A new whitepaper from antivirus company Bitdefender examined 850,000 Facebook scams over two years, showing the psychology of those who get taken in and how Facebook's own user experience enables these scams to flourish.

In analyzing 850,000 scams spreading in countries such as the US, the UK, Australia, Germany, Spain, France and Saudi Arabia since October 2012, the researchers found that scammers have infected millions of users with the same tricks over and over again -- just repackaged.

Bitdefender's study found out that there's no such thing as a typical Facebook scam victim -- instead, Facebook scams rely on five kinds of user experience clickbait that are products of, and work in concert with, Facebook's psychological fabric.

Problem: No one can tell Facebook from a scam

The top five tricks rely on a combination of the obsessions encouraged inside the Facebook experience, and user confusion within a system that is so ever-changing and complicated, users would be none the wiser that a given scam isn't just a new "feature" or another of Facebook's psychological experiments being done on users.

The psychologists and researchers behind Bitdefender's whitepaper showed the five most popular categories of scam-bait to be:

Guess who viewed your profile (45.5 percent)

Facebook functionality scams, such as 'change your background color' (29.53 percent)

Giveaway scams (16.51 percent)

Celebrity scams; alleged sex tapes of Rihanna, Miley Cyrus and Taylor Swift (7.53 percent)

Atrocity videos (0.93 percent)

The top two scam styles prey on a general lack of understanding about Facebook’s functionality -- which, as most users know, is a constantly moving target.

Nearly half of the millions of people scammed on Facebook fell prey to the kind of obsessive curiosity the social network encourages: people who just want to see who looked at their profile.

"The most popular Facebook scam offers users the chance to see if they are still searched by a person for whom they may still have feelings for," the researchers wrote. "The 'profile viewer' message is customized, touching them on a personal level."

About one in three Facebook scams fool victims with features that Facebook doesn’t even have, such as dislike buttons and timeline color personalization.

Facebook functionality scams – almost a third of the total number of scams – are based on the increasing importance of social network profiles and experience. The need to embellish your avatar is the universal need of managing one’s image. Any additional feature is viewed as a possibility to make one’s image and experience even better. All it takes for users -otherwise very sharp offline - is the lack of know-how regarding social networks and their features.

Disturbingly, Bitdefender's researchers added:

Though less present, the last two categories of Facebook scams are growing at a steady pace. Celebrity sex tape scams and atrocity news (such as murders and child abuse) are attracting thousands of victims with every new campaign, as they also "include" alluring videos. (...) Children and teenagers are the most exposed to atrocity video scams, and we expect their number to intensify in the future.

Facebook temporarily banned the posting of beheading videos in May 2013, but lifted the prohibition in October of the same year, stating it would continue to allow such videos if they are presented as news or in a fashion that condemns them. The social media giant recently faced renewed scrutiny over the policy in light of recent events highlighting the rise of violent extremism.

Special Feature Why business leaders must be security leaders Why do many boards leave IT security primarily to security technicians, and why can’t techies convince their boards to spend scarce cash on protecting stakeholder information? We offer guidance on how to close the IT security governance gap. Read More

We're used to assuming that the people falling for clickbait scams are just not very smart.

But Bitdefender's findings show that users falling for Facebook scams are simply falling for their expectation of Facebook's user experience -- and it's not their fault.

Facebook scams are big business; a number of Facebook scams make their money through Trojans that snatch bank and browser passwords.

One famous scam -- the so-called Nigerian scam (now expanded beyond the typical email campaigns) -- alone cost $12.7 billion in global losses in 2013, according to an Ultrascan AGI report. Bitdefender's Security Specialist Bianca Stanescu tells ZDNet we can "expect Facebook scam losses to be even higher."

It sounds like a sick punchline, that Facebook's users can't tell what's Facebook and what's a malicious scam. But in light of Bitdefender's surprising report showing the scams are hitting everyone, it's becoming costly, only growing worse, and it's victimizing every kind of user.

For more information about the psychology at work in scams that target Facebook users, check out Bitdefender’s whitepaper.

ZDNet has reached out to Facebook for comment and will update this post accordingly.