Or: what to do if your twitter account starts sending messages without your consent?
There’s a wave of phishing messages spreading out over twitter at the moment, and it’s very disconcerting. Suddenly you find that your friends are complaining that you are sending them rude direct messages on twitter, or someone tells you your account has been hacked. What do you do?
Here are some Frequently Asked Questions with answers which should get you on the right track.
1. What is a Phishing Scam?
“In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.”
Remember those emails which pretend to be from a bank with an ‘urgent update’, asking for you to ‘reset’ your account? They are phishing emails. The phisher is collecting your bank details by masquerading as your bank, so s/he can later steal money from your account. On Twitter, Phishing is carried out via a public @reply or direct message (DM), but it’s the same principle.
A phishing scam on twitter has the initial objective of obtaining users’ login details (username and password combination). If a phisher can compromise your account s/he can use it to obtain your followers’ details via the same method, taking advantage of the trust your followers have in you. This way, the phisher spreads out, stealing people’s login details, wave after wave. These accounts can then be used for other purposes, like spamming or spreading viruses and malware.
Contrary to the discussion on Radio 4 Today programme this morning, phishing can happen no matter how strong your password is. The phisher doesn’t care what your password is, they con you into handing it over anyway.
2. What does a Phishing Message look like?
The first thing you’ll know about a phishing scam is something quite innocuous – a direct message from someone you follow. The messages tend to be short, may seem personal but are not, and always contain a link. The most recent wave began with DMs saying “LOL is this you? http://link” designed to get you to click the link. The message can come from anyone you follow (anyone you follow can send you a direct message).
If you click the link, you’ll probably find yourself on a page which looks suspiciously like a twitter login page, and you’re asked for your login details. If you enter your details, you’ll be forwarded to twitter.com, logged in. Unbeknown to you, your login details have now been ‘phished’, and the phisher can then use them to take over your account at any time in the future, provided you don’t change them.
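The two warning signs described above (a short, impersonal DM carrying a link, and a login form that is not actually on twitter.com) can be written down as a small triage routine. The following is an added example for this FAQ, not code from the original post or from Twitter: the sample DMs, the landing-page URLs, the allow-list of legitimate hosts and the ‘short message’ threshold are all constructed for illustration. The host check is the important part, and it applies equally to the OAuth sign-in page mentioned in question 5: only the real host name of the page asking for your password counts, not whether “twitter.com” appears somewhere in the address.

```python
"""Heuristic triage of a suspected phishing DM and the page it links to.

Added example for this FAQ; not code from the original post or from
Twitter. DM texts, URLs, the allow-list and the length threshold are
constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Hosts that may legitimately ask for a Twitter password (an assumption
# for this example; a defender would maintain the real allow-list).
LEGIT_HOSTS = {"twitter.com", "www.twitter.com", "mobile.twitter.com"}

URL_RE = re.compile(r"https?://\S+")


def login_host_is_legit(url):
    """True only if the page's real host is one of the allowed hosts.

    urlsplit().hostname returns just the host, lower-cased, so tricks such
    as http://twitter.com.evil.example/ (extra subdomain) or
    http://evil.example/twitter.com/ (brand in the path) are not accepted.
    """
    host = (urlsplit(url).hostname or "").rstrip(".")
    return host in LEGIT_HOSTS


def dm_indicators(text):
    """Return the phishing indicators present in a DM (empty list = none)."""
    indicators = []
    links = URL_RE.findall(text)
    if links:
        indicators.append("contains_link")
    # Short bait text plus a link is the pattern the FAQ describes;
    # 'short' is under 60 characters once the link is removed (constructed).
    prose = URL_RE.sub("", text).strip()
    if links and len(prose) < 60:
        indicators.append("short_bait_with_link")
    if re.search(r"\b(is this you|lol|omg)\b", prose, re.IGNORECASE):
        indicators.append("bait_phrase")
    return indicators


def triage(dm_text, login_page_url=None):
    """Combine message and landing-page checks into (verdict, indicators).

    login_page_url is the address shown in the browser *after* following
    the link, if it was clicked; None if the link was not followed.
    """
    indicators = dm_indicators(dm_text)
    if login_page_url is not None and not login_host_is_legit(login_page_url):
        indicators.append("login_form_off_domain")
        return "phishing", indicators
    if len(indicators) >= 2:
        return "suspicious", indicators
    return "ok", indicators


if __name__ == "__main__":
    # Constructed sample DMs, modelled on the wave described in the FAQ.
    samples = [
        ("LOL is this you? http://tvvitter-login.example/",
         "http://tvvitter-login.example/login"),
        ("lol this you?? http://short.example/abc",
         "http://twitter.com.evil.example/login"),
        ("Thanks for the retweet earlier, see you at the meetup on Thursday",
         None),
    ]
    for text, landing in samples:
        verdict, why = triage(text, landing)
        print(f"{verdict:10} {why}  <- {text!r}")
```

The message heuristics alone only ever produce “suspicious”, because bait wording varies from wave to wave; the landing-page host is the decisive signal, which is why a password form on any host other than twitter.com is reported as phishing outright.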
3. Is it my Fault?
It’s really embarrassing to be caught out by a phishing scam, but don’t take it personally. Thousands of people are being duped, which is why it’s got to you, through them. The phisher is preying on your naturally inquisitive and helpful nature, but it’s not personal, you’re one of millions.
4. What do I do if my account is compromised?
If you realise that you’ve given away your password details then you need to change your password. You can do this via the twitter settings page – click on Settings when you are logged in, and then the password tab. If in doubt, change your password.
If you have trouble remembering passwords, don’t be tempted to go for an easy one. Even though a phisher doesn’t need to know your password, your account is too precious to give away. Choose a password with upper case and lower case letters, numbers and symbols in. Basing it on a word you can remember helps.
5. Are there other ways for my account to be compromised?
Many applications which work with twitter need your account details to work. Some of these programmes, like the twitter clients tweetdeck and tweetie2 for example, and the stats program twitteranalyzer, are extremely useful, but they aren’t controlled by Twitter.com and you have to satisfy yourself that they are to be trusted.
Unscrupulous internet users can set up an apparently useful and safe twitter program which in fact acts as a device to steal your account details, but you can avoid being caught out by using common sense. If you can get a recommendation from a trusted source, like the applications review site http://oneforty.com/, or a friend who has used a third party application safely, then you’re probably safe.
Twitter uses the OAuth system to help protect your security with third party applications. This is where the site transfers you back to twitter.com to enter your password and then returns you to the third party site once you are signed in, leaving your account details with twitter.com only. You can see all the applications you have authorised in this way from the settings page on twitter, just click the ‘Connections’ tab. If any applications there are unfamiliar to you, click to revoke access, and change your password afterwards.
Once you change your password, you will need to reset it in trusted applications like tweetdeck and hootsuite, or they will be denied access to your information and you will get locked out. Just go to the ‘accounts’ settings and enter your new password where you entered the original one.
6. What if I can’t access my account?
Your account may have been hijacked if the phisher changes your password so you can’t get in. Don’t worry, firstly this is very unusual, and secondly the account relies on your email address, so you can get twitter to reset your password via your email address, or contact them with a support request. Twitter has written about what to do here: http://bit.ly/SecureMyAccount
7. What should I do if I receive a suspicious DM?
During the last wave of phishing, I’ve received dozens of phishing messages from trusted friends. You’ll get used to seeing them after a while, but many of your friends won’t know they’ve been compromised, so don’t overreact.
Send them a public message to let them know, and a link to a post where they can find out what to do next. I always do it in public because the phishers don’t. They’ll thank you and be apologetic, but it’s ok. After all, it can happen to anyone.
Twitter has information about safe tweeting here.
You can follow @safety – the official Twitter account giving updates on safety on twitter
Matthew Franklin says
Very helpful, as ever! Just been sent this as I had some DM’s sent to me and wanted to know the best way to tell my fellow tweeters.
Julia Winston says
Thanks for the nice article, very useful … Do I need to change other passwords concerning this email?