As everyone has surely heard by now, Elon Musk has bought Twitter.
Numerous verified Twitter users have reported receiving phishing emails from fraudsters that purport to be legitimate messages from the website.
The emails warn users that their "Verified" status - a coveted blue and white tick badge displayed alongside their name - will have to be paid for on a monthly basis, unless they can "fully verify [they are] famous or well-known."
Don't lose your free Verified status,
The verification badge will be $19.99 per month for some users after November 2, 2022. These users are users that we cannot fully verify are famous or well-known people. You need to give a short confirmation so that you are not affected by this situation. To receive the verification badge for free and permanently, please confirm that you are a well-known person. If you don't provide verification, you will pay $19.99 every month like other users to get the verification badge.
The phishing email builds upon widely-publicised statements made by Elon Musk that he will be introducing a paid-for verified account scheme in the coming days. It was initially reported that Musk plans to charge $19.99 per month for a so-called "blue tick" (it's actually white on a blue background), but following an altercation with horror author Stephen King he appears to have settled on an $8 monthly fee.
Here is the problem. Every time Elon Musk says something it makes headline news, and Elon Musk says a lot of things...
The world's richest man's plans for the news junkie's favourite social network inevitably get a great deal of attention. Not everyone will be aware of the details of what Elon Musk might be planning for Twitter, but they will certainly be aware that it's a hot topic.
And so if a Twitter user receives a message claiming to be about their verified account, they may very well believe it... and that makes them more susceptible to falling into a trap.
In this case, as TechCrunch journalist Zack Whittaker describes in a series of - you guessed it - tweets, it's not the most sophisticated example of a phishing attack ever seen.
Clicking on the link doesn't take the unsuspecting user to a webpage hosted on the official Twitter site, but instead takes them to a page hosted on Google Forms which blatantly requests the victim enter their username, password, and phone number.
Google has now taken down the phishing page, but I don't for a second imagine this will be the last phishing attack to exploit the current turmoil on Twitter.
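As an added example (not part of the original article), here is a mail-filter style check for the mismatch described above: it lists every link in a message that claims to come from Twitter and marks those that lead to a Google Forms page or to any other non-Twitter host. The host lists, the verdict names and the sample message are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumptions for this example: hosts treated as genuine Twitter hosts, and
# host/path prefixes of the form-hosting service named in the article.
BRAND_HOSTS = ("twitter.com", "t.co")
FORM_PREFIXES = ("docs.google.com/forms/", "forms.gle/")


class HrefCollector(HTMLParser):
    """Collect the href of every <a> tag in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)


def host_in(host, domains):
    # Exact host or a true subdomain; "twitter.com.verify.example" does not match.
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_links(html_body):
    """Return (href, verdict) pairs for an email that claims to be from Twitter."""
    parser = HrefCollector()
    parser.feed(html_body)
    results = []
    for href in parser.hrefs:
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()
        if host_in(host, BRAND_HOSTS):
            verdict = "brand"
        elif (host + parts.path).startswith(FORM_PREFIXES):
            verdict = "form-host"  # credentials requested on a hosted form
        else:
            verdict = "other"      # neither the brand nor a known form host
        results.append((href, verdict))
    return results


# Constructed sample modelled on the lure described above, not the real email.
SAMPLE = """<p>Don't lose your free Verified status</p>
<a href="https://docs.google.com/forms/d/e/EXAMPLE/viewform">Provide Information</a>
<a href="https://help.twitter.com/en">Help Center</a>
<a href="https://twitter.com.verify.example/login">Log in</a>"""
```

Calling `classify_links(SAMPLE)` marks the form link as `form-host` and the look-alike host as `other`; a filter would quarantine or banner a Twitter-branded message carrying either verdict.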
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.