Friend Spam Dark Pattern — What It Is & Examples

DodaTech Updated Jun 20, 2026 4 min read

Friend spam is a dark pattern where a service gains access to a user’s contact list, social graph, or address book and then sends unsolicited messages to everyone in that network — often without the user’s knowledge or explicit consent. The messages appear to come from the user (“Join me on this app!”) but were never authorized by them. This pattern exploits the trust between friends and family to grow the service’s user base through deceptive viral marketing.

How It Works

The pattern relies on vague or misleading consent flows. During sign-up or onboarding, the service presents a “Find Friends” screen with a button like “Access Contacts” or “Connect with Facebook.” The primary action is brightly colored and inviting, while the “Skip” option is small, gray, or hidden behind a “Not now” link. Once the user grants access, the service either imports contacts and sends invites without further confirmation, or pre-checks a “Send invites to all” checkbox that the user must manually uncheck. Some services send messages that appear to be personal (“Check out what I just made!”) when in reality the user has never seen the message content.

Real-World Examples

A new social network prompts: “Invite all your friends to join you on SocialApp!” Below the prompt is a checkbox labeled “Send invites” that is checked by default. The “Continue” button is bright blue and prominent. The “Skip this step” link is 10-point gray text at the bottom. Most users click “Continue” without unchecking the box, and the app sends invitation messages to everyone in their contact list — including people they do not wish to contact.

A food delivery app asks for permission to post to the user’s Facebook wall: “Share your first order!” The default is set to “Post to Facebook.” After the first order is placed, a post appears on the user’s wall: “I just ordered from FoodFast! Get $10 off your first order using my link!” The user never saw a confirmation screen with the post content — the app posted automatically using the permission granted during a quick onboarding flow.

A messaging app imports the user’s entire phone contact list and sends SMS messages: “Your friend [Name] is on ChatApp! Install now to chat with them.” The app sent these messages without showing the user who it was contacting or asking for confirmation per message. The user’s contacts perceive them as having personally recommended the app, damaging the user’s reputation when they had no part in the decision.

Why It’s a Dark Pattern

Friend spam violates two core ethical principles: consent and privacy. The user’s contacts did not consent to receive marketing messages from the service, and the user did not consent to having their name and relationship used as a marketing channel. The pattern also damages the user’s personal relationships — contacts may feel spammed by someone they know, leading to irritation, embarrassment, or even broken trust. Regulators have taken action: the US CAN-SPAM Act and similar laws in other countries apply to these messages, and Facebook was fined billions by the FTC in part for practices related to unauthorized friend data usage.

How to Spot It

Watch for “Find Friends” or “Invite Contacts” screens during onboarding that make the “Skip” option hard to find. Check whether checkboxes for sending invites are pre-checked. Look for wording that asks you to “share with friends” rather than explicitly asking permission to send messages. If a service asks for access to your contacts, pause and ask: does this app actually need my contacts to function?
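The pre-checked checkbox test above can be automated when reviewing an onboarding page. The following is an added example, not code from the original article: it parses markup and reports checkboxes that are checked by default and whose name or label mentions inviting, sharing, or posting. The keyword list and the sample form are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

INVITE_WORDS = ("invite", "share", "post to")  # assumed keyword list

class PrecheckedAudit(HTMLParser):
    """Record checkboxes that are checked by default and the text of their labels."""
    def __init__(self):
        super().__init__()
        self.checked = {}  # key (id or name) -> name attribute of a pre-checked box
        self.labels = {}   # key -> visible label text
        self._for = None   # key the currently open <label> refers to
        self._buf = None   # text collected while inside a <label>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "label":
            self._for, self._buf = a.get("for"), []
        elif tag == "input" and (a.get("type") or "").lower() == "checkbox":
            key = a.get("id") or a.get("name") or f"box{len(self.checked)}"
            if self._buf is not None and self._for is None:
                self._for = key  # checkbox nested inside its own label
            if "checked" in a:   # bare attribute parses as ("checked", None)
                self.checked[key] = a.get("name") or ""

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "label" and self._buf is not None:
            if self._for:
                self.labels[self._for] = " ".join("".join(self._buf).split())
            self._for, self._buf = None, None

def find_prechecked_invites(html):
    """Return (key, label) for each default-checked box whose name or label mentions invites."""
    p = PrecheckedAudit()
    p.feed(html)
    p.close()
    return [(k, p.labels.get(k, "")) for k, name in p.checked.items()
            if any(w in f"{name} {p.labels.get(k, '')}".lower() for w in INVITE_WORDS)]

# Constructed sample markup modelled on the examples in this article.
SAMPLE = """<form method="post">
  <input type="checkbox" id="send_invites" name="send_invites" checked>
  <label for="send_invites">Send invites</label>
  <label><input type="checkbox" name="fb_share" checked> Post to Facebook</label>
  <label><input type="checkbox" name="remember" checked> Remember this device</label>
</form>"""
```

Calling `find_prechecked_invites(SAMPLE)` flags the “Send invites” and “Post to Facebook” boxes and ignores the pre-checked “Remember this device” box, which has nothing to do with messaging contacts.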

How to Protect Yourself

Never grant contact list access during onboarding. Use the “Skip” or “Not Now” option — you can decide later whether to invite specific people. On iOS, you can grant or deny contact access at the system level through Settings > Privacy > Contacts. On Android, use the app permission manager. If you have already granted access, revoke it in system settings. Check your connected apps on Facebook and Twitter regularly and remove any that have posting permissions. If a service sends spam on your behalf, report it to the platform and to your data protection authority.

FAQ

Is friend spam illegal?
It can violate anti-spam laws (CAN-SPAM in the US, Privacy and Electronic Communications Regulations in the UK/EU). It also may violate platform terms of service. The FTC has taken enforcement action against companies that send unauthorized friend invitations.

How do services get away with this?
The messages are often framed as “invitations” rather than commercial messages, exploiting legal loopholes. Terms of service typically bury the permission in dense legalese. Many users don’t realize the messages were sent at all until a friend mentions it.

Can I stop messages already sent on my behalf?
You can post a public clarification if the messages went to social media. For SMS or email invites sent without your knowledge, contact the service’s support and request that they stop. Unfortunately, the damage is usually done by the time you discover it.
