How to Report Phishing on Facebook: A Clear Step-by-Step Guide for 2026

Written by: Abigail Ivy
Published on:

What Facebook phishing looks like

Phishing on Facebook usually involves a fake profile, message, post, or login page designed to steal your password, payment details, or access to your account.

Because attackers often imitate Meta, Facebook Support, friends, brands, or marketplaces, spotting the difference quickly matters.

Common phishing tactics include urgent warnings, prize claims, copyright alerts, account-lock notices, and messages that push you to click a link outside Facebook.

These scams are especially dangerous because they exploit trust, fear, and curiosity in a single interaction.

How to report phishing on Facebook

If you encounter suspicious content, report it directly in Facebook so the platform can review the account, message, or post.

The exact steps vary by content type, but the process is designed to be fast.

Report a suspicious post or ad

  • Open the post or advertisement.
  • Select the three-dot menu.
  • Choose the option to report the content.
  • Follow the prompts and select a reason such as scam, misleading content, or spam.

If the content is clearly trying to lure users to a fake login page or impersonate a business, use the closest scam or impersonation category available.

Report a fake profile or impersonation account

  • Go to the profile.
  • Open the menu under the profile photo or next to the name.
  • Select report, then choose impersonation or fake account if available.
  • Submit the report and, if prompted, specify who is being impersonated.

Impersonation reports are important because phishing often starts with a cloned profile that looks like a friend, creator, or company representative.

Report a phishing message in Messenger

  • Open the conversation in Messenger.
  • Tap or click the sender’s name or menu icon.
  • Select report.
  • Mark it as scam, spam, or suspicious content.

Do not reply to the message or click links while reviewing it.

Even a single interaction can expose your account or device to risk.

Report a fake login page or external site

If a phishing message links to a site that looks like Facebook but is not on an official Meta domain, close it immediately.

Then use Facebook’s reporting tools if the phishing attempt originated from a message, post, or profile on the platform.

You can also report the domain through your browser’s security tools, your antivirus software, and the website host if you can identify it.

This helps reduce the chance that the same phishing page is reused against other users.

What to do before you report

Before submitting a report, preserve evidence so you can track the scam and assist if your account is compromised.

Take screenshots of the profile, message, URL, and any instructions the attacker sent.

  • Record the name of the account or page.
  • Capture the exact message content.
  • Save the full URL if a link was involved.
  • Note the date and time of the incident.

This documentation is useful if you need to contact Facebook support, recover your account, or file a report with law enforcement or a cybersecurity team.

How to protect your account after a phishing attempt

Reporting the scam is only part of the response.

If you clicked a link, entered your password, or approved a suspicious login, take immediate security steps.

Change your Facebook password

Update your password to something unique and long.

If you reuse passwords across services, change those too, because credential theft often leads to broader account compromise.

Turn on two-factor authentication

Enable two-factor authentication in your Facebook security settings.

A code from an authenticator app or SMS adds a second barrier even if your password is stolen.

Check login activity

Review active sessions and devices in your account security settings.

Log out of any device or location you do not recognize, and revoke suspicious access immediately.

Review connected apps and permissions

Phishing can be paired with malicious app authorization.

Remove unfamiliar apps, browser extensions, or connected services that request Facebook access without a clear reason.

How to tell if a Facebook message is a phishing attempt

Phishing messages are usually written to create urgency or fear.

They may claim your account will be disabled, your page was reported, or your payment method failed unless you act now.

  • Unexpected links to log in again
  • Grammar or spelling issues in “official” messages
  • Requests for passwords, codes, or payment details
  • Sender names that resemble Meta support but are not official
  • Offers that are too good to be true, such as fake giveaways or free ad credits

Any request for a Facebook password, login code, or recovery code should be treated as suspicious.

Meta does not need you to send those details in a message.

Where Facebook users commonly encounter phishing

Phishing is not limited to Messenger.

Attackers use multiple surfaces because people lower their guard in different places.

  • Direct messages from fake friends or hacked accounts
  • Comments on posts, especially on popular pages
  • Marketplace listings with urgent payment requests
  • Sponsored ads leading to counterfeit login pages
  • Pages claiming to be Facebook, Instagram, or Meta support

Marketplace scams deserve special attention because they often combine payment fraud with social engineering.

If a seller pressures you to pay outside the platform, that is a strong warning sign.

How businesses and creators should respond

Pages, ad accounts, and creator profiles are frequent targets because scammers know that impersonation can damage trust quickly.

If your brand is being copied, report the fake page and alert your audience through official channels.

Use a consistent brand name, verified contact methods, and strong security controls for page admins.

Assign access only to trusted team members, and review admin roles regularly to reduce the impact of compromise.

Why reporting phishing helps the wider Facebook community

When you report phishing on Facebook, you are not only protecting your own account.

You are also helping Meta identify repeated scam patterns, abusive domains, and coordinated fake profiles that may be targeting thousands of users.

Reports can improve automated detection and make it harder for attackers to recycle the same social engineering tactics.

Faster reporting can also reduce the lifespan of a scam before more people click, reply, or share credentials.

Practical habits that lower phishing risk

Good reporting habits work best when paired with everyday security practices.

Small changes make phishing attempts easier to spot and harder to exploit.

  • Use a password manager to avoid typing credentials into fake sites.
  • Keep the Facebook app and browser updated.
  • Hover over links on desktop before clicking.
  • Verify urgent account alerts by opening Facebook directly, not through a message link.
  • Limit who can message you or tag you when possible.

If you stay cautious with links, double-check sender identities, and report suspicious content promptly, you significantly reduce the impact of phishing on Facebook.

When to contact additional support

If a phishing incident leads to account loss, unauthorized ads, stolen payment information, or identity exposure, escalate beyond the in-platform report.

Contact your email provider, bank, credit card issuer, and, if needed, local authorities or an identity theft resource.

For business accounts, alert internal IT or security teams right away so they can review admin access, ad spend, connected apps, and any other potentially exposed systems.