

How often have you clicked on a page, only to be told you need to “Click Here” to see the picture or information?

Groups are commonly set up to direct users towards online surveys, where the group owner gets paid for every person who takes the survey. Most of the time, after completing the survey you will still not be able to see the promised reward, and you will just have signed up for spam from 20 more companies. If you have to carry out complicated steps to see the promised picture, it’s never going to be worth it.

Fake emails

This scam isn’t specific to Facebook; it targets a variety of social networking sites and, in more serious cases, bank account details.

The main principle is that a user is sent a fake email, something that looks like it was sent by Facebook, with the intention of stealing private data from the user. If you get an email that looks like it’s from Facebook and asks you to reply with your username and password, or to upgrade your account, it’s definitely a scam, as genuine sites will never ask for these details. By either replying or clicking on a link, you could be directed to another site set up to steal your personal data.

Fig. 5 Always check the URL, this type of email is never legit.

Be wary when dealing with emails from Facebook; usually the only emails they will send you are notification emails, which you might be receiving in large numbers. Any “Security Breaches” or “Password changes” will not be emailed to you, but will instead be displayed when you next log in.

When reading any email that mentions personal data, ask yourself whether it looks suspicious. Facebook has a number of tight security measures; they are not going to compromise these just because they have your email address.

If you get any unsolicited email asking you to do a password reset, or to reset or “confirm” any other personal details, go directly to the site it claims to be from. Do NOT click any links in the email.

Malicious Applications

Facebook can’t effectively monitor every app developed; they rely on users reporting malicious apps and then selectively remove them.

Facebook apps can potentially have access to all of your data, and also your friends' data. When you install an app, you should be greeted with the permissions page. When installing any app, even legitimate ones, don’t just blindly click through this page. Your private data is important to you; it’s not something you should give to a total stranger.

Fig. 6 Always check the permissions.

Malicious apps may install themselves with the intention of harvesting personal data from you and your friends. These will often spread using the same spam techniques other threats use.

If the app immediately posts a stream of wall posts on your “behalf”, chances are it’s malicious. Whilst you are going through your list of installed apps, you might also notice a couple of randomly named apps, such as “AFGJWDKGH”; these are almost always malicious and should be removed.

Money Transfer Scam

So, a criminal has managed to get hold of a Facebook account. What next? If one of your friends has fallen victim to a more generic scam, and lost their account details, you could find yourself the victim of a targeted and much more costly theft.

Essentially, once a criminal has access to a compromised Facebook account, they may use social engineering to convince close friends that the account owner is stuck and needs funds transferred to them to help out. If one of your friends is messaging you over Facebook claiming to be in a tough situation and needing financial aid, there are a number of things to check. First, has your friend been posting a lot of spam recently? If so, their account may have been compromised, and you are not actually talking to them.

Secondly, verify the situation with them using a method other than Facebook. If a close friend is asking for funds to be transferred to a specific account, phone them up and speak to them in person. Speaking to your friend directly is the only way to be sure you are not falling victim to a complex theft.

This scam is far less common, due to its targeted nature. However, if you fall victim to some of the threats already discussed, this is what your account could be used for.


Facebook has become another feature of modern life. It has its risks, but, like everything, these risks can be minimized by following common sense and thinking about what it is you are being asked to do. Your information is important to you; freely sharing sensitive information can end up costing you money, and clicking on Facebook links can lead to some embarrassing situations.

Surf safely, and think before you click.

Useful Links

Facebook Security Help Pages
Report Abuse
I think my account is hacked
Keeping your account secure