"The message was, 'you've got to check out this pic I've found of the two of us,' with a link," said scam victim McGraw.
Amy clicked the link, and it brought her to a log in page.
She entered her password without thinking twice.
McGraw said, "Within minutes, that same direct message was sent to my entire address book."
Amy had been reeled in by a phishing scam, one of several targeting sites like Facebook, Myspace, and Twitter.
Internet security group Symantec says millions of people are being compromised.
Now, they have a warning, keep your eyes peeled, because hackers are using the holiday season as a way to grab your attention.
John Harrison of Symantec said, "They're trying to lure you into clicking on that link and opening up something so that your machine could be compromised, or tricked into paying money, or tricked into buying some software."
And even the savviest social media users are being fooled.
That's because these scams look like they're coming from friends and family.
One of the latest out there is "like" jacking, also known as "click" jacking.
"Have you ever seen one of those posts from your friend, and you go why did Joe post that? Joe could have been looking at football scores, or clicked on a link to watch a video, but behind the scenes what's happening is there's an invisible "like" button," said Harrison.
Clicking that invisible button will update your status with spam, or even change your privacy settings.
Another popular scam that can spread like wildfire is the questionnaire, or survey.
"They'll ask your name, your address, your phone number. They're then brokering that information and selling it to people," said Harrison.
Symantec also warns to be wary of shortened URL's because the full web site address is hidden.
Harrison said, "You may actually be taken to a site that silently infects your computer with malware."
And social media apps are all the rage, but some scammers are creating their own, "rogue" versions. They may look legit, but you're actually giving hackers access to your account.
"Look at the reviews, find out whether these are real applications before you install things, and watch the types of things that it's asking for," said Harrison.
Other ways to prevent an attack include making sure you have up to date security software, and using a different, complex password for each social media account.
Most importantly, think before you click.
"Be careful about links in e-mails or via message, especially if it may be out of someone's normal nature to share something like that," said Harrsion.
In the end, Amy changed her twitter password and took back control of her account.
She hopes others learn from her mistake.
"I was distracted, and that's all it took was just one moment of distraction for me to get hacked," said McGraw.
Symantec says changing your password is usually enough to get rid of the bad guys.
Then, run your security software to make sure you computer isn't infected.
Copyright 2016 Nexstar Broadcasting, Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.