A new scam spread via Facebook Messenger could affect entire businesses, a security expert said.

Tom Moore of Aura Information Security said the malware has "the potential to do huge damage".

The scam works by sending users a message from a Facebook friend encouraging them to click on a YouTube link.

The link is not actually a YouTube video but malware that enables hackers to access the user's account.


A number of New Zealanders have reported receiving these messages and also seeing their account sending those messages, posing as them.

Moore said the malware captures credentials which can be sold on the black market.

The malware is "quite clever", Moore said, and easy to fall victim to.

It can be spread quickly from person to person on Facebook.

"Social media is a spiderweb of contacts," he said.

A number of Herald readers were affected by the scam. "I stupidly clicked on it and watched it send very fast to everyone in my messenger," one said.

"My husband received the scam email on Friday ... it says 'this is you' in header," another said. "Unfortunately he opened it and it went through all his contact list ... picked up other contacts of contacts through group messages I think."

The scam message one of our readers received.

Another said she received the message from four contacts.


Other readers said they clicked on the link by accident as they went to delete it.

Facebook users are being warned not to click on the link and to delete the message immediately.

If you have clicked the link, Moore recommends making sure your anti-virus software is up to date and running a scan on your computer.

He also recommends checking that you have not installed any untrusted web browser plugins/addons, and uninstalling them if you have.