Users on Twitter have been receiving messages purporting to be from “Twitter Support” urging them to act quickly to avoid suspension, often even from users with a blue check. But these are almost certainly scams — here’s what to look out for and what it would look like if Twitter actually needed to contact you.
First, as a general rule, any message from anyone you don’t know on any platform you use should be viewed with suspicion. Do not follow any links or instructions, and if you’re at all unsure, take a screenshot and send it to a friend for help!
On to today’s problem: DM spam.
This type of trick goes by various names depending on what the scammers are after. It might be garden variety phishing, and they’re trying to trick you into divulging personal or financial information. But it could be a more sophisticated, long-term plan to get access to high-profile accounts.
It works like this: First you do a bit of spray-and-pray-style messaging to get a few people to click through to one of many methods of getting their credentials, whether it’s social engineering (“Please verify your current password”) or a fake app (“Please update Tw1tter”) or some more serious device-level takeover. This nets the scammers control over a handful of real people’s accounts.
Example of a scam DM from a hacked verified account. Image Credits: Devin Coldeway (screenshot)
Using these accounts, they spam DMs further, using the accounts’ legitimacy to mask their nefarious doings. This nets them more accounts, and if they’re lucky, they’ll springboard to higher-profile ones, like a verified account the user follows who has their DMs open.
Once they have taken over a blue-check account, they might change the name to something like “Urgent Support” and start sending out legitimate-looking warnings to the no doubt thousands of followers such a user will have.
Here’s how to spot a scam and protect yourself. One message a TechCrunch reporter received today from a verified account went as follows:
Twitter Support | Violation
We’ve detected a lot of suspicious login attempts on your account lately.
We care about the security of verified accounts.
Your account will be suspended within 24-48 hours for security reasons. If you are not doing this, you must submit an appeal form to us so that your account is not suspended and we can review it.
[link to innocuous looking non-Twitter domain]
In any case, we will contact you again through this channel.
Thank you for your understanding,
Twitter Help Account.
A lot of people will see the verified account, a bit of boilerplate-looking warning text, and just hit the link. How should they know what a Twitter suspension warning looks like? They’re not internet sleuths, and frankly they shouldn’t have to be in order to keep their account safe, but this is the reality of social media today.
Fortunately it’s very easy to spot a scam, and you can protect yourself with the following steps.
First, there are a couple of red flags in the message itself, starting with the link: it points to a domain that isn’t Twitter’s, even though the message claims to come from Twitter.
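The domain check is the one red flag you can test mechanically. The following is an added example, not code from the article or from Twitter, that classifies every link in a DM by its hostname alone. It assumes `twitter.com` and `t.co` are the only legitimate hosts (check the service’s own help pages for the real list) and uses a constructed sample message modelled on the one quoted above; the link in it is invented, not a real scam domain.

```python
import re
from urllib.parse import urlsplit

# Domains Twitter used for its own pages and short links (assumption for this
# example; consult the service's official help pages for the real list).
OFFICIAL_HOSTS = ("twitter.com", "t.co")

# Digit-for-letter substitutions seen in lookalike domains ("tw1tter").
LEET = str.maketrans({"1": "i", "0": "o", "3": "e", "7": "t", "5": "s"})

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def classify_link(url: str) -> str:
    """Return 'official', 'lookalike', 'unrelated' or 'invalid' for a URL.

    Only the hostname matters: the path, the query string and anything before
    an '@' in the authority are decoration the attacker controls.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme not in ("http", "https") or not host:
        return "invalid"
    # A genuine host is the official domain itself or a real subdomain of it.
    # "twitter.com.evil.example" fails because its registrable domain is
    # evil.example, however much it starts with "twitter.com".
    if any(host == off or host.endswith("." + off) for off in OFFICIAL_HOSTS):
        return "official"
    if "twitter" in host or "twitter" in host.translate(LEET):
        return "lookalike"
    return "unrelated"


def check_message(text: str) -> dict:
    """Map every link found in a DM to its classification."""
    return {url: classify_link(url) for url in URL_RE.findall(text)}


def has_red_flag_link(text: str) -> bool:
    """True if a message claiming to come from Twitter links anywhere else."""
    return any(verdict != "official" for verdict in check_message(text).values())


# Constructed sample DM modelled on the one quoted above; the link is invented.
SAMPLE_DM = (
    "Twitter Support | Violation\n"
    "Your account will be suspended within 24-48 hours. Submit an appeal at\n"
    "https://twitter.com.appeal-review.example/form\n"
)

if __name__ == "__main__":
    for url, verdict in check_message(SAMPLE_DM).items():
        print(f"{verdict:9s} {url}")
    print("red flag:", has_red_flag_link(SAMPLE_DM))
```

Note that `https://twitter.com@evil.example/login` classifies as `unrelated`, not `official`: the part before `@` is a username, and the real host is `evil.example`. That is exactly the trick a glance at the link text misses and a hostname parse does not.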
So what should you do if you get a message that looks scammy? The safest thing is to ignore it and delete it. If you want, you can report it to Twitter using the directions here.
The single best thing you can do to protect against scams like this is to turn on two-factor authentication, sometimes called 2FA or MFA (multifactor authentication). We’ve got a whole guide for it here:
How two-factor authentication can protect you from account hacks
2FA will be in your Twitter security settings, and in the security settings for lots of your other online apps and services as well. What two-factor authentication does is require a second proof, beyond your password, that it’s really you signing in: usually a short code from an “authenticator” app on your phone, or a tap on a hardware security key. If you get a code prompt or a login alert when you’re not signing into Twitter, something’s up!
When you do want to sign in, it will ask you for a number generated by the authenticator app that only you can see, or sometimes via text (though this method is being phased out). These numbers should only be entered at the login screen and never, ever told to anyone else.
If you have 2FA enabled, then even if you accidentally hand your password to a scammer, their login attempt stops at the second factor, which they don’t have. The one gap to know about: a phishing page can ask for your code as well and relay it to the real site within seconds, which is why codes belong only on the genuine login screen. A hardware security key closes that gap, because it checks the site’s real domain for you and won’t answer a lookalike. This is an incredibly helpful thing in today’s dangerous cybersecurity environment!
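To make the “something only you can see” concrete, here is an added example, not code from the article or from Twitter, of the time-based one-time password (TOTP, RFC 6238) scheme that authenticator apps use, with the server-side check and two scammer scenarios from the paragraphs above: one who has only the password, and one who phishes a live code and relays it. The seed is the RFC test vector, used here as a constructed example; the clock values and the scammer functions are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per code, the default authenticator apps use


def secret_from_base32(text: str) -> bytes:
    """Decode the base32 seed an authenticator app scans from the QR code."""
    padded = text.strip().replace(" ", "").upper()
    padded += "=" * (-len(padded) % 8)
    return base64.b32decode(padded)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password over an 8-byte counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 time-based code: HOTP over the current 30-second window."""
    return hotp(secret, unix_time // STEP, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check, tolerating one step of clock drift either way."""
    counter = unix_time // STEP
    return any(
        hmac.compare_digest(hotp(secret, counter + drift), code)
        for drift in range(-window, window + 1)
    )


# Constructed example seed: the RFC 6238 test secret, base32-encoded as an
# authenticator app would receive it.
USER_SEED = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")


def scammer_with_password_only(unix_time: int) -> bool:
    """Hypothetical: the scammer has the password but not the seed.

    Without the seed every code is a blind guess with ~3 in a million odds
    per attempt, and real services lock the account after a few failures.
    """
    guess = "123456"
    return verify_totp(USER_SEED, guess, unix_time)


def scammer_relaying_phished_code(unix_time: int, delay: int) -> bool:
    """Hypothetical: the victim typed a live code into the fake page.

    The attacker submits it to the real site `delay` seconds later; it only
    works inside the drift window, which is why codes belong solely on the
    genuine login screen.
    """
    phished = totp(USER_SEED, unix_time)
    return verify_totp(USER_SEED, phished, unix_time + delay)


if __name__ == "__main__":
    now = 59  # fixed clock so the output is reproducible
    print("code shown in the app:", totp(USER_SEED, now))
    print("password-only scammer gets in:", scammer_with_password_only(now))
    print("phished code relayed after 10s:", scammer_relaying_phished_code(now, 10))
    print("phished code relayed after 120s:", scammer_relaying_phished_code(now, 120))
```

The relay case is the important one: a code is not a secret you can recognise as stolen, it is valid for anyone who submits it within the window. That is the attack a hardware security key defeats, since the key signs the site’s real origin rather than a number a person can be talked into retyping.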
That’s all. Now you, and anyone you care to tell, are far less likely to get scammed on Twitter this way. If you want to further boost your cybersecurity prowess, check out our Cybersecurity 101 series.
Cybersecurity 101: How to protect your online security and digital privacy