The consumer champion says it discovered 50 scam profiles, pages and groups across Facebook, Twitter and Instagram with clear evidence of blatant criminal activity.

This included advertising stolen identities, credit card details, compromised Netflix and Uber Eats accounts and even fake passports made to order. All were found easily by searching simple, barely disguised slang terms for fraud.

The investigation was carried out before the outbreak took hold in the UK - highlighting how lax measures to prevent the trade of personal and financial information on these platforms could be exploited by criminals looking to take advantage of the crisis.

For instance, the investigation uncovered an alarming post on one illicit Facebook group, detailing the full identity of a man in Yorkshire. His full name, date of birth, address and mobile number were all listed alongside complete financial information including his credit card number, CVV number and expiry date, sort code and the name of his bank.

The post had already been up for four months when it was spotted by Which?, and the details were even being given away for free, potentially as a tactic designed to prove the seller’s credentials for future deals.

Meanwhile, one fraudster on Twitter offered full credit card details of someone with a ‘£13k+ balance’ for £100, or three sets of card details for £200. Another offered a phoney passport for £3,000, which could have potentially been used as proof of ID to open bank accounts and credit cards.

Twitter’s algorithm also made it all too easy to find criminal ID sellers, says Which? After searching for and viewing such accounts, the site suggested following ones offering similar services through its “who to follow” section.

In addition, Which? found Instagram users sharing price lists detailing how much it would cost to acquire full identities, as well as ‘fraud bibles’. These comprehensive how-to guides for novice hackers and scammers explain how to create fake identities and use stolen card details.

All 50 of the groups, pages and profiles were reported to their respective social media platforms via their in-site reporting tools. While Facebook removed a few isolated posts that Which? reported, when a researcher checked six days later, it had allowed every page and group to remain. Instagram and Twitter had not removed any content at all.

Jenny Ross, Which? Money Editor, says: “It’s astonishing that social media sites make it so easy for criminals to trade people’s personal and financial information, particularly as fraud is such a prevalent crime that can have devastating consequences.

“Social media firms must take much stronger action to prevent their sites becoming a safe haven for scammers, and should work with the financial industry and police to address serious flaws with their platforms.”

Katy Worobec, managing director of economic crime at UK Finance, says: “Criminal gangs are continuing to exploit social media platforms to commit fraud, whether it’s selling stolen identity and card data, recruiting ‘money mules’ or targeting the public with coronavirus scams. Every part of society including social media companies must play their part in protecting innocent victims and preventing money getting into the hands of criminals.”

In a statement, Facebook says: “Fraudulent activity is not tolerated on our platforms, and we have removed the groups and profiles flagged to us by Which? Money for violating our policies. We continue to invest in people and technology to identify and remove fraudulent content, and we urge people to report any suspicious content to us so we can take action.”

Responding to the results of the investigation, Twitter states: “It is against our rules to use scam tactics on Twitter to obtain money or private financial information. Where we identify violations of our rules, we take robust enforcement action. We’re constantly adapting to bad actors’ evolving methods, and will continue to iterate and improve upon our policies as the industry evolves.”