In a malicious script scam you are asked to copy and paste text into your browser’s address bar in order to see something interesting or surprising (ex: who viewed your profile/timeline).


This "code" is actually a malicious script. Instead of showing you what was advertised, it uses your account to create events and pages and send your friends spam.

Stay Safe

Spammers often advertise surprising things (ex: the opportunity to see who viewed your profile/timeline) to try to lure people into their spam traps.

• Never click on suspicious links, even if they’re sent by your friends.
• Never copy and paste text into your internet browser address bar if you are unsure of what it is.
• Use the latest version of Internet Explorer. With Internet Explorer 9 you get the best protection against these types of attacks. Upgrade now.
• Learn more about keeping your account secure.

• Think before you click. Never click suspicious links — even if they come from a friend or a company you know. This includes links sent on Facebook (ex: in a chat or post) and links sent in emails. If one of your friends clicks on spam by accident, that link might be sent to all of their Facebook friends. Remember to never re-enter your Facebook password or download something (ex: a .exe file) if you aren’t sure what it is. Learn more about recognizing suspicious links and suspicious emails.
  
  
• If you don’t know what it is, don’t paste it into your internet address bar. Pasting unfamiliar text into your address bar could result in events and pages being created from your account or other spammy actions. Learn more about malicious script scams.
  
  
• Pick a unique, strong password. Use combinations of at least six letters, numbers and punctuation marks; don’t use words that can be found in the dictionary. When in doubt, change your password. You can reset your password here or by going to your Account Settings page, located in the Account dropdown menu at the top of every Facebook page.
  
  
• Never give out your username or password.Never share your login credentials (ex: email address and password) for any reason. Individuals, pages or groups that ask for your login information in exchange for discounted goods (ex: free poker chips) shouldn’t be trusted. These types of deals are carried out by cybercriminals and are in violation of Facebook’s Payment Terms
  
  
• Log in at www.facebook.com. Sometimes scammers will set up a fake page to look like a Facebook login page, hoping to get you to enter your email address and password. Make sure you check the page's URL (web address) before you enter your login information. When in doubt, you can always type "facebook.com" into your browser to get back to the real Facebook site.
  
  
• Update your browser (ex: Internet Explorer). Current versions of Firefox and Internet Explorer have built in security protection, like warning you if you navigate to a suspected phishing site. Facebook supports:

  • Mozilla Firefox
  • Safari
  • Google Chrome
  • Internet Explorer

  
  
• Run anti-virus software to protect yourself from viruses and malware. You can learn more and download this software for free here:

  • For Windows
  • For Mac OS

For more information about protecting your account, please visit the Security section of our Help Center.

It’s possible that your friend unknowingly pasted a malicious script into their address bar. Instead of showing you what it advertises (ex: who viewed your profile/timeline), these scripts create events and pages from your account or send your friends spammy links.

Tell your friend to close their internet window or log out of Facebook to end the attack and secure their account.

If your friend did not paste text into their browser, it's possible that malicious software was downloaded to their computer or that their login information was phished. Tell your friend to visit the Phishing and malware section of our Help Center to secure his or her account.