It is a relatively easy matter for someone to hack into the Facebook account of one of your friends. The hacker then sends you a message with a link that you trust because it appears to be coming from one of your friends. The link then takes you to a phony phishing page that appears to be a Facebook login page, where you insert your password to re-enter Facebook. You have now turned over your Facebook password to the identity thief. Once armed with that, the identity thief then has access to all of the information you have input into your own legitimate Facebook page, which often may have the information many of us use as security questions for services such as online banking. Since many people make the mistake of using the same password for everything, you have now provided the identity thief with both your bank account password and information necessary to answer your security question. At that point the identity thief has enough information to empty your bank account.
Use different passwords for different accounts and change them on a regular basis. When determining security questions, consider whether people would be able to readily access the information necessary to answer your security question from information that may be available online. Never click on links from strangers and never click on links from friends who may have been hacked until you have actually spoken to them to confirm that the link is from them. Even then you should exercise caution because your friend may have unwittingly be passing on a link tainted with malware. While on Facebook, if a link takes you back to a Facebook log-in page, immediately exit the browser. Do not type your password in.