
Elon Musk’s plans to charge for Twitter verification open the door for phishing

Verification on Twitter is a confused tangle of policy with no clear direction with regard to what it wants to be. Originally created in 2009 after an imitation account was not to Tony La Russa’s liking, it has served many purposes down the years. Is it a mark of celebrity, of authority in a particular field, a way to ward off imitation accounts, or an uneasy mix of all three?

Your guess is as good as mine, but recent suggested changes to how verification works have thrown things into chaos and also nudged a scam into the wild.

Want to be verified? Crack open the piggy bank

Soon after Elon Musk took control of Twitter, rumours swirled that verification was intended to be rolled into the $5 a month Twitter Blue service, which adds additional features to the social media experience. Now that figure has hit anything up to $20 a month and nobody seems to know quite what is happening, especially as Elon was yesterday haggling with Stephen King for some reason.

All of this uncertainty over currently verified accounts alongside whatever is going to happen down the line for new ones could only ever result in one thing: scams.

A “keep your verified status free” fakeout

TechCrunch says that Twitter’s “verification chaos” is now a security problem. I’d agree, with the caveat that it has always been a problem. Scammers target verified account owners, and have done so for years. This is simply another string to the chaos bow, if you will.

Multiple reports of an email-based phishing campaign have come to light.

It says:

“Don’t lose your free verified status

The verification badge will be $19.99 per month for some users after November 2, 2022. These users are users that we cannot fully verify are famous or well-known people. You need to give a short confirmation so that you are not affected by this situation. To receive the verification badge for free and permanently, please confirm that you are a well-known person. If you don’t provide verification, you will pay $19.99 every month like other users to get the verification badge.”

There are going to be an awful lot of people who have zero desire to pay $240 a year to retain a verification mark, and I’ve yet to see a badge owner state that they’d pay this regardless of whether or not they’re high or low profile. It makes sense that some folks would be tempted by this email “offer”, especially if it was particularly difficult to obtain the verified status in the first place.

Twitter scams: tricky to predict

At this point, nobody has any real idea what will happen for people who have a badge versus people wanting to get one in the near future. Maybe the fee, if it appears, will be cheaper for people who’ve had a badge for a long time or will differ by industry. Maybe some folks will be grandfathered in and not pay anything. Perhaps it’ll be cheaper to renew than obtain a new one. We simply don’t know, but what we can say for certain is that more verification scams will be along for the ride as changes to the verification route start to take shape.

We don’t know if Twitter will notify people by email, or if the notification will occur on the website or app itself. As a result, we can’t say for sure whether a mail mentioning what you have to do next will be fake or not. For now, the best advice for those potentially affected now or in the future is to keep an eye on and take note of appropriate announcements. Once the changes are baked in, you can guarantee that word of the official process will spread fast.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.