Awareness

“Mutual Friends” Scam: How Attackers Use Your Network Against You

Eng. Donya Bino · Published · 4 min read
Updated on April 14, 2026


The “mutual friends” scam is one of the most effective social engineering scams in circulation today. Rather than sending random messages, the scammer uses your real social connections to establish trust and therefore increase their odds of success.

The attacker uses Facebook, Instagram, LinkedIn, WhatsApp or Telegram to impersonate someone you already have a connection with.

How the “Mutual Friends” Scam Works

1. The attacker conducts reconnaissance by scraping your publicly visible profile (and, where exposed, your friend list) across social media platforms, typically with automated tools or from already-compromised accounts.

2. The attacker takes a real name, profile picture and other stolen images (as close a match to the real person as possible) and builds an imitation account that looks like one of your actual friends, mutual connections or distant relatives.

3. From that fake account, the attacker reaches out to you with a natural-sounding opener such as:
a) "Hey, it's been forever since we last talked; how are you doing?"
b) "There are so many of our mutual friends! 😊" 
c) "Remember me from [location]?"

4. Once you accept or reply, the attacker builds rapport by mentioning shared memories or mutual friends, most of which were lifted from public posts during reconnaissance.

5. The scam succeeds if you hand over personal or financial information in the chat or by email, or fall for one of the follow-on schemes: sending money because they claim to be stuck abroad after losing their wallet, clicking a link to malicious content, sharing a login or verification code, or downloading malware disguised as a document.

Why the scam is dangerous

1. High levels of trust: people are far more compliant when they see shared connections or mutual friends.
2. Emotional manipulation: the attacker exploits past memories and events as well as social proof.
3. Low suspicion: victims rarely verify the origin of a message that feels personal and well-intentioned.
4. Scalable by nature: a single compromised or fabricated account can be used to target thousands of people.

Attackers now combine all of the above with AI-generated profile images, voice cloning and deepfake video to make the impersonation far more convincing.

Real-world examples

1) A Facebook account showing 47 mutual friends, claiming to know you from high school, messages you asking for help with a family emergency.

2) A “business plan” sent via LinkedIn appears to come from a second-degree connection because you share a network of contacts.

3) Someone calls you on WhatsApp, establishes rapport through a group of mutual contacts, then sends a link to view “their latest video”.

How to Spot and Protect Yourself

Red Flags:
1. The person contacts you on only one platform, even though the real person would normally reach you elsewhere.
2. They avoid any form of voice or video call.
3. They move too quickly into personal matters or requests for money or other favours.
4. Their profile has very few posts or was created recently.
5. They know a few things about you, but not enough to get the details right.
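The red flags above can be turned into a simple triage score for an inbound request. The following is an added example written for this article, not code from the original page; the field names, thresholds and keyword patterns are assumptions chosen for illustration, and the two contacts are constructed sample data, not real accounts.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date
import re


@dataclass
class InboundContact:
    """Profile metadata and first messages from a new contact.
    Field names are assumptions for this example, not a platform API."""
    display_name: str
    created_on: date                  # when the account was created
    post_count: int                   # visible posts on the profile
    mutual_friends: int               # mutual friends shown by the platform
    mutual_friends_vouched: int       # mutuals who confirmed out-of-band that they know this person
    reached_on_platforms: int         # number of channels this person has used to contact you
    refused_voice_or_video: bool      # declined a call when offered
    messages: list[str] = field(default_factory=list)


# Keyword patterns for the follow-on schemes described in the article (assumed, not exhaustive).
MONEY_RE = re.compile(r"\b(wire|transfer|send (me )?money|gift ?card|bitcoin|urgent|emergency|stuck in)\b", re.I)
CODE_RE = re.compile(r"\b(verification|login|2fa|one[- ]time|otp|security) code\b", re.I)
LINK_RE = re.compile(r"https?://\S+|\bbit\.ly/\S+", re.I)


def red_flags(c: InboundContact, today: date) -> list[str]:
    """Return the list of red flags raised by this contact's profile and messages."""
    flags: list[str] = []
    age_days = (today - c.created_on).days
    if age_days < 90:                                  # assumed threshold: "created fairly recently"
        flags.append(f"account created {age_days} days ago")
    if c.post_count < 5:                               # assumed threshold: "very low number of posts"
        flags.append(f"only {c.post_count} posts")
    if c.reached_on_platforms == 1:
        flags.append("contact on only one platform")
    if c.refused_voice_or_video:
        flags.append("avoids voice/video")
    # A mutual-friend count is not verification: it only means others accepted the same request.
    if c.mutual_friends > 0 and c.mutual_friends_vouched == 0:
        flags.append(f"{c.mutual_friends} mutual friends but none vouched out-of-band")
    text = " ".join(c.messages)
    if MONEY_RE.search(text):
        flags.append("asks for money / urgency")
    if CODE_RE.search(text):
        flags.append("asks for a login or verification code")
    if LINK_RE.search(text):
        flags.append("sends a link")
    return flags


def verdict(flags: list[str]) -> str:
    """Any request for money or codes is decisive; otherwise two or more flags mean verify first."""
    if any(f.startswith("asks for") for f in flags):
        return "do not respond; verify out-of-band"
    if len(flags) >= 2:
        return "verify out-of-band before replying"
    return "low risk; still confirm identity"


# Constructed sample data for the two cases (not real accounts).
TODAY = date(2026, 4, 14)
SCAM = InboundContact(
    display_name="Sarah Connor",
    created_on=date(2026, 3, 20), post_count=2, mutual_friends=47,
    mutual_friends_vouched=0, reached_on_platforms=1, refused_voice_or_video=True,
    messages=[
        "Hey, it's been forever since we last talked! We have so many mutual friends :)",
        "I'm stuck in Lisbon, lost my wallet, can you send money via gift card today? Urgent.",
    ],
)
LEGIT = InboundContact(
    display_name="Sarah Connor",
    created_on=date(2015, 6, 1), post_count=300, mutual_friends=12,
    mutual_friends_vouched=1, reached_on_platforms=2, refused_voice_or_video=False,
    messages=["Long time! Are you going to the reunion in June?"],
)

if __name__ == "__main__":
    for contact in (SCAM, LEGIT):
        flags = red_flags(contact, TODAY)
        print(contact.display_name, "->", verdict(flags), flags)
```

The point of the `mutual_friends_vouched` field is that the platform's mutual-friend count is never trusted on its own; only a confirmation obtained through a channel you already know counts, which is the same principle as the verification step in the defence list.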

Practical Defense Steps

1. Always verify that the person is who they claim to be by contacting the real person through a channel you already know (a phone number you already have, a company email address, or an account you have previously verified), not through the account that messaged you.
2. Before responding, ask one of the listed mutual friends whether they actually know the person behind the account; a mutual-friend count only means those people accepted the same request.
3. Limit your profile visibility by setting your friend list and posts to Friends only on Facebook and Instagram.
4. Enable two-factor authentication everywhere you can, preferably app-based rather than SMS, and never share a verification code with anyone who asks for it.
5. Be cautious about accepting friend requests; accept them only from people you know.
6. Report suspicious accounts to the platform on which they were created as soon as possible.

For businesses, employees must understand that a shared connection is not a reason to share sensitive information, grant access, or click a link; the mutual friend may itself be a compromised or fabricated account.

Key Takeaways

1. Attackers exploit real social circles to manufacture trust, so a list of “mutual friends” no longer tells you anything reliable about who the sender is.
2. Attackers combine emotional manipulation with social validation to achieve their goals.
3. Verification is the most effective defence: do not accept a message as authentic just because it claims common connections.
4. Strong privacy settings and careful behaviour greatly reduce overall risk.

Professional Services

Explore Our Cybersecurity Services

Our insights are backed by hands-on service delivery. If your business needs professional cybersecurity support, our UK-based specialists are ready to help.

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067