Twitter Blue Badge email scams – Don’t fall for them!

It’s only a week since Elon Musk’s take-private of Twitter on 28 October 2022…

…but if you take into account the number of news stories about it (and, perhaps ironically under the circumstances, the volume of Twitter threadspace devoted to it), it probably feels a lot longer.

There’s been plenty to set the fur flying, starting with Musk’s curious choice of metaphor in arriving at Twitter HQ on takeover day with a kitchen sink, as though the company’s products and services were already so close to complete that they needed nothing more than the aforementioned dishwashing receptacle to finish things off.

Then there was the peremptory, if not-at-all unexpected, dismissal of the top tier of management; a pair of pranksters carrying cardboard boxes who tricked journalists into reporting they’d just been sacked and escorted offsite; staff who had been sacked apparently finding out when their access codes abruptly stopped working; and Twitter’s apparent rush to switch its well-known Blue Badge into a subscription service, not simply a verification system.

At the time of writing [2022-11-04T17:00Z], however, Twitter’s own documentation still stressed that so-called Verified Accounts are so labelled in order to denote that “an account of public interest is authentic, […] notable, and active.”

In fact, once you’re Verified, at least under today’s rules, you can’t voluntarily cast off your blue badge yourself, though you can have it pulled by Twitter “at any time without notice.”

Where FUD goes…

As you can therefore imagine, or as you’ve probably seen for yourself, Twitter’s current intention to make the blue badge into a pay-to-play service has stirred up plenty of fear, uncertainty and doubt, and where FUD goes…

…cybercriminals love to follow, whether it’s calling you up out of the blue (no pun intended) and telling you “Microsoft” has detetced “dangerous viruses” on your computer, or texting you to ask you to reschedule your latest home “delivery”, or emailing you to warn you about an Instagram copyright “infringement” on your account.

Indeed, the Twitter Verified scamming started quickly, with Zack Whittaker at TechCrunch publishing screenshots of blue-badge-themed phishing attacks last weekend:

The emails reported to Whittaker had been sent to journalists, and guessed that Twitter would be charging $20 a month for a blue-badge privilege. (The crooks actually went for $19.99, presumably because round numbers are surpisingly uncommon as prices in the English speaking world, with that one-cent reduction apparently making a $1000 ripoff look like a bargain when it turns up for just $999.99.)

The crooks in this scam suggested that you could simply “reverify” in order to retain your existing blue badge and thus avoid future charges, and helpfully provided a login button so you could do just that.

Of course, clicking through took you to a fake site that tried to harvest your phone number and Twitter login details, but you can imagine many other approaches that scammers could take, including:

  • Inviting you to “sign up early” to avoid disappointment, and then phishing for your payment card details.
  • Offering to help you stake a claim on an existing account name, and then phishing for significant personal information.
  • Urging you to “pre-apply” to save time later, then requesting similar information.

Elon Musk himself, apparently, has subsequently said, “Power to the people! Blue for $8/month,” which certainly invalidates the first round of scam emails that insisted the price was going to be $19.99…

…but does nothing to prevent the next round of scammers from simply coming up with new verbiage that’s updated for the new terms and conditions.

What to do?

Our usual cybersecurity advice applies, and it will help you avoid phishing scams whether their hook is the Twitter takeover, Black Friday “superdeals”, home delivery “failures”, bank account “problems”, or any other sort of message that tries to lure you in with fear (including fear of missing out), uncertainty and doubt:

  • Use a password manager. This helps stop you putting a real password into a fake site, because your password manager won’t recognise the imposter web pages.
  • Turn on 2FA if you can. Two-factor authentication means you need a one-time code as well as your password, making stolen passwords alone less useful to the crooks.
  • Avoid login links and action buttons in emails. If there’s action you need to take on the website of a service you genuinely use, find your own way to the real site using a URL you already know or can look up securely.
  • Never ask the sender of an uncertain message if they’re legitimate. If they’re genuine, they’ll say so, but if they’re scammers, they’ll say exactly the same thing, so you’ve learned nothing!

Remember: If in doubt, don’t give it out.

If it sounds like a scam, simply assume that it is, and bail out up front.


go top