'Send me a BLIK code': Facebook account takeovers
A hacked friend's account asks for a BLIK code or a scan of your ID. We explain how account takeovers happen and why the chain of trust is the weakest link.
You get a Messenger message from a friend: “Hey, got a sec? My BLIK is blocked, can you send me a code? I’ll pay you back tonight.” You’re chatting with the real account of a real person — except a criminal is sitting on the other side. It’s one of the most effective scenarios of 2026, because it exploits trust that technology can’t protect.
Where the hijacked account comes from
Before the request for a code, the criminal has to take over someone’s account. The most common routes:
- Login phishing — a fake Facebook login page reached through a bait link (“see who viewed your profile”, “your account will be deleted”).
- Takeover of the email address tied to the account, followed by a password reset issued through it.
- Leaked passwords reused across services (credential stuffing).
Once taken over, the account becomes a tool for attacking the friends list — because a message from a known person carries enormous credibility.
The two most common variants
The BLIK code. The “friend” asks for a BLIK code under the pretext of a temporary problem. The code you provide is instantly cashed out by the criminal at an ATM or in a shop — and you lose money with no transfer to trace.
The ID scan and loan. A nastier variant: the hijacked account asks for a photo of your ID “for verification”, or pushes you toward a “quick loan just for a moment”. An ID scan is raw material for opening accounts and taking out loans in your name. Niebezpiecznik has reported cases where victims only realised what had happened after a tip-off from another friend.
How to tell it isn’t your friend
- An unusual request for money, a BLIK code or documents — even if the “real” account is writing.
- A change in writing style, odd typos, avoidance of a voice call.
- Pressure and secrecy (“just don’t call, I’m in a meeting”).
The golden rule: verify through another channel. Call your friend or send a text. One question asked out loud defuses the whole attack.
How to secure yourself
Turn on two-factor authentication (2FA) on Facebook and on your email account — ideally via an authenticator app, not SMS. Use unique passwords (a password manager is essential today), check active sessions and devices in your security settings, and add a second recovery email to the account.
And most importantly — never, under any pretext, give a BLIK code or an ID scan in response to a chat request. A BLIK code exists solely so that you can pay. It’s the same lesson as with phishing: the most effective attacks target the human, not the system.
Managing company social media profiles? We help roll out MFA and access-recovery procedures as part of our security services for businesses — and if an account has been taken over, contact us.
Sources and further reading: Niebezpiecznik, CERT Polska, Sekurak.