Elon Musk’s Twitter Is a Scammer’s Paradise

Anyone can get a blue tick on Twitter without proving who they are. And it’s already causing a ton of problems.
[Illustration: 3D rendering of a pile of blue checkmarks representing the verified Twitter symbol. Credit: Priyanka Naskar/Alamy]

At the end of August, Sean Murphy was trying to book a flight between Nairobi, Kenya, and Entebbe, Uganda, with Kenya Airways. “The information on the booking page was ambiguous,” says Murphy, the cofounder of Web3 company ImpactScope. So he fired off a quick direct message to the verified Kenya Airways account on Twitter, asking it to confirm baggage allowances for the flight. A day later, when the account didn’t reply, he sent the company a public tweet reminding it about the question. Then the replies started.

Within minutes, multiple Twitter accounts claiming to be Kenya Airways tweeted him. All of them offered help, but none of them appeared official. The accounts used Kenya Airways’ logo and slogan, but clicking on their profiles raised red flags. “Most of their messages were well crafted,” Murphy says. “However, the low number of followers coupled with the spelling errors or odd choice of characters in their actual Twitter handles was the main giveaway.” The accounts included “@_1KenyaAirways” and “@kenyaairways23.”

It’s now easier for Twitter accounts to appear official. In the chaotic days since Elon Musk completed his $44 billion takeover of Twitter and subsequently fired thousands of staff, the social network has revamped how its account verification works. The new Twitter Blue subscription, which has started rolling out to some users, allows anyone to pay $8 per month and get a blue check mark showing they are “verified.” The tick appears almost instantly once someone stumps up the cash, and no questions are asked—people do not have to prove their identity.

The new tick marks a stark departure from Twitter’s previous approach to verification, under which only accounts belonging to brands, public figures, and governments were given blue ticks next to their name, and every one of those was approved by Twitter staff. The new verification process—or lack of it—is likely to make it easier for scammers, cybercriminals, and peddlers of disinformation to hone their craft and appear legitimate.

“Cybercriminals very easily use social media as the perfect vehicle to target unbeknown victims, but when there is no clear and genuine way to check identities, you open up a path to impersonated accounts, which will no doubt be abused by threat actors in the search of a con,” says Jake Moore, global cybersecurity advisor at security firm ESET.

Things are already messy. Straight after Twitter Blue’s verification started rolling out, accounts impersonating people and brands appeared. Some people appeared to be testing the system; others were causing trouble. In some cases, new accounts were used, and in others, years-old Twitter accounts had been converted to blue-tick status. One account called Nintendo of America (handle: @nIntendoofus) tweeted a picture of Mario giving people the finger. Apple TV+ was impersonated along with gaming firm Valve, Donald Trump, and basketball star LeBron James. A post from an account pretending to be an ESPN analyst gained more than 10,000 engagements before it was deleted, fact-checking organization Snopes reported. The account had “NOT” in its handle, and its bio described it as a parody. As of yesterday, amid a surge of impersonation accounts, Twitter had paused allowing new accounts to purchase verification.

Twitter’s new approach to verified accounts is focused on the Twitter Blue subscription. Once a user pays, the blue tick appears next to an account’s name. If someone clicks on the tick, a message explains it is there because it has been purchased. In Twitter’s timeline, a user’s blue tick is shown prominently next to the name they give their account (which can easily be changed), rather than their username handle.

Cybercriminals have, of course, tried to scam people or impersonate them on social media for years, and they are always trying to stay one step ahead of the people hunting them down. Many scams involve convincing people that an account is authentic and then manipulating them via social engineering to hand over credit card details or personal information. These kinds of scams persist as criminals get results from them.

Support account scams—where a bad actor impersonates a company’s customer service team, as with Sean Murphy’s experience with Kenya Airways—are common. Kenya Airways’ official Twitter account has previously warned about accounts that impersonate it (one of these is not verified). Rachel Tobac, the cofounder of SocialProof security, which focuses on social engineering, says these support account scams will be easier to conduct on Twitter as there are fewer steps scammers need to take before they start impersonating official accounts.

“Previously, cybercriminals needed to procure a verified Twitter page by phishing the verified user to steal their credentials, buy stolen credentials online, or find the reused credentials in a password repository post data breach,” Tobac says. “Now the scammers can just use a stolen credit card to purchase a verified account and begin their scamming.” Millions of people’s credit card details can be purchased online, and a single stolen card can cost just $1.

Musk has claimed that the $8 Twitter subscription fee will discourage bad actors from creating accounts, particularly at scale. The CEO has also said that accounts subscribing to Twitter Blue will have their tweets shown above non-verified accounts in search results. In a Twitter Space aimed at advertisers this week, Musk said he wanted to stop fake accounts and that bad actors “don’t have a million credit cards and phones.” (In one incident in February, Ukrainian officials shut down an alleged Russian-linked bot operation that used 3,000 SIM cards and had created more than 18,000 online accounts.)

Twitter also briefly launched and removed an “official” label that was placed on some public accounts. “Please note that Twitter will do lots of dumb things in coming months,” Musk tweeted this week. “We will keep what works & change what doesn’t.” (Twitter did not immediately respond to a request for comment, although it is believed many of its press office team were let go in the recent Twitter layoffs.)

Beyond allowing scammers to appear genuine, multiple experts believe that the verification changes could erode what it means for legitimate accounts to be verified on social media. “The shift to purchasing verified accounts will likely greatly reduce the trust that users, emergency services, public utilities, journalists, and brands have in Twitter verified accounts, as it’s unlikely that Twitter will quickly catch and shut down every new Twitter Blue verified account that is impersonating others,” Tobac says.

In addition to scams, the ability to quickly create genuine-looking verified accounts is also likely to aid disinformation campaigns. For years, Russian, Chinese, and Iranian state-supported actors have tried to manipulate many conversations online. They can create thousands of fake accounts in attempts to amplify disinformation. “We know that disinformation actors, particularly those that are linked to governments, have budgets,” says Elise Thomas, a senior OSINT analyst at the Institute for Strategic Dialogue who has focused on misinformation and disinformation. “We’ve already seen many disinformation campaigns buy web domains, spend thousands or tens of thousands on advertising, purchase bot accounts in bulk, and employ trolls.”

As noted by Eliot Higgins, the founder of the investigative unit Bellingcat, which among other things has uncovered Russian disinformation and exposed its network of international spies, it would be trivial for a government to pay for verified accounts. In 2018, Russia’s Internet Research Agency, which has consistently pumped out disinformation, had a budget of around $10 million. “Beyond impersonation of real people and organizations, it could also allow disinformation operations to create new personas—for example, journalists or government agencies that don’t exist—and make that fake persona seem more credible with a check mark,” Thomas says.

And state-backed actors haven’t needed verified marks to sow information chaos in the past. “Many state-backed disinformation campaigns use fake accounts to amplify user-generated content that is divisive and polarizing in order to get topics to trend, and to make voices at the fringe appear louder than they are,” says Samantha Bradshaw, an assistant professor in new technology and security at American University. “It is therefore unclear whether this policy will raise the cost of influence operations in a meaningful way.” Russian state-backed Twitter accounts have previously managed to be quoted in the press hundreds of times, without any verification at all.

As the rollout of Twitter Blue continues, staff at the newly cut Twitter may face an uphill battle in determining whether accounts are part of coordinated efforts to influence discourse online or are indeed authentic. Twitter’s own staff have hinted that verification without identity checks may have to change in the future. Yoel Roth, Twitter’s head of trust and safety, said that in the short term the company will “ramp up” proactive reviews of accounts that appear to be impersonating other people. “I think we need to invest more in identity verification as a complement to proof-of-humanness,” Roth tweeted. “Paid Verification is a strong (not perfect) signal of humanness, which helps fight bots and spam. But that’s not the same thing as identity verification.”