By Paul Ducklin
Social media often gets crazy, but not often as crazy as this.
Many prominent, verified Twitter accounts have been tweeting out cryptocoin scams, with fake tweets reported from an eclectic range of high-profile people and companies, apparently including Joe Biden, Elon Musk, Barack Obama, Bill Gates, Apple and many others.
The scam tweets reportedly included catchy – if highly unlikely – messages such as “Feeling greatful [note spelling blunder], doubling all payments made to my Bitcoin address,” urging people to pay out $1000 and get $2000 back.
Of course, it’s all a pack of lies – after all, if someone already had $1000 to gift you, why wouldn’t they just send it to you, instead of making you pay in $1000 first and then giving you your money back plus another $1000?
Nevertheless, these tweets really did come from verified accounts, so you can see why people might fall for this – it’s not like receiving an email that is signed off “Elon Musk” if the tweet genuinely seems to have come from his account.
Twitter has taken the unusual but understandable step of closing down parts of its service while it investigates, and its own support account has just tweeted to say that the company is “continuing to limit the ability to Tweet, reset your password, and some other account functionalities while we look into this:
Until we know exactly how these scam tweets were sent, it’s difficult to suggest what actions you might take, particularly given that access to services such as password changes (and presumably also changing details such as two-factor authentication numbers) is being restricted.
However, these scammers will only succeed if people fall for their unlikely messages – which rely on people suspending their disbelief simply because the tweet comes from a celebrity or someone they are inclined to trust.
What you need to know
So you can nevertheless protect yourself by following these three simple steps:
- If a message sounds too good to be true, it IS too good to be true
If Musk, Gates, Apple, Biden or any well-known person or company wanted to hand out huge amounts of money on a whim, they wouldn’t demand that you hand them money first. That’s not a gift, it’s a trick, and it’s an obvious sign that the person’s account has been hacked. If in doubt, leave it out!
- Cryptocurrency transactions don’t have the legal protections that you get with banks or payment card companies
There is no fraud reporting service or transaction cancellation in the world of cryptocurrency. Sending someone cryptocoins is like handing over banknotes in an envelope – if they go to a crook, you will never see them again. If in doubt, don’t send it out!
- Look out for any and all signs that a message might not be real
Crooks don’t have to make spelling mistakes or get important details wrong, but often they do, like the word “greatful” in the example above. So if the crooks do make a blunder, such as writing 50$ when in your country the currency sign comes first, making a mess of their own phone number, or using clumsy or unnatural language, don’t let them get away with it. Treat it with doubt unless everything checks out!
(The writer is the Principal Research Scientist at Sophos)