It's easy to protect yourself against this Messenger spear-phishing scam, but you need to be alert at all times.
First, simply refuse to give anyone your online credentials. It's easy to get lulled into a sense of safety, especially when you're texting or messaging someone you think is your friend. Make it your mission to never share your online credentials with anyone.
Second, and most important, set up two-step verification on Facebook and other accounts. This adds a level of protection on top of your password to keep people out of your accounts.
Often, two-step verification is a code sent to your cellphone. Facebook, Google, Microsoft, your bank, and other companies will send you a unique code to get into your account.
Here's how to set up two-step verification on Facebook: Click on the down arrow on the far-right side of your Facebook home page >> Settings >> Security >> Login Approvals >> enable Facebook's Two-Factor Authentication.