Why scammers want access to your social media account

We explain what steps you can take to recover hacked accounts

Fraudsters try to hack your accounts to facilitate their scams - here’s what to know.

Whether it's to make a profit by selling your data, to scam your contacts on your social media accounts by impersonating you, or to steal your identity and apply for documents and obtain accounts in your name, there are a few reasons why scammers want your social media account.

Read on to find out what to do if your social media account has been hacked.

‘Despite having two-factor authentication set up, my account was still compromised’

Oliver (not his real name) had his personal Facebook account hacked, despite his best efforts to keep it secure with two-factor authentication and strong, unique passwords. 

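He thinks scammers gained access by a method known as cookie cloning. Cookie cloning is when a fraudster copies your cookies, which are files your browser stores about your browsing history and behaviour, such as login details. It can happen when your device is infected with malware. Because a copied login cookie represents a session that has already been signed in, the fraudster is not asked for a password or a two-factor code.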

The hacker linked their fraudulent Instagram account to Oliver’s Facebook profile. Meta, which owns both Facebook and Instagram, promptly disabled both accounts.

‘The situation became catastrophic because Meta bundles business pages with personal accounts. The suspension of my personal account jeopardised my Facebook and Instagram business pages, which are critical to my livelihood.

‘Worse still, Meta initiated a countdown to permanently delete my account and all associated assets, which would have erased years of hard work and caused immense financial damage,’ Oliver told Which?.

He also said that he had to subscribe to Meta Verified in order to access human assistance. He told Which? that, without it, he had ‘no customer service, no email support, and no one to escalate issues to.’

Which? contacted Meta and it told us it encourages its users to create strong passwords, enable two-factor authentication and to be suspicious of emails or messages asking for personal details. Oliver did eventually regain access to his account.

Hacked social media account

Last year Action Fraud warned that between August 2023 and August 2024, more than 33,600 people reported their social media and email accounts had been hacked. It added that victims had lost an estimated £1.4 million.

Access to your social media account can be a cash cow for scammers. In some cases, scammers may use the account to try to con your contacts out of money. 

One example of this Which? has recently seen involved a scammer taking over an Instagram account to attempt to flog some non-existent Oasis tickets for £150 per ticket. Victims of this scam could have been fooled as the scammer knew lots of details about the account holder and his partner. 

An almost-victim of this scam told us that he sensed something wasn't right when his friend refused to call him or at least arrange a call. He eventually concluded it was a scam when the bank details didn't match up, and he aborted the bank transfer.

Previously, Which? has uncovered McAfee rogue affiliates hacking Facebook accounts and reported on the rise of fraudsters hacking into social media accounts.

[Image: example of a ticket scam on an Instagram account that's been taken over by a scammer]

How do scammers hack into your social media accounts?

There are lots of ways that a fraudster can gain access to your social media. The main culprits are:

  • Phishing websites - these are dodgy websites that you’re typically led to from scam texts, emails and posts on social media, and which ask for your personal information under false pretences. This information is then in the scammer’s hands.
  • Malware - malicious links in texts and emails can also contain malware that infects your devices and allows a scammer to steal personal information or take over accounts.
  • Credential stuffing - this is when scammers use automated software to try username and password combinations they already know on other accounts. These combinations are usually gathered from previous data breaches.
  • Brute force - this is where hackers will guess passwords multiple times, often using technology, to eventually find the correct password.
  • Sim swapping - this is when a fraudster tricks your mobile carrier into transferring your phone number to a new sim card in their control, giving them access to your accounts.
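
Credential stuffing and brute force leave different traces in a service's record of failed logins, which is how a platform's security team can tell them apart. The sketch below is an added example, not code from Which? or any platform; the log format, IP addresses, usernames and thresholds are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of failed-login events as (source_ip, username). Not real data.
FAILED_LOGINS = (
    [("203.0.113.7", f"user{i}") for i in range(40)]   # one try each at 40 accounts
    + [("198.51.100.9", "oliver")] * 60                # 60 guesses at a single account
    + [("192.0.2.15", "amy")] * 2                      # a person mistyping a password
)


def classify_sources(events, min_failures=20):
    """Label each source IP by the shape of its failed logins.

    min_failures is an assumed threshold: below it, failures are treated
    as ordinary mistakes rather than an attack.
    """
    per_ip = defaultdict(lambda: defaultdict(int))
    for ip, user in events:
        per_ip[ip][user] += 1

    labels = {}
    for ip, users in per_ip.items():
        total = sum(users.values())
        if total < min_failures:
            labels[ip] = "normal"
        elif len(users) >= min_failures and total / len(users) <= 2:
            # Many different accounts, only a try or two each: the attacker
            # already holds one leaked password per username.
            labels[ip] = "credential_stuffing"
        elif max(users.values()) / total >= 0.8:
            # Nearly all failures aimed at one account: repeated guessing.
            labels[ip] = "brute_force"
        else:
            labels[ip] = "suspicious"
    return labels


if __name__ == "__main__":
    for ip, label in classify_sources(FAILED_LOGINS).items():
        print(ip, label)
```

Real attacks are often spread across many addresses, so a service would also count failures per account rather than relying on the source address alone.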

Recovering hacked accounts

As previous case studies have shown, it can be a challenge to regain access to a hacked social media account. If you suspect you have been hacked, you should immediately change passwords to secure ones on the accounts that you still have access to. Read more on how to create a secure password.

You should also notify your contacts that your account has been hacked and they should ignore any messages requesting money or information.

If you suspect your Facebook or Instagram account has been hacked, Meta has a step-by-step process that you can follow to recover your accounts for Facebook and Instagram.

To keep your social media accounts secure, never click on links in messages or be tempted to enter your details into a website you've been directed to from a text or email.  

You should also create secure passwords and use a reputable password manager to store them. Setting up two-factor authentication (2FA) or two-step verification (2SV) adds a separate form of identification – such as a code sent via text – when you log into an account.

Consider adding extra layers of protection with antivirus software on your devices, and keep your devices updated.

If you lose any money to a scam, call your bank immediately using the number on the back of your bank card. Report scams to Action Fraud, or call the police on 101 if you’re in Scotland.