Beware sophisticated Twitter phishing scams


Summary: A phishing scam targeting Twitter users is sophisticated and dangerous. Here's how to protect yourself.

TOPICS: Security

As most ZDNet readers know, phishing scammers forge emails from legitimate sites, hoping to harvest personal details such as your name, Social Security number and passwords. These forged emails often appear to come from financial institutions, so that the scammer can get into your bank account.

The latest variant of this scam uses a hijacked Twitter account to send out direct messages that appear completely legitimate. The message contains a link that sends the recipient to a Twitter log-in page, which again looks absolutely real. In this case, however, that log-in page is hosted by identity thieves, not by Twitter. In other words, it's a fake Twitter site.

Here is an image of a fake direct message I received this morning (the sender's identifying information is blurred):

Twitter phishing email DM
(Screenshot by ZDNet)

When you click the link, it takes you to this page, which looks completely legitimate to the casual observer:

twitter phishing login
(Screenshot by ZDNet)

Although this page looks and feels entirely legit, it is not. If you enter your Twitter username and password into this site, the thieves capture them and take control of your Twitter account; a hijacked account is then typically used to send the same direct message to its followers, which is how the scam spreads.

Protect yourself

You can take steps to help avoid falling prey to this kind of scam:

  1. Do not click links within unsolicited emails or direct messages. If you don't click a link, you can't get caught in the phishing web.

  2. Look closely at the web address of any page that asks you to enter personal information.

  3. In this case, the page looks real but there are subtle signs of forgery. Here is a larger view of the page address:

    Twitter phishing address
    (Screenshot by ZDNet)

    Although the site looks and feels like the official Twitter page, it is not Twitter at all. Look closely at the address and you can see that the spelling is not "twitter" but "iwltter." The thieves cunningly chose a sequence of letters that mimics "twitter" at first glance.

  4. Consider the context of the message. Be suspicious of any message that doesn't seem right. In this case, I hardly know the sender, so the message immediately looked out of context and suspicious to me.

  5. Be especially careful on tablets and phones because the fake address may be almost illegible on the small screen of a mobile device. If you aren't absolutely certain of the source, then don't click the link. If necessary, go to a desktop computer where you can more easily see details of the address.
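Steps 2 and 3 can be automated: before you follow a link, pull out the host name and compare it with the site you expect, folding letters that look alike at a glance so that "iwltter" is caught as a look-alike of "twitter" rather than treated as an unrelated domain. The checker below is an added example, not code from the ZDNet article; it assumes a small hand-built table of confusable characters and treats the last two labels of a host as its registrable domain (so "co.uk"-style suffixes would need a public-suffix list), and the sample links in it are constructed.

```python
"""Look-alike domain check for a link from a DM or e-mail (added example)."""
from urllib.parse import urlsplit
import ipaddress
import unicodedata

OK = "ok"                          # registrable domain matches what we expect
LOOKALIKE = "lookalike"            # near-miss spelling such as iwltter / twltter
SUBDOMAIN_SPOOF = "subdomain-spoof"  # expected name used as a label of another host
RAW_IP = "raw-ip"                  # bare IP address instead of a name
UNRELATED = "unrelated"            # some other site entirely

# Single characters that read alike, especially on a small screen.
# Constructed for this example; a production check would use the
# Unicode confusables table instead of this hand-built list.
_FOLD = str.maketrans({"1": "l", "i": "l", "|": "l", "!": "l",
                       "0": "o", "5": "s", "3": "e"})
# Two-character sequences that look like one letter.
_PAIRS = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def skeleton(label: str) -> str:
    """Fold a host label to its visual 'shape' so look-alikes compare equal."""
    label = unicodedata.normalize("NFKC", label).lower().translate(_FOLD)
    for pair, single in _PAIRS:
        label = label.replace(pair, single)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of the host. Assumption: no public-suffix list."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def check_link(url: str, expected: str) -> str:
    """Classify the host in `url` against the domain we expect, e.g. 'twitter.com'."""
    host = (urlsplit(url if "://" in url else "http://" + url).hostname or "").lower()
    if not host:
        return UNRELATED
    # Punycode (xn--) labels are decoded so IDN look-alikes get folded too.
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass
    try:
        ipaddress.ip_address(host)
        return RAW_IP
    except ValueError:
        pass
    expected = expected.lower()
    if registrable(host) == expected:
        return OK
    # "twitter.com.login-verify.example": the real name used as a subdomain.
    if ("." + expected + ".") in ("." + host):
        return SUBDOMAIN_SPOOF
    got = registrable(host)
    if "." not in got or "." not in expected:
        return UNRELATED
    got_label = got.rsplit(".", 1)[0]
    exp_label = expected.rsplit(".", 1)[0]
    # Compare shapes, not spellings: iwltter -> lwltter, twitter -> twltter.
    if levenshtein(skeleton(got_label), skeleton(exp_label)) <= 2:
        return LOOKALIKE
    return UNRELATED


if __name__ == "__main__":
    # Constructed sample links, not real phishing URLs.
    for link in ("https://twitter.com/login", "http://iwltter.com/login",
                 "https://twitter.com.login-verify.example/", "http://192.0.2.10/twitter/"):
        print(f"{link:50} {check_link(link, 'twitter.com')}")
```

Anything other than `ok` is a reason not to type a password; a `lookalike` verdict is exactly the "iwltter" case above, and `subdomain-spoof` catches the variant where the genuine name is buried at the left of a longer host, which is the part a phone screen truncates first.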

Phishing is a growing problem that you must take seriously. The scammers have become more sophisticated in mimicking legitimate sites, so give those links an extra level of scrutiny before you click.



  • Identity theft

    Securing our personal information on social media is important to prevent the risks of identity theft. Just came across an informative whitepaper on ID theft, "Wire fraud and Identity theft: Risks and prevention for Banks and consumers", which readers will find very helpful @
  • Every company has the means to identify and stop this problem...

    Anyone concerned their company is at risk should contact Message Bus as we provide a free report to enterprises to identify if their brand is being hijacked by malicious email senders in the manner you highlight. We also offer a paid service for outbound email which ensures each and every email sent is verified, authenticated, and filtered based upon policy established by the enterprise, effectively putting a stop to a company being hijacked and exposing their customers to malware / phishing risks. Thanks for highlighting this issue as most companies have no idea the harm they are causing their customers and their brand reputation - and a fix exists! (
  • Beware sophisticated Twitter phishing scams

    If it's sophisticated we know Loverock Davidson or Toddbottom3 couldn't have created it..................
    Over and Out
  • Easy to avoid

    Avoid twitter ... in any spelling :)
    if not
    then avoid any URL only tweet/email/facebook comment etc
    Da Womby
  • Somebody stole my identity last week...

    Today they showed up at my door and pleaded for me to take it back...

  • Social Media Scams

    This isn't just about businesses Ken

    Social media, online databases and our "connected" lifestyle have made it easier than ever for criminals to use technology to steal identities, money, and data from unsuspecting users. Here are some of the most prevalent technology scams of 2012, so you don't fall victim to these tricky ploys.

    To protect yourself, never allow an unknown party access to your computer. If you get a call from someone claiming that your computer is doing anything - be it transmitting a virus, downloading copyright-protected content, etc. - immediately hang up and call your trusted computer repair company. Remote computer repair is a great tool, but only in the hands of a reputable repair professional.