Your weekly dose of scam-proofing in 3 minutes or less. No fluff, just the latest hacks, scams, phishing attacks, and cyber cons you actually need to know about.

🚨 SCAM OF THE WEEK: Social Media Account Takeover

When the message is from your mate, but it isn't.

What is a Social Media Account Takeover Scam?

You get a message from a friend.

Could be WhatsApp. Could be Instagram, Facebook, or Messenger. The name is right. The profile photo is right. Everything looks exactly as it should.

"Hey, sorry to ask - I'm in a bit of a mess. Can you help me out with some money? I'll pay you back tomorrow."

Or maybe it's subtler. A link. "Is this you in this video?" A favour. "Can you vote for my cousin in this competition? It just takes two seconds." A recommendation. "I found this investment thing, made £400 last week, you should try it."

You almost helped. You almost clicked. You almost sent.

Because it came from your friend. Except it didn't.

Their account was taken over weeks ago. The person messaging you now is a scammer working through your friend's entire contact list, one by one, using the trust your friend built over the years to run scams in minutes.

Social media cybercrime caused $3.5 billion in global losses in 2025. The FTC reported $1.9 billion in social media-originated scam losses in 2024, an 870% increase from $196 million in 2019.

That is not a niche crime. That is one of the fastest-growing fraud categories on the planet.

🧠 How It Works

1️⃣ They get into the account.

There are a few routes in, and none of them requires any particularly impressive hacking:

  • Credential stuffing (31% of cases): using passwords leaked in old data breaches to log straight in, because 94% of people reuse passwords across platforms.

  • A phishing link that sends you to a fake login page. You type your password in. They have it.

  • A "voting scam": you receive a message asking you to help a friend vote in a competition. You click a link, enter a code, and have just handed over your WhatsApp account entirely.

  • A fake sponsorship offer or brand collaboration email containing malware, aimed at creators and influencers.

Your account is not safe just because you haven't done anything suspicious. It's at risk because a company you used three years ago got breached, and you used the same password everywhere.

2️⃣ They go quiet.

This is the part nobody expects. Most attackers don't immediately post anything. They sit in the account. They read your messages. They learn how you write, who your closest contacts are, and what you talk about. They are building a profile so the scam messages they send sound like you.

The average victim takes 17 days to discover their account has been taken over. During those 17 days, the attacker impersonated them to 71% of their contacts.

Seventeen days. That is a lot of WhatsApp messages to your mum.

3️⃣ They become you.

Now the messages go out. They are targeted. They reference real things from your life, real names, real shared memories scraped from your DMs. Scammers are now using the contents of data breaches to develop tailored approaches packed with details that enhance authenticity.

The message your friend gets doesn't feel like a scam. It feels like you, having a bad day.

4️⃣ They use your contacts to reach further.

Once one person in your network clicks a link or sends money, that account is compromised too. 73% of social media account takeover victims find that the attacker spread to their other platforms. The attack ripples outward through the network, using each new account to target the next set of contacts.

💥 Why It Works

Here is the thing. You are confident you would spot a scam message from a friend. You know how they write. You'd notice if something was off.

Wouldn't you?

Maybe. But consider what you're actually working with. A profile photo you recognise. A name you trust. A message arriving in a conversation thread you've had for years. No typos. No strange number. No obvious warning signs.

Among identity crime victims, social media account takeover impacted 35% of them in 2025, up from 29% in 2024. These are not people who weren't paying attention. They were paying attention to the wrong thing: the name on the account, instead of the request itself.

The scam doesn't need to sound fake. It just needs to sound like a person you already trust, having a plausible problem. Your brain does the rest.

🙈 Real-world Facepalms

  • YouTube, 2024: Over 9,000 malicious livestreams were detected in a single year, many streamed from hijacked creator accounts that had been rebranded to advertise crypto scams. One channel with over 28 million subscribers and 12.4 billion views was completely taken over and used to run a live crypto fraud scheme.

  • WhatsApp, 2025: Meta removed 6.8 million scam accounts from WhatsApp in a single enforcement sweep. Many were formerly legitimate accounts taken over by hackers, who then used the existing contact lists to lend their scams a layer of authenticity.

  • GhostPairing attacks, 2025: A new technique where a casual message from a contact ("Hey, check out this photo") leads to a fake verification page. Entering a code doesn't verify anything. It hands your entire WhatsApp account to the attacker. No password stolen. No obvious warning. Just a familiar name and a link.

⚠️ Red Flags For Customers to Watch Out For

🚩 A message from a friend asking for money, even a small amount, especially with urgency. 

🚩 A link asking you to "log in to see" something, a photo, a video, a competition result. 

🚩 A request to enter a code or "verify" something sent to your phone. 

🚩 Recommendations for investment platforms, crypto schemes, or too-good-to-be-true opportunities from people who've never mentioned them before. 

🚩 Messages that feel slightly off, too formal, too urgent, or weirdly impersonal for that person. 

🚩 A friend asking for help via a different number or account than usual.

🛡️ How Not to Get Played

Verify through a different channel before you do anything

If you receive a message from a friend asking for money, a link click, or a code, before you do anything at all, contact them through a completely different channel. Call them. Text their real number. The five seconds it takes to make that call is the entire defence against this scam.

If the account has been taken over, the attacker cannot answer your friend's phone.

Use a unique password for every social media account

The most common route into a social media account is credential stuffing, using passwords from old breaches to log in, and it works because 94% of people reuse passwords. A password manager costs less than a coffee a month and eliminates this attack vector.

Turn on two-factor authentication on every account you have

Even if an attacker gets your password, 2FA blocks them from getting in. Use an authenticator app rather than SMS, where possible, as it is harder to intercept. This applies to every platform: Instagram, Facebook, WhatsApp, X, TikTok, and LinkedIn. All of them.

Set up login alerts

Most platforms let you turn on notifications when your account is accessed from a new device or location. Turn this on. It is the difference between finding out in five minutes and finding out in seventeen days.

Tell your friends if their account looks compromised

If you receive a message from a friend that looks like a scam, don't just ignore it: tell them on a different channel. They may have no idea. The attacker is counting on nobody alerting them while the scam runs.

🔥 ONE-LINER HOT TAKE

If a friend's message is asking for money or a code, call the actual friend before you do anything else.

That's it for this week.

Social media account takeover is not a sophisticated cyberattack. It is a patience game. Someone gets into an account, learns how to sound like you, and spends weeks quietly draining the trust you have built with everyone who knows you.

The fix is one habit: when something arrives from a friend that requires action (money, a click, or a code), verify it through a channel the attacker cannot control. A phone call. A text to their real number.

Your friend will not mind the extra check. The attacker will.

Catch you next time,

Dan & the Goldphish Team

📌 P.S. Had a weird message from a "friend" recently that you ignored? Go and check if their account is still theirs. It takes thirty seconds and might save them a lot of embarrassment.
