Twitter Phishing: It’s Here, Now

By Jeffry Pilcher

Published on October 15th, 2009 in Social Media Strategies

Two months ago, The Financial Brand warned of the phishing risks financial institutions face on Twitter. Yesterday, at least two financial institutions had their official corporate Twitter accounts hacked, maybe more. While it seems no serious harm was done, it’s something all banks and credit unions need to be aware of. Here’s how it works.

If you’ve had any experience with Twitter lately, you may have seen one of these rather innocuous-looking messages show up in your private inbox:

[Image: hawthorne-spam]

Some are phrased differently, like this narcissistic temptation: "Hey is this you in this picture? http://twitter.pictures.url"

The only problem is that it’s a scam. The URL may look harmless, something like videos.twitter.secure-logins01.com (link inactive), but if you click on it, it takes you to a spoofed phishing site that looks identical to a real Twitter login screen. At this point, unsuspecting users who enter their account name and password have just handed their information over to hackers, who quickly hijack the account.

Which is precisely what happened to Hawthorne Credit Union and Brewer FCU yesterday. Some hacker started following them on Twitter a while ago. The unsuspecting credit unions repaid the courtesy by following them back. Wait a little while…then one day, a message from someone like jimbo_philly53 shows up in the credit union’s private inbox with a link.

"What’s this?" the person staffing the financial institution’s Twitter account wonders. They click on the link and assume they need to log in to Twitter…to see the bait that the hacker has dangled.

Whammy! Account hijacked.

Make that two accounts hijacked.


Reality Check: For a certain period of time, hackers controlled the Twitter accounts of at least two credit unions. Remember, these are official, corporate communications channels.

If the hackers knew what they had, they wouldn’t have squandered their opportunities pushing $300-a-day, work-at-home schemes, as they did with the hijacked Brewer FCU account:

[Image: brewer-fcu-spam]

If these guys knew they were in control of official credit union Twitter accounts, they would have sent this kind of private message to all the followers of Hawthorne and Brewer credit unions:

[Image: brewer-phishing]

Fortunately for both credit unions, these hackers were merely interested in perpetuating their own scams.

Hawthorne issued the following apology:

[Image: hawthorne-apology]

But it could have turned out much worse. Remember, these two credit unions were only caught in a wide hacker dragnet. Someday very soon, financial institutions’ Twitter accounts will come under direct assault by hackers deliberately looking to defraud consumers.

Key Question: What would have happened if some sweet, unsuspecting person coughed up their financial details to these hackers, who then cleaned out their accounts and stole their identity? How would consumers and financial institutions feel about using Twitter if/when that story breaks?

Bottom Line:

  • If you don’t think this is a problem for your financial institution because you aren’t on Twitter today, think again. Someone else could be on Twitter right now, building followers using your brand name. Then...whammy!
  • Never enter your account information at any website without verifying that the URL displayed in your browser window is legitimate. Make sure anyone staffing your social media accounts is careful about this too.
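As an added illustration (not part of the original article), here is a small Python check for the lookalike-host trick the bait URLs above rely on: the brand name sits in a subdomain, but the domain that actually controls the login page is someone else's. The allowlist, the brand list and the two-label domain split are assumptions for this example.

```python
from urllib.parse import urlsplit

# Registrable domains that social-media staff are allowed to log in to.
# Constructed allowlist for this example; extend it for your own brands.
TRUSTED_DOMAINS = {"twitter.com"}

# Brand words whose presence in a host that is NOT on the allowlist marks the
# classic lookalike pattern, e.g. videos.twitter.secure-logins01.com.
BRAND_WORDS = {"twitter"}


def registrable_domain(hostname: str) -> str:
    """Return the last two labels of a hostname (e.g. 'secure-logins01.com').

    Simplification: only two-label registrable domains are handled; a real
    deployment would consult the Public Suffix List for names like co.uk.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_login_url(url: str) -> str:
    """Classify a login-page URL as 'trusted', 'lookalike' or 'unknown'.

    'lookalike' means a brand word appears in the host (any label) or in the
    user-info part before '@', while the registrable domain is not trusted.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if not host:
        return "unknown"
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return "trusted"
    # The user-info trick: http://twitter.com@evil.example/ logs in to evil.example.
    userinfo = (parts.username or "").lower()
    if any(word in userinfo for word in BRAND_WORDS):
        return "lookalike"
    if any(word in label for label in host.split(".") for word in BRAND_WORDS):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample URLs, including the two patterns quoted in the article.
    for sample in ("https://twitter.com/login",
                   "videos.twitter.secure-logins01.com",
                   "http://twitter.pictures.url",
                   "http://twitter.com@evil.example/"):
        print(f"{sample:45} -> {classify_login_url(sample)}")
```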