Within a span of 48 hours, no fewer than three separate financial institutions — two credit unions and one bank — fell victim to a now common social-engineering ploy whereby hackers get people to voluntarily surrender their passwords then hijack the account for their own nefarious purposes.
It starts innocently enough. A hacker sends a simple message to a bank or credit union employee: “Hey is this you in this picture?” The message includes a link that takes the employee to a login page — created by the hacker — asking for their Twitter name and password. Anyone who gives up their login information will unknowingly start sending out porn spam (or something similarly disagreeable).
In the most recent spate of hacker attacks on Twitter, Advance Savings was one of the first unfortunate victims. They unwittingly sent all their 300+ followers this eyebrow-raising tweet:
A little while later, Omni Credit Union sent this message to their followers on Twitter:
Within a few hours, both credit unions had reclaimed control of their Twitter accounts and were sending out their apologies:
HSBC’s First Direct, widely celebrated as the only major U.K. bank to embrace Twitter, fired off a series of tweets to its 80+ followers after it realized its Twitter account had been compromised.
First Direct also responded with a post on its blog. In “Twitter Spam: An Apology,” First Direct retraced how its account was hacked, explained why they responded the way they did, and offered reassurances for the future.
“This is new to us and to the financial services sector as a whole. We made a mistake, fixed it as soon as possible and we’re taking steps to ensure it doesn’t happen again,” they wrote in their blog. “We’re very sorry, but we are only human after all.”
Bottom Line: A hacked Twitter account is more than just a mere annoyance that may cost your financial institution a few followers on Twitter. It’s embarrassing and it undermines people’s trust in you. It suggests to consumers that you aren’t technologically savvy. And it practically eliminates the chance that you might ever introduce a Twitter application like those from ING Direct and Vantage Credit Union.
5 Tips to Avoid Being a Twitter Spam Victim
- When spammy tweets and unusual direct messages start flying around Twitter, it’s a cue to change your password. You may have unknowingly given hackers your login information days or weeks ago. Better safe than sorry.
- Always look at the URL before you enter your name/password at any site. Make sure you know what the authentic login URL looks like.
- Suspect every message you receive from people you don’t know personally. If anyone sends you a link that directs you to a login page — especially someone you don’t recognize — you should assume you’re probably dealing with a hacker.
- Go to http://twitter.com/settings/connections and “revoke access” for anything you don’t recognize.
- And, of course, change your password on a regular basis (and remember to use random, mixed-case LeTT3rs and nUmb3rs).
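The second tip (look at the URL before typing a password) is easier to follow with a concrete rule than with intuition, because a phishing link can put a familiar name in a place that is not the host. The following Python script is an added example, not code from the original article or from any of the institutions mentioned. It assumes a constructed allowlist of legitimate Twitter login hosts and a set of constructed sample links modelled on the "is this you in this picture?" lure; it reports which host a browser would really connect to and why a link is or is not safe to enter credentials at.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example: the only hosts at which Twitter
# credentials should ever be typed. This is an assumption, not an official list.
LEGITIMATE_LOGIN_HOSTS = frozenset({"twitter.com", "www.twitter.com", "mobile.twitter.com"})


def effective_host(url):
    """Return the host a browser would actually connect to for this URL
    (lowercased, trailing dot removed), or None if it cannot be determined."""
    parts = urlsplit(url.strip())
    host = parts.hostname  # drops any userinfo before '@' and any :port; lowercases
    if not host:
        return None
    return host.rstrip(".")


def check_login_url(url):
    """Classify a link that leads to a login page.

    Returns (verdict, reason) where verdict is "ok" or "suspicious".
    Only an exact host match passes: a look-alike such as
    twitter.com.<some other domain> is a different host and is rejected."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return ("suspicious", "not a web URL")
    host = effective_host(url)
    if host is None:
        return ("suspicious", "no host in URL")
    if "@" in parts.netloc:
        # Everything before '@' is userinfo, not the site; the real host is after it.
        return ("suspicious", "userinfo before host hides the real site (%s)" % host)
    if host.startswith("xn--") or ".xn--" in host:
        # Punycode labels can render as characters that resemble a trusted name.
        return ("suspicious", "internationalised (punycode) host %s" % host)
    if host not in LEGITIMATE_LOGIN_HOSTS:
        return ("suspicious", "host %s is not a known login host" % host)
    if parts.scheme != "https":
        return ("suspicious", "login page is not served over https")
    return ("ok", "host %s is on the allowlist over https" % host)


if __name__ == "__main__":
    # Constructed sample links; the .example domains are reserved placeholders.
    SAMPLE_LINKS = [
        "https://twitter.com/login",
        "https://TWITTER.COM/login",
        "http://twitter.com/login",
        "https://twitter.com.photo-check.example/login",
        "https://twitter.com@photo-check.example/login",
        "https://xn--twtter-8xa.example/login",
        "twitter.com/login",
    ]
    for link in SAMPLE_LINKS:
        verdict, reason = check_login_url(link)
        print("%-48s %-10s %s" % (link, verdict, reason))
```

The design choice worth noting is the exact-match allowlist: substring checks such as "does the URL contain twitter.com" are exactly what the look-alike and userinfo forms defeat, so the check compares the parsed hostname as a whole and treats anything else, including a plain-http copy of the real host, as a reason to stop and not type a password.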