Twitter Phishing: It’s Here, Now

Two months ago, The Financial Brand warned of the phishing risks financial institutions face on Twitter. Yesterday, at least two financial institutions had their official corporate Twitter accounts hacked, maybe more. While it seems no serious harm was done, it’s something all banks and credit unions need to be aware of. Here’s how it works.

If you’ve had any experience with Twitter lately, you may have seen one of these rather innocuous-looking messages show up in your private inbox:

hawthorne-spam

Some are phrased differently, like this narcissistic temptation: “Hey is this you in this picture? http://twitter.pictures.url

The only problem is that it’s a scam. The URL may look harmless, something like videos.twitter.secure-logins01.com (link inactive), but if you click on it, it takes you to a spoofed phishing site that looks identical to a real Twitter login screen. At this point, unsuspecting users who enter their account name and password have just handed their information over to hackers, who quickly hijack the account.

Which is precisely what happened to Hawthorne Credit Union and Brewer FCU yesterday. Some hacker started following them on Twitter a while ago. The unsuspecting credit unions repaid the courtesy by following them back. Wait a little while…then one day, a message from someone like jimbo_philly53 shows up in the credit union’s private inbox with a link.

“What’s this?” the person staffing the financial institution’s Twitter account wonders. They click on the link and assume they need to login to Twitter…to see the bait that the hacker has dangled.

Whammy! Account hijacked.

Make that two accounts hijacked.

Reality Check: For a certain period of time, hackers controlled the Twitter accounts of at least two credit unions. Remember, these are official, corporate communications channels.

If the hackers knew what they had, they wouldn’t have squandered their opportunities pushing $300-a-day, work-at-home schemes, as they did with the hijacked Brewer FCU account:

brewer-fcu-spam

If these guys knew they were in control of official credit union Twitter accounts, they would have sent this kind of private message to all the followers of Hawthorne and Brewer credit unions:

brewer-phishing

Fortunately for both credit unions, these hackers were merely interested in perpetuating their own scams.

Hawthorne issued the following apology:

hawthorne-apology

But it could have turned out much worse. Remember, these two credit unions were only caught in a wide hacker dragnet. Someday very soon, financial institutions’ Twitter accounts will come under direct assault by hackers deliberately looking to defraud consumers.

Key Question: What would have happened if some sweet, unsuspecting person coughed up their financial details to these hackers, who then cleaned out their accounts and stole their identity? How would consumers and financial institutions feel about using Twitter if/when that story breaks?

Bottom Line:

  • If you don’t think this is a problem for your financial institution because you aren’t on Twitter today, think again. Someone else could be on Twitter right now, building followers using your brand name. Then...whammy!
  • Never enter your account information at any website without verifying that the URL displayed in your browser window is legitimate. Make sure anyone staffing your social media accounts is careful about this too.

This article was originally published on . All content © 2019 by The Financial Brand and may not be reproduced by any means without permission.