Elon Musk's ascension isn't the first thing to cause waves of scams on Twitter, and it certainly won't be the last. On July 20th of 2022, data belonging to over 5 million Twitter users was put up for sale on the internet underground for $30,000. The FTC has described the current climate as a "gold mine for scammers," and the April bump to a 10,000-character limit (for Twitter Blue subscribers) only makes things more interesting.
Any digital watering hole is a place where scammers will congregate, hoping to blend into the crowd and pick a few pockets. Well, it's been working. Here are a few of the most salient threats users should watch out for in 2023 if they want to continue to Tweet safely.
And what an organization can do if its people don't.
5 Twitter Scams in 2023
The end goal of phishing is for an attacker to obtain your login credentials, money, or sensitive information, and Twitter offers a multitude of avenues for an enterprising phisher.
A spoofed Twitter account could post a link to a malicious website, claiming the information is gated and that the user needs to enter their details to read it. A legitimate (but compromised) account could do the same thing, sending a message or creating a post with a bad URL designed to steal the user's credentials. Real and fake accounts alike can also use direct messages to send requests for account verification, cryptocurrency investments, sales deals (for fake online stores) or illegitimate job offers. Always investigate the sender's profile and try to confirm suspicious behavior on another of their social media accounts – or stay away entirely.
We've all seen them, read about them, or been spoofed by them: spoofed accounts. It's a regular Wednesday and suddenly Jeff Bezos is doubling all Bitcoin contributions sent to his personal address. Or LeBron James’ son is hitting up his followers for personal information in a Tweet. Or Elon Musk is amped about yet another cryptocurrency opportunity. It gets sketchy.
One thing is certain: after a teenager hijacked Bill Gates’ Twitter account several years ago, it can happen to anyone. Users need to resist the urge to act on impulse, filter extraordinary claims through a lens of common sense, and check how the account got verified. If the account was verified by Twitter, you can be more confident of its authenticity. If the check mark is only the badge of a paid Twitter Blue subscriber, watch out.
Twitter verification scams are a popular exploit in themselves. Knowing the draw of the popular blue check mark, scammers pretending to be Twitter offer to verify the account of an unsuspecting user. Honored, the user submits the necessary information (usually login credentials) and ends up handing sensitive information over to a malicious third party.
There are only two ways to be ‘verified’ on Twitter. One is the “old way”: to prove yourself notable or influential in some way (in entertainment, government, business) and receive the blue check straight from Twitter. The other is the recently released “new way”: purchase a subscription to Twitter Blue.
Crypto scams go hand-in-hand with the bot scams described next, and they are rife on Twitter. We’ve all seen them (and some more than others, Elon) and have come to spot the signs.
In one discouraging study, bots were estimated to represent around 5% of Twitter’s users but created up to 29% of the content. Yikes. While bots in themselves are not inherently malicious, their ability to imitate human behavior makes them useful for disseminating false information, persuading users to click on dangerous URLs, and otherwise duping victims online. A bot will spam links in replies to Tweets or send unsolicited direct messages with offers or requests.
Another rising scam is the Twitter banking scam. A genuine, disgruntled customer posts a dissatisfied Tweet and tags the bank. Then the scammer spins up a fake account posing as a representative of the tagged bank and posts in the replies something like, “I’m so sorry for your experience. Click the link to call and we’ll get your issue resolved.”
The user will then call the phony number, speak to the fake representative, and hand over real banking information.
How Companies Are Staying Safe
What an employee does online, even with a personal account, can have ripples throughout an organization. More employees are using personal devices for work (and vice versa), logging in to corporate networks on their phones, or interfacing with cloud-based storage systems for work, play, and everyday life. This widens the attack surface and multiplies the damage a Twitter scam can cause. Bad actors know this, and they also know that many people let their guard down on social media. This makes social media platforms like Twitter the ‘weakest link’ in overall network defense.
Organizations can stay ahead of clever Twitter threat tactics by leveraging the right tools, training, and talent. Security awareness training can level up employees’ online instincts, making them more social media savvy when it comes to dupes. Security configuration management solutions make sure enterprise security controls are running at their full capacity, and file integrity and change monitoring tools ensure that even if a scammer did illicitly obtain credentials, their behavior once inside the network would be caught.
By creating defense-in-depth strategies, organizations can fight inevitable Twitter scams with measures they can control. For more on how Tripwire can help your organization defend against the aftermath of a social media attack, click here.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.