A scam on social media usually does not look like a scam at first. It may look like an offer from a well-known store, an investment opportunity, a message from a friend who "lost their phone", a profile of a lawyer, doctor or public figure, or a TikTok video that leads to a payment page. The victim does not lose money because they are "naive". They lose money because someone set up a chain of persuasion: false identity, urgency, social proof, link, payment and disappearance.

The difficult question is what happens next. Who is liable? The scammer, obviously. But is that enough? Can the bank or payment provider be liable? Can Facebook, Instagram or TikTok be liable because they allowed a fake ad or dangerous profile to circulate? And, in practical terms, what should someone do during the first hours?

Do not wait for the traces to disappear

In social media scams, material changes or is taken down quickly. Before making public comments or speaking again with the account that deceived you, keep URLs, screenshots, the transaction time, payment details and the reference number from the bank or platform.

The short answer is that liability is not judged only by where you saw the scam. It is judged by how the payment was made, whether there was real authorisation of the transaction, whether stolen passwords or card details were used, whether the platform was notified in a sufficiently specific way, and whether the payment provider had reason to block, check or refund amounts. That is why the right response is to act at the same time on three levels: platform, bank and competent authorities.

How scams are set up on social media

On Facebook and Instagram, the common forms are fake store pages, "sponsored" ads with products at unrealistic prices, fake messages allegedly from Meta about an account breach, Marketplace listings, fake giveaways and investment schemes. On TikTok, we often see videos that lead to an external link, accounts copying real people, "lessons" for easy profit, crypto or trading packages and livestreams that create a sense of urgency.

The common element is that the user is moved into another environment before losing the money. It may start from a post, but the payment may be made in a fake e-shop. It may start from Messenger or Instagram DM, but the money may leave through a bank transfer. It may start from TikTok, but the user may enter card details in a form that does not belong to the platform.

This path matters. A purchase inside a platform's protected payment system is one thing, a payment on an external site is another, a transfer through e-banking is another, and a card used without authorisation is another. The legal assessment does not start from the phrase "I saw it on Instagram". It starts from the question: what payment act took place, and who had which obligation at that moment?

The main responsible parties, in simple terms

| Person or body | When they come into the frame | What you practically ask for |
|---|---|---|
| The perpetrator of the scam | Always, if there is deception, false identity, unlawful access or extraction of money | Criminal investigation, identification, civil claims where feasible |
| The bank or payment provider | When payment was made by card, e-banking, transfer, digital wallet or another payment instrument | Immediate blocking, transaction dispute, refund where the act was unauthorised |
| The platform | When it hosted illegal content, a fake ad, a fake profile or a reported scam | Removal, restriction, response to the report, review, preservation of data |
| The seller or "store" | When it appears as a commercial business or e-shop | Consumer complaint, refund, review for unfair practices |
| The victim themselves | Not automatically as the "one at fault", but as a person with an obligation to notify immediately and preserve evidence | Act quickly, do not delete evidence, inform the bank and authorities |

First minutes and first hours: what to do

1. Cut off access

Block the card or e-banking, change passwords and do not give another OTP or money for "unblocking".

2. Keep evidence

Full URL, screenshots, conversations, payment details, transaction time and request numbers.

3. Report properly

The bank, platform and competent authorities need specific details, not only a general description.

If you realise that you lost money or that you gave card details, passwords or an OTP, do not waste time looking only at the scammer's profile. The first move is to the bank or payment provider. Ask for immediate card blocking, temporary freezing of e-banking if needed, recall or investigation of a transfer where technically possible, and official recording of the dispute. Keep the request number, date, time and department name.

The second move is to save evidence. Do not rely on a single screenshot. Keep the URL of the ad or profile, the account name, page ID if displayed, conversations, payment receipt, IBAN or beneficiary details, confirmation email, SMS, push notifications, transaction time and any element showing where the scam began. If the profile disappears, these details may be the only practical basis for a complaint.

The third move is the report to the platform. Use, where available, the specific report for illegal content or fraud. A general "I don't like it" report is weaker than a clear report saying: "the profile is impersonating company X, the link leads to a fake payment page, I lost amount Y at this time". The European Commission explains that the notice and action mechanism of the Digital Services Act exists precisely for reports of illegal content, including scams.

The fourth move is a complaint to the authorities. For computer fraud or cybercrime there is an electronic route through gov.gr to the Cyber Crime Division, while the National Registry of Administrative Procedures also records telephone number 11188 and email ccu@cybercrimeunit.gov.gr. For commercial/consumer practices, such as a fake e-shop or non-delivery of a product, there is also the consumer complaint route at the General Directorate for Market and Consumer Protection.

Is the bank always liable?

Not always. But it also cannot reply mechanically that "you clicked the link, so the matter is over". In the Greek and European framework for payment services, there is specific treatment for unauthorised payment transactions. Law 4537/2018, which transposed PSD2, provides that in an unauthorised payment transaction the payer's payment service provider refunds the amount immediately and, in principle, no later than the end of the next business day after it was notified of or detected the transaction, unless there are reasonable suspicions of fraud that are duly communicated.

The critical word is "unauthorised". If someone stole your card details and made transactions without your real consent, the case is different from you sending money to an IBAN because you were persuaded that you were buying a product. In practice there are grey areas: phishing, fake e-banking page, OTP interception, telephone guidance by an alleged employee, remote access to the device. There, the actual facts need careful assessment.

Since 1 September 2023, the amendment of article 74 of Law 4537/2018 by Law 5019/2023 also applies for phishing cases. The provision keeps the rule limiting the payer's liability to 50 euros for specific unauthorised transactions, provides unlimited liability in cases of fraud, and adds a special framework for a consumer who acted with gross negligence, with a cap of 1,000 euros under conditions. The same provision also provides an exception from that cap if the provider proves that it has and applies additional, effective and more advanced control mechanisms for transactions that can cause damage above 1,000 euros.

In simple terms: the bank is not released from liability only because the customer was deceived. Nor, however, is the customer automatically entitled to a refund in every social media scam. What matters is whether the transaction was unauthorised, how the security credentials were used, whether there was fraud or gross negligence, what control systems the provider had, and how quickly it was notified.

Is the platform liable because it hosted the scam?

Here, calm is needed. Facebook, Instagram and TikTok do not automatically become the "insurer" of every loss that started from content on their platform. But in the European Union they are not mere bystanders either. The Digital Services Act sets obligations for online platforms, especially for very large platforms. The European Commission lists Facebook, Instagram and TikTok among the designated Very Large Online Platforms, with the list updated on 22 May 2026.

These obligations include, in general terms, mechanisms for reporting illegal content, advertising transparency, an internal complaint-handling system, cooperation with competent authorities and special risk assessment/mitigation obligations for very large platforms. In its own information material about scams, the European Commission stresses that platforms must inform the user about the outcome of the report and examine reports in a timely and diligent manner. It also states that if a sufficiently specific report about an obvious scam is provided, platforms must act quickly; otherwise, issues of liability and sanctions may arise.

In practice, this means that the quality of the report matters. If you simply press "report" without details, you may not build a strong file. But if you send specific details, links, screenshots, a description of the scam and payment details, and show that the same content continues to mislead users, then a clearer trace is created. This does not guarantee compensation from the platform, but it strengthens your position if you later need to prove that the platform was notified and did not act sufficiently.

Examples that show the difference

| Example | Possible legal reading | Immediate practical step |
|---|---|---|
| You see an Instagram ad for shoes at 80% off, pay by card on an external site and receive nothing | Possible consumer fraud/unfair practice. If the transaction was made by you, a refund from the bank is not always self-evident, but a dispute/chargeback may be requested where applicable | Card dispute, report the ad, consumer complaint, preserve the site and receipt |
| You receive a Facebook message from a friend whose account was ultimately hacked and you send money to an IBAN | The perpetrator is liable. A bank refund is harder if you gave the transfer order, but recall/freezing must be requested immediately where possible | Call the bank immediately, report to the Cyber Crime Division, inform the friend, keep screenshots |
| You click a link allegedly from Meta, provide passwords and then money leaves through e-banking | Possible unauthorised transaction through phishing. PSD2/Law 4537/2018, fraud, gross negligence and the provider's security mechanisms are examined | Immediate e-banking blocking, dispute, complaint, preservation of SMS/OTP/logs |
| A TikTok video promises quick profit from crypto, you enter a platform and transfer money | Possible investment scam. Criminal, consumer or supervisory dimensions may be involved, depending on who appears as the provider | Do not send additional money for "unblocking", inform the bank and authorities, keep wallet addresses/links |
| You reported a fake page/ad as a scam, but it remained active and deceived others too | Possible issue of compliance with platform obligations after knowledge/reporting. It requires evidence and specific legal assessment | Keep report numbers, platform responses, new screenshots and dates |

What evidence is needed

In cases like these, memory is not enough. A chronology is needed. Write in a file, with times and dates, when you saw the ad or message, what the account was, where you clicked, what you filled in, when the payment was made, when you spoke with the bank, what the platform replied and when you filed a complaint. If you change passwords or block a card, note that too.

Useful evidence includes:

  • screenshots of the ad, profile, payment page and conversations,
  • full URLs, not only images,
  • payment receipts, IBAN, beneficiary, card number only with digits masked,
  • SMS, push notifications, confirmation email, OTP without publishing it publicly,
  • request numbers to the bank, platform and authorities,
  • any platform responses stating that the rules were not violated or that the content was removed.

Do not publicly send screenshots showing full bank details, identity documents, passwords or personal data of third parties. The evidence must be preserved for the bank, authorities or lawyer, not posted without control.

Frequently asked questions

If I saw it as an ad, does that mean the platform "approved" it?

Not in the sense that it guaranteed the safety of your transaction. It does mean, however, that the content passed through some display/advertising system. If it is proven that it was an illegal or misleading ad, and especially if it was specifically reported but remained active, an issue may arise regarding the platform's obligations.

The bank told me that I entered the passwords myself. Do I lose every right?

Not necessarily. Entering passwords in a scam environment does not by itself answer everything. It must be examined whether the transaction was unauthorised, whether there was fraud or gross negligence, which strong authentication measures were applied and whether the provider had additional control mechanisms for suspicious transactions.

If I paid by bank transfer, can I get the money back?

It is usually harder than a card transaction, especially if the transfer was executed normally on your own order. Even so, you must inform the bank immediately, because in some cases recall, notification of the beneficiary's bank or account freezing may be requested through the prescribed procedures.

Should I speak first with the platform or with the bank?

First with the bank or payment provider, if there is a risk that more money may leave or that your details may be used again. In parallel, report to the platform and keep evidence. Do not wait for the platform's response before blocking a card or e-banking.

Where do I file an official complaint?

For cybercrime or computer fraud there is a route through gov.gr to the Cyber Crime Division. The National Registry of Administrative Procedures also mentions telephone number 11188 and email ccu@cybercrimeunit.gov.gr. For consumer protection and commercial practice issues, there is the complaint platform/procedure of the General Directorate for Market and Consumer Protection.

Do I need a lawyer?

Not for the first steps. Legal assessment is needed, however, if the bank rejects the dispute, if the loss is significant, if there are many victims, if the platform had been notified and did not act, or if claims/injunctions/criminal representation need to be examined.

Practical conclusion

In a scam on Facebook, Instagram or TikTok, do not look for a single "magic" source of liability. The scammer is the first responsible party, but is often unknown or hidden behind false details. The bank or payment provider may have refund or investigation obligations in the case of an unauthorised payment transaction, especially in phishing. The platform has obligations of reporting, transparency and diligent response, especially after specific notice of illegal content.

The victim's practical strength lies in speed and documentation. Block the payment instrument. File a dispute. Report the content as illegal or a scam, not generally. File a complaint with the competent authorities. Keep a chronology. And, if the loss is significant, seek individual legal advice before accepting a simple negative answer as final.

Legal and source notes

The above text is an informational draft and does not constitute individual legal advice. The final assessment depends on the payment method, the evidence, the provider's terms, the exact sequence of events and the legislation in force at the time of the incident.

Main research sources: