Beware bogus blue verified checkmark scams on Twitter

For a while, all Twitter users wanted one – but they couldn’t get one.

The famous verified “blue tick” seemed only to be available to celebrities, journalists and high street brands who had convinced Twitter to hand one over (perhaps by allocating a decent marketing budget on Twitter ads).

But a month ago, it was announced that Twitter was opening up the potential of wearing the famous blue checkmark to any account which requested one by filling out an online form.

Frankly, now the blue tick is available to just about any Tom, Dick or Harry on Twitter the allure has faded somewhat. It hardly places you into the elite club that you may have once dreamt of entering.

But still, for good reasons and sometimes shallow reasons, many people would love to have it.

And that desire is something that scammers are happy to exploit.

Take, for instance, this scam which was being played out on Twitter last week.

If you saw it in your Twitter timeline, you might very well click on the link without thinking – imagining that the account is run by Twitter. After all, it is displaying the same avatar as the one used by the legitimate @verified account.

And clicking on the link *does* take you to a website which – at first glance – might look like a genuine Twitter property to those lacking in caution.


Clicking further, however, takes you to a form which should instantly set your alarm bells ringing. It asks you to enter information such as your email address and your number of followers (both pieces of information that Twitter should already know) as well as your username and password.


Once you fill your details in this form, they are instantly transmitted to the hackers – who can then use your credentials to hijack your account for the purposes of spam or spreading malicious links. Furthermore, if you have made the mistake of reusing your Twitter password elsewhere on the net there is a good chance that you may have other online accounts compromised by the hackers in follow-up attacks.

I reported the phishing URL to Google, and I’m pleased to report that it is now being blocked by most browsers.


The offending Twitter account has also been suspended.

There are a few lessons here, which all internet users would be wise to learn.

Firstly, always be careful about where you enter your login credentials. Make sure that you are on the proper website by examining the URL closely, and consider that one of the benefits of running a good password manager is that it will not let you easily fill in your password unless it recognises it.

Secondly, never reuse passwords on multiple websites. If one site gets hacked, online criminals will often try to use the same credentials to unlock your other online accounts.

Thirdly, harden your defences. Where available (as it is on Twitter) enable two-step verification or two-factor authentication to provide an additional layer of defence for your accounts. With 2SV or 2FA in place, hackers will need more than your password to break into your accounts making it – in most cases – something that they’ll simply not bother with, as they move to find softer targets.

Leave a Reply