Ofcom Puts UK's Biggest Social Platforms on Notice Over Scam Ads
Draft rules under the Online Safety Act would force Facebook, TikTok, YouTube and eight other platforms to proactively remove fraudulent advertising or face fines reaching 10% of global annual revenue.

The UK's communications regulator, Ofcom, published draft rules this week requiring the country's largest social media and video platforms to actively hunt down and remove scam advertisements rather than wait for users to report them first.
What Ofcom Is Actually Proposing
The draft measures sit under the Online Safety Act, a piece of legislation Parliament passed in 2023 that places statutory duties of care on internet companies operating in the UK. For the first time, Ofcom has named the services that fall into its highest-risk tier, called Category 1, and spelled out exactly what those firms must now do about fraudulent paid-for content.
The list is long and familiar. Facebook, Instagram, Pinterest, Quora, Reddit, Roblox, Snapchat, TikTok, WhatsApp, X and YouTube all sit in that top tier. Apple's iMessage, Meta's Messenger, Meta's Threads and Wikipedia are currently under review as possible future additions.
Oliver Griffiths, Ofcom's director of online safety, said publicly that platforms "can start making improvements for their users now" without waiting for the consultation to close. That is a pointed statement. Regulators do not usually issue reminders to act before rules are final unless they believe platforms have been moving too slowly.
The Numbers Behind the Problem
Ofcom's own figures, published alongside the proposals, are striking. More than half of UK adults have encountered potentially fraudulent adverts online. Over a third say they see such content frequently. This is not an edge-case problem affecting a handful of unlucky users. It is systemic.
A scam advert, for anyone who needs the definition, is a paid placement specifically designed to trick the viewer into surrendering money or personal data. Common formats include fake investment schemes dressed up as celebrity endorsements, copycat websites mimicking legitimate banks, and urgent messages fabricating prize claims. The criminals behind them are not using technical exploits. They are using psychology.
What Platforms Would Be Required to Do
Under the draft measures, Category 1 platforms would face four core obligations:
- Permanently ban users who post scam advertising content.
- Block those same users from creating replacement accounts on the same platform.
- Act quickly on reports of fraudulent ads, taking content down promptly rather than letting it age in a moderation queue.
- Build proactive detection systems rather than relying entirely on reactive complaint workflows.
The financial stakes are significant. Non-compliant companies face fines of £18 million or 10% of global annual turnover, whichever figure is larger. For a company like Meta or Alphabet, 10% of global revenue runs into the tens of billions of dollars. The penalty is structured precisely to be painful at scale.
The proposals remain in draft form and must pass through a formal public consultation before they carry legal force.
The Control That Has Been Missing
Scam advertising is, at its core, a social-engineering problem. Attackers do not need to breach a network or exploit a software vulnerability. They buy ad inventory, craft a convincing message, and wait for human psychology to do the rest. Urgency, authority and the promise of financial reward are reliable manipulation tools, and they work just as well in a paid Facebook post as in a phishing email.
The control gap here is not primarily technical. These platforms have sophisticated advertising review systems, but those systems have historically been optimised for compliance with content policies rather than for detecting fraud against end users. Proactive threat detection, the kind Ofcom is now mandating, requires a different posture. It means treating fraudulent advertiser accounts as threat actors, sharing signals across sessions and devices, and building detection models that flag behavioural patterns rather than waiting for a human to click "report."
For organisations whose employees use these platforms, this regulatory shift is a reminder that the social-engineering attack surface extends well beyond the corporate email inbox. An employee who clicks a scam ad on Instagram at lunchtime and hands over credentials to a fake bank site can create a credential-reuse problem that reaches inside a corporate environment by evening. Security-awareness training that covers social media fraud, not just phishing email, closes a gap that most corporate programmes leave wide open.
What This Means for Defenders and Users
Regulation is a floor, not a ceiling. Even after Ofcom's rules take effect, fraudulent ads will not disappear. Attackers adapt. They will probe for gaps in whatever detection system platforms build, just as they probe spam filters and endpoint controls.
The practical posture for both individuals and security teams should be:
- Treat any online advertisement that promises unusually high investment returns with automatic scepticism, regardless of how polished it looks.
- Verify any financial or identity claim made in an ad by navigating directly to the organisation's known URL, not by clicking the ad itself.
- Report suspicious ads using the platform's built-in tools. Under the new rules, that reporting data feeds directly into a compliance obligation platforms cannot ignore.
- Remind employees in regular security communications that social-media scam ads are a recognised threat vector, not just a personal inconvenience.
Organisations serious about aligning their awareness programmes with a structured framework can review how scam-ad resilience maps to broader controls at train2secure.com/standards.
The Ofcom consultation is open now. For security professionals who advise UK-based organisations, this is a reasonable moment to revisit whether your current awareness programme addresses social-engineering attacks that originate outside the email channel. The threat surface has widened. The training scope should match it. See how Train2Secure's pricing tiers scale with your organisation's headcount if you are ready to expand coverage.
How Scam-Ad Awareness Could Have Protected Your Organisation
- Train employees to recognise social-engineering tactics in paid social media content, not just in phishing emails, since the psychological triggers are identical.
- Run simulated scam-ad scenarios as part of ongoing awareness exercises to build scepticism reflexes before a real attack lands.
- Review your security-awareness curriculum against recognised frameworks to confirm social-media fraud is covered as a distinct threat vector.
Train2Secure offers awareness modules covering social-engineering attacks across every channel, including social media, so your team is prepared wherever the next scam appears.
Start free, no card requiredSources & further reading
Frequently asked questions
Which platforms are named in Ofcom's Category 1 list?
Ofcom has identified eleven services: Facebook, Instagram, Pinterest, Quora, Reddit, Roblox, Snapchat, TikTok, WhatsApp, X and YouTube. Apple's iMessage, Meta's Messenger, Threads and Wikipedia are under consideration for future inclusion.
How large could the fines be for platforms that do not comply?
Non-compliant platforms face a penalty of £18 million or 10% of global annual turnover, whichever amount is greater. For the largest platforms, the 10% figure is the binding one and runs into the tens of billions of dollars.
What should employees and individuals actually do about scam ads right now?
Do not click ads that promise high investment returns or demand urgent personal details. Navigate directly to the organisation's known web address instead. Use the platform's built-in report button for any suspicious ad, since that data now feeds into a regulatory compliance obligation.
Are these rules already law?
Not yet. The measures are in draft form and must complete a formal public consultation before they carry legal force. Ofcom has, however, signalled publicly that platforms should begin making improvements without waiting for final rules.
More on regulation

Senator Markey's AI Accountability Bills Take Aim at Hiring Algorithms, Data Centre Waste, and Worker Surveillance

Cyberbullying Claimed a Real Life: What the Death of Darrell Sheets Tells Us About Online Harm

