This week, at least two journalists said they received emails from someone posing as “Twitter Services,” urging them to provide some personal information to confirm their identity and retain their verified status. While this phishing email lacks the sophistication of others we’ve covered recently, the attack is noteworthy because the threat actor acted quickly to capitalize on speculation about the blue tick on Twitter. On Sunday, multiple news outlets claimed Musk plans to increase the cost of Twitter Blue to $19.99, citing internal documents. Just hours later, on Monday, the phishing emails reached the inboxes of their targets.
Twitter Verification Phishing Email
Journalists at TechCrunch and NBC News said they received emails that said the Twitter verification badge would cost $19.99 from November 2. However, they were given a chance to keep the blue badge “for free and permanently” if they confirmed their identity by providing some information. While the email looks like it’s from Twitter, there’s one telltale sign it is not—the sender’s address is twittercontactcenter@gmail. Also, clicking on a button in the email sends targets to a Google Docs page with a link to a Google Site. On this webpage, which spoofs the Twitter login page, targets are required to provide their Twitter handle, password, and phone number. TechCrunch said it informed Google about the malicious website, and it has been taken down.
Convincing Phishing Scams
While Musk claims the plan to charge a monthly fee for verification on Twitter would help to combat scams, it may have the opposite effect. There has been a notable rise in convincing phishing scams recently. Threat actors are orchestrating elaborate schemes to trick victims into handing over personal information. We’ve reported on such attacks recently, where threat actors impersonated companies like PayPal and Steam to scam victims. There’s a possibility cybercriminals will continue to launch phishing attacks to take advantage of Twitter users who want to retain their verified status or get verified. The best way to protect yourself is by learning how to spot phishing scams. Check any suspicious email for spelling errors in the sender’s address or the body of the email. Always double-check and confirm its legitimacy before complying with a request for your personal information online. Check out our in-depth article on phishing for more information.
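The signs described in this article (a brand name in the sender's display name, a free webmail sender address, and a link to user-hosted Google content) can be checked mechanically. The following Python code is an added example, not part of the original article; the domain lists, the function names and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions for this example (not from the article): which domains count as
# the brand's own, which are free webmail, and which hosts serve user content.
BRAND_DOMAINS = {"twitter": {"twitter.com"}}
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}
USER_CONTENT_HOSTS = {"docs.google.com", "sites.google.com"}

def host_in(host, domains):
    """True if host equals, or is a subdomain of, one of the domains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def check_message(raw):
    """Return a list of findings for one RFC 5322 message given as text."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    claimed = [b for b in BRAND_DOMAINS if b in display.lower()]
    findings = []
    for brand in claimed:
        # The display name is free text; only the address domain is checked.
        if not host_in(sender_domain, BRAND_DOMAINS[brand]):
            findings.append(f"display name claims {brand}, sender domain is {sender_domain}")
    if claimed and sender_domain in FREE_MAIL:
        findings.append("brand-named sender uses a free webmail account")
    body = msg.get_payload()
    for url in re.findall(r"https?://[^\s\"'<>]+", body if isinstance(body, str) else ""):
        host = urlparse(url).hostname or ""
        if claimed and host_in(host, USER_CONTENT_HOSTS):
            findings.append(f"link goes to user-hosted content on {host}")
    return findings

# Constructed sample modelled on the description above; the sender address
# and URL are placeholders, not values from the real campaign.
SAMPLE = """From: Twitter Services <twitter-support.example@gmail.com>
To: reporter@newsroom.example
Subject: Keep your verified badge

Confirm your identity to keep your badge:
https://docs.google.com/document/d/EXAMPLE-PLACEHOLDER/edit
"""

if __name__ == "__main__":
    for finding in check_message(SAMPLE):
        print(finding)
```

A message flagged this way still needs a human look; the check only surfaces the mismatch between who the message claims to be and where it actually comes from and points to.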