On Thursday night, Facebook was attacked by hackers for the fourth time this month. Who is behind the attacks isn’t known, but the malefactors appear to be using several old tricks–phishing, malware downloads, and other conceits–to get people to give up their Facebook password credentials, or trick them into buying things from suspect e-commerce sites.

Facebook has been attacked with phishing and malware in the past. But the increased incidence of the outbreaks suggests that they’re having more trouble controlling the phenomenon than before. Since hacking campaigns like these rely on fooling users, Facebook is a vulnerable target–with over 200 million people, the odds are at least a few will get tricked into giving up their information, allowing the hack to propagate and the people behind it to make money.

So how does this caper work? Facebook says it’s not an internal virus on their servers, but does that make sense with what we know? Why can’t these attacks be stopped quickly? And how do you avoid being ensnared? FastCompany.com grilled the experts, and their answers are below.

1. Who does this attack affect?

All Facebook users, Mac and PC owners alike. The scam sucks you in by taking control of a Facebook account and sending messages to all that person’s friends. When you click on the message from your friend, there’s a link inside; click it, and the trouble begins. Some of the links take you to malware sites, which will download a virus on your PC. Others take you to shady online retailers hawking Viagra or other suspect goods. In some variants of the scam, you are directed to a fake Facebook site that tells you that you’ve been logged out. Once you enter your credentials to log back in, they’ve tricked you into handing over the keys to your account. The scammers will then use your account to spam all your friends with the same message.

2. What’s the scam attempting to do?

Like most, these attacks exist to make the hackers money. According to Facebook spokesperson Barry Schnitt, the process works like this: “Once the phisher had control of some accounts, they tried to monetize by sending out run-of-the-mill spam,” the kind that gets you to buy pharmaceuticals or other junk, Schnitt explains. Once you opt to buy whatever they’re peddling, they’ve got all your contact info and your credit card number, and they can either sell that information to other miscreants or use it to engage in full-scale identity theft and fraud.

3. How does it work?

“With phishing attacks, the user is entering credentials on another site” that looks just like Facebook, explains Chris Wysopal, founder and CTO of Veracode, a software security testing company. “Those credentials can then be used to log into Facebook and then post messages that advertise the phishing site to a person’s network. With malware, the user is tricked into downloading an executable which then steals the credentials–or an active session cookie–to advertise the malware to a person’s network,” he says.
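A defender-side triage check over links found in messages, added here as an example that is not from the article, from Facebook or from Veracode: it flags links whose host carries the Facebook name but belongs to another domain (the fake “you’ve been logged out” page described above) and links that point at an executable download. The legitimate domain, the digit-for-letter folding and the sample message are assumptions constructed for this example.

```python
import re
from urllib.parse import urlparse

# Assumptions for this example: the impersonated brand, its real registrable
# domain, and a short list of download suffixes worth flagging.
BRAND = "facebook"
LEGIT_DOMAIN = "facebook.com"
EXEC_SUFFIXES = (".exe", ".scr", ".bat", ".zip")
# Fold common digit-for-letter substitutions (faceb00k -> facebook).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"})


def registrable_domain(host: str) -> str:
    """Last two DNS labels; a crude stand-in for a public-suffix lookup."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url: str) -> str:
    """Return 'legit', 'download', 'lookalike' or 'other' for one link."""
    if "://" not in url:
        url = "http://" + url
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    if registrable_domain(host) == LEGIT_DOMAIN:
        return "legit"
    if path.endswith(EXEC_SUFFIXES):
        return "download"
    # Brand name anywhere in a foreign host (subdomain trick, hyphenated or
    # homoglyph variant), or a login-looking path that names the brand.
    folded = host.translate(HOMOGLYPHS).replace("-", "")
    if BRAND in folded or (BRAND in path and "login" in path):
        return "lookalike"
    return "other"


def triage(message: str) -> list:
    """Extract http(s) links from a message and pair each with its verdict."""
    urls = re.findall(r"https?://[^\s<>\"']+", message)
    return [(u, classify_link(u)) for u in urls]


if __name__ == "__main__":
    # Constructed sample message of the kind the article describes.
    sample = "lol look at this http://www.faceb00k-login.com/logout.php"
    for url, verdict in triage(sample):
        print(verdict, url)
```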

4. Is this a worm?

“It’s a phishing attack. We haven’t seen any evidence of a worm,” claims Facebook spokesperson Barry Schnitt. The experts agree, based on what’s transpired so far, but they also note that it’s impossible to be sure without peering directly into Facebook’s network.