Phishing on Facebook usually involves a hacker posing as a familiar individual or respectable organization, and asking for a user's personal data, usually via a wall post or direct message.
Often, users will be directed to click on a link. Once they do so, their computer may be infected with malware, or they may be directed to a website that offers a compelling reason to divulge sensitive information.
A classic example would be a site that congratulates its victims for having won $1,000 and prompts them to fill out a form to collect their prize -- a form that requests credit card, bank account or Social Security numbers, which can then be used by the fraudsters.
Also becoming increasingly common, warns Milbourne: "spearphishing," a practice that uses the same basic idea but targets users through their individual interests.