How to avoid falling victim to support scams on Twitter

Scammers pretend to represent brands on Twitter and lure customers onto phishing websites. Here’s how to avoid it.


On the internet nobody knows if you’re a dog. Scammers on Twitter rely on that and frequently try to trick users into believing that they represent a vendor’s tech support, and then extract financial information from them.

How fraudsters scam people seeking support on Twitter

One of the most convenient ways to talk directly to a brand is to post something on social media, and mention them in that post – most commonly on Twitter. Pretty much every brand has an account on Twitter and a social media representative, who will notice your mention and somehow react — either by trying to help you or forwarding your request to support specialists.

However, it’s not always clear that someone who has reacted to your post actually represents the brand. And, let’s be honest, many people just don’t pay much attention to who they are talking to on social media if it’s not one of their friends. They primarily care about what they read. Of course, at some point scammers started exploiting this, mimicking brand accounts on Twitter and tricking people.

Usually it goes as follows:

First, the user posts a complaint on Twitter, expecting the brand to communicate with them.

Then the scammers, pretending to represent the brand, reply to the comment and try to lure the user into talking with them. What they usually do next is one of the following:

  1. They ask to move to DMs, where they try to lure the user into giving away their personal information.
  2. They suggest messaging them directly on some third-party platform, where they use the same tactics but don’t fall under Twitter’s rules.
  3. They pretend to be just a random person trying to help, saying that tech support rarely answers requests on Twitter, but that there’s a form the user allegedly needs to fill in to create a ticket directly with the brand’s support. The form contains mandatory fields for sensitive data.

Most of all, scammers like to prey on customers of cryptocurrency-related services, as these are still in something of a grey area when it comes to legislation (and there’s big money circulating in the crypto field). However, sometimes they may pretend to represent brands from other areas.

Scammers trying to mimic Twitter brand accounts of Blockchain and Trustwallet and luring users to DMs, or pretending to be helpful users who post (fake) links to support sites. Screenshots by @Malwarehunterteam


How not to fall for Twitter support scams

Below we’ve collected some advice for those who use social networks to seek support from brands:

  1. Check the name spelling. Does this account really belong to the brand you want to talk to? Brands usually don’t like impersonation, so they report copycats to Twitter. And official support won’t talk to you from their own accounts. Also be sure to check the Twitter handle, and not just the display name, of whoever is replying to you. Many scams, including the Elon Musk cryptocurrency scams, use accounts with his name as the display name but a noticeably fake Twitter handle.
  2. Check the verification tick mark. Official accounts of large brands usually have a tick mark to the right of their Twitter name. If the account doesn’t have a tick mark, it doesn’t necessarily mean it’s a scam; just be more cautious and look for other signs. The official account may not have a tick mark, but you can confirm the account handle on the company’s website, usually in the “About us” section.
  3. Do not provide any personal info in DMs, especially information that could be used to access your account (either on Twitter or on the service you’re talking to). Telling your account name is OK; telling your password or answering questions used for password recovery is not OK.
  4. Do not fill in any forms on sites other than the brand’s official site. Brands won’t use Google Docs or similar services for support purposes.
  5. Use a reliable security solution that can detect phishing. While the security solution most likely won’t be able to distinguish the scammer from the brand on Twitter, it will alert you if the scammers lure you onto a phishing website instead of the official one.
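The handle and link checks from the list above can also be automated, for example by a brand's social media team reviewing replies under customer complaints. The following is an added example, not code from the original article; the brand handle, domain, phrase list and sample replies are all constructed assumptions.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumed values for a hypothetical brand; take the real ones from the
# brand's own website, as the checklist advises.
OFFICIAL_HANDLE = "examplewallet"
OFFICIAL_DOMAINS = {"examplewallet.example"}
# Constructed phrase list for replies that try to move the conversation.
MOVE_RE = re.compile(r"\b(dm|dms|direct message|telegram|whatsapp)\b", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)

def host_of(url):
    """Lower-cased hostname of a URL, ignoring trailing sentence punctuation."""
    return (urlsplit(url.rstrip(".,;:!?)")).hostname or "").lower().rstrip(".")

def host_is_official(host):
    """True only for an official domain or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def triage_reply(handle, display_name, text):
    """Return warning flags for one reply; an empty list means nothing stood out."""
    flags = []
    h = handle.lstrip("@").lower()
    if h != OFFICIAL_HANDLE:
        # The handle identifies the account; the display name is free text.
        if SequenceMatcher(None, h, OFFICIAL_HANDLE).ratio() >= 0.8:
            flags.append("lookalike-handle")
        if OFFICIAL_HANDLE in re.sub(r"[^a-z0-9]", "", display_name.lower()):
            flags.append("brand-display-name-on-other-handle")
        if MOVE_RE.search(text):
            flags.append("moves-conversation")
    for url in URL_RE.findall(text):
        host = host_of(url)
        if not host_is_official(host):
            flags.append("off-brand-link:" + host)
    return flags

# Constructed sample replies: (handle, display name, text).
REPLIES = [
    ("@examplewallet", "ExampleWallet Support",
     "Sorry about that! Open a ticket at https://support.examplewallet.example/new."),
    ("@examplewa11et", "ExampleWallet Support", "Hello, kindly DM us for assistance."),
    ("@helpful_jane", "Jane",
     "Support rarely answers here, use https://docs.google.com/forms/d/constructed"),
]

if __name__ == "__main__":
    for handle, name, text in REPLIES:
        print(handle, triage_reply(handle, name, text) or "no flags")
```

An empty result does not prove a reply is genuine; it only means none of these particular signs were present.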

If you are a brand looking to safeguard your customers from such scams, we suggest that you read this blog post.

 

 
