The Facebook Friend Suggestions security scare


Updated: Warnings are being posted all across Facebook suggesting that users who have received multiple friend suggestions are really infected with a computer virus.

A typical version of the warning reads as follows:


VIRUS WARNING: ANYONE WHO HAS GOTTEN A TON OF FRIEND SUGGESTIONS BE CAREFUL! IT IS A VIRUS! IF YOU ACCEPT THEM THEN YOUR ACCOUNT WILL SEND OUT ABOUT 85 TO SOMEONE ELSE!!! WARN YOUR FRIENDS NOW! This is a new virus that is sending requests to spread. DO NOT ACCEPT FRIEND SUGGESTIONS AT THE MOMENT!

The reality, however, is somewhat different. Most importantly, the behaviour and sightings of more than the usual number of Friend Suggestions are not a sign of a computer virus infection.

Instead, it appears that Friend Suggestions on Facebook now go to both parties, rather than just to the one you specifically suggest should take up a new online connection.

So, imagine you are Tom, and you think that your friend Dick should become Facebook friends with Harry. You visit Dick’s Facebook profile, scroll down to where it says “Suggest friends for Dick” and choose Harry’s name.

Your suggestion that Dick should become friends with Harry doesn’t just go to Dick, but it will also now go to Harry as well. Presumably Facebook has made this change in order to encourage more users to interconnect.

But there’s more.

As Facebook reveals on its help pages about Friend Suggestions, Facebook can also suggest possible friends for you to connect with.

It does this by automatically examining “the networks that you are a part of, mutual friends, work and education information, contacts imported using the Friend Finder, and many other factors.”

Aside from the mysteriously ambiguous “many other factors”, the thing I find concerning there is the reference to Friend Finder.

What Facebook means is that they can suggest friends based upon email addresses that you may have imported into Facebook from your email account address book, perhaps when you first set up your account.


What many people may not realise is that even if you didn’t add everyone you imported from your address book as a Facebook friend, Facebook can still use those contacts imported from Outlook, Gmail, Hotmail, Yahoo, etc, in order to make future recommendations.

Therefore, Facebook may also see your email address in other people’s contact lists, and determine relationships based upon that.

If this bothers you (and I can perfectly understand why it would), then Facebook says you can tell it to remove the contacts from its suggestions system. Of course, it might have been better if you hadn’t offered up your address book to Facebook in the first place.

Facebook also says that you can change your privacy settings to prevent your profile from being visible to everyone as a potential friend suggestion.


More information about Facebook’s Friend Suggestions system can be read online here.

Update: Some Clu-blog readers have been in touch with me, saying that although they agree that claims of a virus being spread via the friend suggestions are unlikely, they don’t believe I have completely explained what is occurring.

Eero sums it up well in an email he sent me:

As you know, there are two distinct types of friend suggestions you can receive, one is where you get a personal message that your friend Bob suggests Carl as your friend, and the other is where you just see people Facebook thinks you might know based on common friends.

People are not getting these mixed up. I first saw this problem in action by getting a private message from Facebook that my friend “Bob” has accepted my other friend “Carl” as his friend based on a friend suggestion made *by me*, when I’ve never made any friend suggestions in Facebook. Then I also noticed I also had received strange friend suggestions saying “This friend was suggested by ‘Alice’”, and ‘Alice’ promptly confirmed that she’d not suggested me to anyone or anyone to me.

Sure enough, some postings on Facebook confirm this (thanks to Clu-blog reader Pat for pointing me towards these):

[Image: Facebook friend suggestion mystery]

In other words, even if these contacts are being scooped automatically by Facebook from data it grabbed in the past from users’ address books (via Friend Finder) it seems very strange that Facebook is claiming that a particular user has instigated the introduction, rather than Facebook coming up with the suggestion itself.

As such, it’s still a mystery as to how this has occurred. Could it be that Facebook got its knickers in a twist with its database, a rogue application, or that a bug was present that caused these messages to be sent?

It’s hard to know for sure, as Facebook seems to be keeping schtum.

No doubt most of the souls forwarding and reposting this latest Facebook security scare to their profiles are oblivious to all these fine details, however, and are still believing that a virus is behind the suggestion messages that they are viewing.

Of course, it should still go without saying, that whether you receive a friend request or a friend suggestion, you should exercise caution about who you befriend on a social network – as it could be a cybercriminal rather than a long lost chum who is trying to access your profile.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.
