As an online network grows, it eventually attracts enough eyeballs to warrant the attention and efforts of spammers and scammers. Twitter has both. Over the last several days, Twitter has been hit hard by a phishing scam. The only surprise is that it took this long to occur.
The Wikipedia definition for phishing is:
"the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication."
While Twitter phishing seems to make less sense than email phishing aimed at harvesting bank account details or other confidential information, it can certainly still cause headaches for the Twitter account owner. So, it's an appropriate time for some practical advice on how to protect yourself from falling prey to such scams.
- Do not click on any links contained within Direct Messages - This is difficult because we use DMs to share so much information, particularly links. If you're not certain a link is legitimate, send an @ reply to the sender of the DM asking for confirmation.
- Do not follow any of the instructions contained in a suspicious Direct Message - Don't follow the link (see above). If you're not sure, don't reply with any information that may have been requested. Sending the details via email is a safer alternative.
- Notify Twitter - Report the offending Twitter account so it can be properly blocked or removed from the system. Techcrunch has written a post with details on how to report Twitter spammers/abusers.
- Delete the Direct Message
- Alert your network - Send a public Tweet notifying others about the hijacked account
- Rotate your Twitter password - You may want to think about incorporating this practice into your normal routine. With so many Twitter tools and services online, you're taking on elevated risk every time you authenticate to Twittergrader, Qwitter, Twittercounter, etc... (I am a big fan and trust these sites, but the risk exists regardless). Anyone can create a "Twitter tool" that requires passing your username and password to the Twitter API. Trusting that everyone who does will protect you and not capture or keep your password is asking too much. Proactively protect yourself by changing your Twitter password regularly (you decide how often, but monthly isn't a bad idea). In addition, make sure your Twitter password is unique. Never use the same password that you use for email, network access, bank account access, etc... Good identity security is about having strong layered defenses. Don't put all your accounts at risk by using the same password universally.
What did I miss? Feel free to add any additional tips in the comments and I will update the post crediting you.