Avoid 'Phishing' Scams

Friday, 26 February 2010

Over the past few days, Twitter has been helping folks victimized by a phishing attack. Phishing is a deceitful process by which an attempt is made to acquire sensitive information such as Twitter usernames and passwords. The bad guys masquerade as someone you trust and may send you a Direct Message (DM) with a link. This DM may say something along the lines of, “LOL that you??” followed by a link to a fake Twitter login page. If you enter your credentials on that fraudulent page, the phishers can sign in as you and trick more people.

Anatomy of A Phishing Scam

Generally a phishing attack against Twitter users breaks down to a three-part process. First, accounts compromised in the manner described above send out messages to all accounts following them. Second, accounts that are newly compromised send out more messages. Third, the scammers behind the phishing attack make an attempt at monetization by sending out spam links instead of links to a fake login page. We fight phishing scams by detecting affected accounts and resetting passwords. However, it’s better to stop them before they start.

Avoiding Phishing Scams

We designed the Direct Message system so that you could only get DMs from accounts that you choose to follow—this cuts way down on spam and attacks. Our Trust and Safety team identifies and deletes spam accounts every day. Still, we recommend against indiscriminately following hundreds or thousands of accounts without having a look first. To learn how you can avoid falling victim to a phishing scam or if you have other questions about keeping your Twitter account secure, please read Keeping Your Account Secure at our help site.

For regular status updates on related issues. please follow @safety and @spam. There is also a Twitter status blog that we update regularly. For a lot more information about Phishing, check out this article on Wikipedia.