Facebook hoaxes back in the spotlight – what to tell your friends

At the risk of giving you a feeling of déjà vu all over again…

…it’s time to talk about Facebook hoaxes once more.

Looking at the Naked Security articles that people have not only searched for but also read in large numbers over the past few days tells us that we’re in what you might call a “market uptick” for hoaxes at the moment.

The top two resurgent hoaxes in the past week have been the Instant bank fraud “warning” and the How to post to more than 25 friends “advice”.

Loosely speaking, most Facebook hoaxes – by which we really mean “posts that get shared virally despite being useless and inaccurate, yet that aren’t actually scams or phishing tricks” – take one of three forms:

  1. Warnings to watch out for something supposedly dangerous that isn’t going to happen, and wouldn’t be particularly dangerous even it it did.
  2. Instructions to copy a specific paragraph of bogus information exactly and repost it under your own name.
  3. Advice on how to check your cybersecurity settings that achieves nothing except giving you a false sense of security.

Examples in the first category above include the Instant bank fraud warning we mentioned above, and the Dance of the Pope/Martinelli hoax.

The former hoax tells you that criminals are sending malicious text messages related to “payment problems” for customers of a specific bank:

Now, non-payment “warnings” are indeed very commonly used by crooks to try to trick you into clicking through to a fake version of your bank’s web page and then trying to coax you into putting in your password – an attack that’s well known under the name phishing.

But this one is different – the hoax claims that in this case, just reading the message is enough to drain your account (which isn’t true), and so the smart thing to do is to spread the warning by forwarding the hoax to all your friends.

The Martinelli hoax follows a similar theme – there’s a video coming out tomorrow called Martinelli (or Dance of the Pope), and if you watch it your phone will be infested with malware afterwards.

It’s almost always one of those two names – they seem to be very sticky details in this hoax – and those videos have been “coming out tomorrow” for many years now.

You need to warn people not watch the video, and that means… you guessed it, forwarding the hoax to all your friends.


The How to post to more than 25 friends hoax is of the second type.

This one has also been around for years, and it claims that Facebook sneakily keeps the circle of users who see your posts to the same 25 people.

Lots of people are desperate for more online friends and followers, and it no doubt sounds appealing to trick Facebook’s algorithms into posting your content more widely simply by posting some special text of your own.

As you will have guessed again, the special text that causes Facebook to induct you into the “more than 25 friends” club…

…is the text of the hoax you just received, complete with the instructions to the recipient to repost it, and so on:

Fake security advice

The third type of hoax on the list is probably the worst, because fake security advice may lead well-intentioned users to think they’re safe when they aren’t.

One example, which we discuss in the video below, made back in 2019, is the “BFF” hoax that tells you to type that very text into a post as a way of checking that Facebook’s additional security precautions are activated for your account.

The hoax tells you that if the text BFF, short for best friend forever, turns green when you type it into a post, you’re in good shape.

In fact, that the word doesn’t go green (though it used to), and even if it did, it would tell you nothing about your security settings.

Numerous words entered into Facebook posts do automatically change colour, but that’s a fun feature called Text Delights (the selected words trigger animations such as balloons and thumbs-ups when viewed) and has nothing to do with cybersecurity.

This hoax started because BFF apparently used show up in green, though it now seems to have been removed from the list of Text Delights:

Numerous words and phrases in a Facebook post are
recognised and highlighted automatically.

Yes, you’re also supposed to let everyone else know about this “useful” security trick by forwarding the text as far as you can, thus helping to perpetuate the hoax.

What’s the harm?

These messages are all bogus, but they’re not actually scams and they aren’t phishing for personal information.

So, is forwarding them really that bad, or is it merely a minor waste of time and bandwidth that will do little or no harm overall?

We think that getting sucked into hoaxes is more than a waste of time, not least because a lot of hoaxes could end up leaving vulnerable users needlessly worried or – even worse – convinced that they are safe when they are not.

Watch the video below for our advice, which includes these observations:

Even if it’s a harmless sounding thing, the characteristic of [a hoax of this sort] is that it’s conditioning or training you to accept information without any critical evaluation. And that’s a bad place to be […] because it means that you could easily end up being a mouthpiece for opinions or views that later turn out to be quite objectionable, and you’ll jolly well wish that you hadn’t put out those views under your own name.

It’s just creating an expectation for [those] people […] who are more easily influenced by the words of others. […] Part of the harm is that [if you join in], you’re contributing to making it look as though something is true without any sort of due diligence at all. And that’s probably not a society that you really want to live in.

[Spreading hoaxes] isn’t without cost. The more we get in the habit of relaying, replaying and endorsing information that’s false, especially when there’s a security angle, the more we’re softening up people who could actually do with some real advice that really mattered.

What to do?

Be aware before you share, and never let other people put words in your mouth – that is something you may deeply regret later on.

Here’s what you need to know, all in plain English.

(Watch directly on YouTube if the video won’t play here.)