Twitter phishers get cleverer

There’s a range of Twitter phishing scams doing the rounds currently. You don’t have to tell me – I get at least one scam-tastic direct message every day! Lord knows how many you’d get if you had thousands of followers.

How it works

The mechanism is pretty simple. You get a direct message from someone you follow, encouraging you in some way to click a link. The techniques used to get you to click are the clever bit.

So you click on the link and it looks legit. Except it asks you to provide your Twitter ID and password. Obviously this is a bad idea. Well, I say ‘obviously’, but it’s not so obvious because heaps of people get caught. Even people who make a living on their social media expertise. Whoopsie!

Once you provide your password, the nasty scammers can log into your Twitter account and send direct messages to all your friends, supposedly from you, asking them to click on the link. Or possibly several different links, with several different enticements. A few of your friends fall for it and the cycle continues.

Presumably the hijackers could also use your details to send Tweets, supposedly from you, for various nefarious spammy purposes.

Clever enticements

As I mentioned, the clever part is the way the scammers convince you to click the link, what security geeks call ‘social engineering’. It needs to sound like a plausible message you’d receive from a friend or someone you know, the enticement needs to be appealing to you and the link needs to look legitimate.

These started out fairly basic: things like ‘Hey, take this free quiz’ or ‘Hey. Can u do this for me?’ The ‘hey’ part makes it sound like a genuine message from a friend. In fact, the only thing that tipped me off was the fact that the message came from someone I didn’t know particularly well and it seemed overly familiar. If it had been from a real-life friend, I might easily have been fooled.

The next phase was an IQ test, with messages like ‘Want to check to see whos iq is higher?’ and ‘u seem smart. take this iq quiz.’ Appealing to people’s competitiveness and vanity always gets you places.

Today I received a direct message telling me someone had found me on a site called ‘xsgay’. You can imagine this would be of great concern to quite a lot of people, regardless of their personal preferences. And once you’re worried and not thinking clearly, you’re much less likely to fret about why this site is asking for your Twitter details, and just fill them in. Uh oh!

What (not) to do

As far as I understand, these scams have a fairly low success rate because they rely on you entering your ID and password, or at least clicking a link to provide those details to the scam site. But like spam and online banking phishing scams, a low success rate multiplied by millions of messages adds up to a sufficient number of people who get fooled.

So not getting caught out is fairly simple:

  1. Be suspicious of people contacting you at random – if it’s outside the normal pattern of behaviour, question it
  2. Don’t click suspicious links
  3. Don’t provide your ID or password to a site unless you know it’s trustworthy – in practice, unless the address bar shows the real site (twitter.com), not a lookalike
  4. If your account gets hijacked, change your password as soon as you find out. And probably start apologising to a lot of people.
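Point 3 is the one that actually stops these scams, and it comes down to one question: is the page asking for my password really on twitter.com? The following is an added example, not part of the original post, showing how to check a link from a direct message properly rather than by eye. It parses the URL so that the usual tricks (a username trick such as `https://twitter.com@evil.example/`, a subdomain trick such as `twitter.com.evil.example`, a misspelt domain such as `twltter.com`, or a punycode `xn--` host) are caught. The trusted domain list, the edit-distance threshold and the treatment of the last two labels as the registrable domain are assumptions for illustration; a real tool would use the Public Suffix List instead of the last two labels.

```python
from urllib.parse import urlsplit

# Assumption for this example: the only site we are prepared to give a
# Twitter password to is twitter.com itself (and its subdomains).
TRUSTED_DOMAINS = ("twitter.com",)


def host_of(url):
    """Return the normalised hostname of url, or None if it has none.

    urlsplit() is used instead of string matching so that userinfo
    ('https://twitter.com@evil.example/'), ports and upper case cannot
    fool the check. A URL without a scheme has no hostname and yields None.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return None
    host = parts.hostname  # lower-cased, userinfo and port already stripped
    if not host:
        return None
    return host.rstrip(".")  # 'twitter.com.' is the same host as 'twitter.com'


def is_trusted_host(host, trusted=TRUSTED_DOMAINS):
    """True only if host is a trusted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_login_link(url, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Classify a link that is asking for Twitter credentials.

    Returns one of:
      'genuine'   - https and the host really is a trusted domain or subdomain
      'insecure'  - a trusted host but plain http, so the password travels in clear
      'lookalike' - a host that imitates the brand: contains 'twitter' as part of
                    a label, is a punycode (xn--) host, or is within max_distance
                    edits of a trusted domain
      'other'     - some unrelated host (or no host at all) asking for credentials
    """
    host = host_of(url)
    if host is None:
        return "other"
    scheme = urlsplit(url.strip()).scheme.lower()
    if is_trusted_host(host, trusted):
        return "genuine" if scheme == "https" else "insecure"
    labels = host.split(".")
    # Assumption: last two labels approximate the registrable domain.
    registrable = ".".join(labels[-2:])
    if any(label.startswith("xn--") for label in labels):
        return "lookalike"
    if any("twitter" in label for label in labels):
        return "lookalike"
    if any(edit_distance(registrable, d) <= max_distance for d in trusted):
        return "lookalike"
    return "other"


if __name__ == "__main__":
    # Constructed sample links of the kind a scam DM might carry.
    samples = [
        "https://twitter.com/login",
        "https://twitter.com@evil.example/login",
        "https://twitter.com.evil.example/login",
        "https://twltter.com/login",
        "http://twitter.com/login",
        "https://evil.example/twitter/login",
    ]
    for link in samples:
        print(f"{classify_login_link(link):10s} {link}")
```

Only a "genuine" verdict means the password goes where you think it does; everything else is a reason to close the tab. Note that the check inspects the host alone: a path such as `/twitter/login` on another domain is still "other", which is exactly the kind of link that looks legitimate at a glance.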
