
Web Business by Ken Burbary

Web Marketing, Social Media, Web Technology


Practical Guide to Avoid Twitter Phishing Scams

January 4th, 2009 · Comments · Social Media, Twitter


As an online network grows, it eventually attracts enough eyeballs to warrant the attention and efforts of spammers and scammers. Twitter has both. Over the last several days, Twitter has been hit hard by a phishing scam. The only surprise is that it took this long to occur.

The Wikipedia definition for phishing is:

“the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.”

While Twitter phishing seems to make less sense than email phishing, which harvests bank account details or other confidential information, it can still cause real headaches for the Twitter account owner. So it’s an appropriate time for some practical advice on how to protect yourself from falling prey to such scams.

  • Do not click on any links contained within Direct Messages – This is difficult because we use DMs to share so much information, particularly links. Send an @ reply to the sender of the DM asking for confirmation if you’re not certain the link is legitimate.
  • Do not follow any of the instructions contained in a suspicious Direct Message – Don’t follow the link (see above). Don’t reply back with any information that may have been requested by someone if you’re not sure. Sending a reply with details via email is a safer alternative.
  • Notify Twitter – Report the hijacked Twitter account so that it can be properly restored to its rightful owner. TechCrunch has also written a post with details on how to report Twitter spammers/abusers.
  • Delete the Direct Message
  • Alert your network – Send a public Tweet notifying others about the hijacked account.
  • Rotate your Twitter password – You may want to think about incorporating this practice into your normal routine. With so many Twitter tools and services online, you’re taking on elevated risks every time you authenticate to Twitter Karma, Tweetree, Twitterfone, etc… (I am a big fan and trust these sites, but the risk exists regardless). Anyone can create a “Twitter tool” that requires passing your username and password to the Twitter API. Trusting that everyone who does will protect you and not capture/keep your password is asking too much. Proactively protect yourself by changing your Twitter password regularly (you decide how often, but monthly isn’t a bad idea). In addition, make sure your Twitter password is unique. Never use the same password that you use for email, network access, bank account access, etc… Good identity security is about having strong layered defenses. Don’t put all your accounts at risk by using the same password universally.

UPDATE: Added these tips from Twitter user Axel Schultze

  • Don’t retweet a clickable BAD LINK. Put a space between http:// and the rest of it.
  • Never retweet a link that you haven’t clicked yourself.

What did I miss? Feel free to add any additional tips in the comments and I will update the post crediting you.



  • If you use Google Chrome, the site's been reported as a phishing site, so it doesn't show for you even if you click it. Kudos to Google Chrome for having that feature built in.

    Nice round up of tips too. I was also surprised that it took so long for the phishing to occur.
  • Oh please, Ken, there's nothing wrong with clicking links. The important part is don't enter your personal information into websites where you haven't visited before and/or where a Google/Twitter search indicates contrary advice.
  • jimgray69
    Dude! Thanks for the info!
  • Excellent advice that can't be discussed enough. Some of us will take this info for granted and forget there are those not yet aware of scam and spam potentials. Thanks for making the explanation simple and to the point.
  • Use common sense. If you're in Twitter (or a Twitter service like Twhirl) and you click a link that then asks you to sign in to Twitter (which you were already signed into), don't do it. Also look at the URL. If it's not twitter.com (or whatever it's pretending to be) then don't use it. If you have signed into a site at least once then you know it's www.siteilike.com and not siteilike.signin-access.com
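The URL check described in this comment, turned into code as an added example (not from the post or its commenters). The trusted-host list and the look-alike host names are constructed for illustration, and the registrable-domain helper is a simplification that ignores multi-label public suffixes such as .co.uk:

```python
from urllib.parse import urlsplit

# Hosts the user has signed in to before (constructed list for this example,
# not an official allow-list of any service).
EXPECTED_HOSTS = {"twitter.com", "www.siteilike.com"}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a host name, e.g. 'twitter.com'.

    Simplification: multi-label public suffixes (.co.uk, .com.au) are
    not handled; a real implementation would use the Public Suffix List.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_trusted_login_host(url: str, trusted=EXPECTED_HOSTS) -> bool:
    """True only if the link's host belongs to a domain we already trust.

    The familiar name appearing somewhere in the host is not enough:
    'siteilike.signin-access.com' is a subdomain of signin-access.com,
    and 'twitter.com@evil.example' puts 'twitter.com' in the userinfo
    part, so the real host is evil.example in both cases.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower()
    if not host:
        return False
    trusted_domains = {registrable_domain(h) for h in trusted}
    return registrable_domain(host) in trusted_domains


if __name__ == "__main__":
    # Constructed sample links: two genuine, three look-alikes.
    for link in ("https://twitter.com/login",
                 "http://www.siteilike.com/login",
                 "http://siteilike.signin-access.com/login",
                 "http://twitter.com.evil.example/login",
                 "http://twitter.com@evil.example/login"):
        print(f"{'trusted' if is_trusted_login_host(link) else 'SUSPECT'}: {link}")
```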
  • Just FYI none of the tools you mention (Twittergrader, Qwitter, Twittercounter) are a risk since they don't ask for your password.
  • Thank you for pointing that out. I've updated the post to reflect only 3rd party Twitter sites that ask for both username and password
  • Cool, Ken. You might also want to re-phrase the part about notifying Twitter so the offending accounts can be blocked or deleted. Many of the accounts are "normal" twitter users who have no idea their account has been hijacked. (It's similar to spammers sending email from any email account they want.)

    If you get a DM, you might try sending them an @ message to see if they reply, letting them know they should change their password. That should fix it for them.
  • Noted. And updated. Thanks for helping improve this guide.
  • DON'T notify twitter in the present case! Notify the poor person who only has to change their password to take back control
  • Notifying them the account has been hijacked, so they can work to restore it. Not to label the account as Twitter spam
  • Hey Ken, I meant to say thanks for this post as I sent this to many of my Tweeps as they wondered about all the weird activity going on in the Twitterverse. So thanks and see you at the next Tweetup!
  • What am I doing ?
    Good question !
    I am helping my patients get better through chiropractic.
    Dr. David Black
    www.blackchiropractic.com.au