twitter

A convincing Twitter scam is targeting bank customers by abusing the quote-tweet feature, as observed by BleepingComputer. 

What makes this scam stand out is it preys on customers tweeting to their banks—such as to raise a complaint or request assistance. But these customers instead receive a reply from the scammer, via a quote-tweet, luring them to call the scammer's "helpline" number.

The scam's simplicity and focused targeting makes it convincing to unsuspecting users.

Fake bank Twitter accounts luring customers in

Users tagging Twitter accounts of their banks in their tweets—for example, when raising complaints about an issue, should watch out for responses from non-verified Twitter accounts that may closely be impersonating the bank's support staff and instead be a scam.

Moreover, what makes this scam particularly interesting is, the fact that genuine companies sometimes choose to reply via a separate Twitter account, different from their corporate (verified) one, for tweets which are akin to support requests.

Earlier this week, I had tagged Axis Bank, India's third-largest private bank, in a tweet but interestingly received a reply as a 'quote tweet' from an account claiming to be Axis Bank:

Reply from fake Axis Bank account
Reply to my tweet from a dubious @AXIS_BANK_00 Twitter account (BleepingComputer)

Although the lack of any following on the @AXIS_BANK_00 account (and, not to mention, the verification badge) did raise red flags, it wouldn't be the first time a company replies from a separate Twitter account as opposed to their verified one, for example, to minimize amplifying complaints from their customers sent as Tweets.

As opposed to using any obvious phishing links, this scam uses a templated text urging users to call a "helpline" number. 

An Axis Bank official shortly stepped in from the company's legitimate Twitter account:

The illicit Twitter account, AXIS_BANK_00 has since been suspended.

While analyzing this case, however, we discovered that the same phone number, 89618-44737, had been mentioned in tweets targeting customers of other leading Indian banks, including HDFC and ICICI.

One such account we found was named, @HDFC_Bank_08:

Fake HDFC twitter account
Fake HDFC twitter account replying to customers (BleepingComputer)

Whereas, that targeting ICICI Bank customers was called @ICICI_Bank_7:

Fake ICICI Twitter account luring customers in
Fake ICICI Twitter account luring customers in (BleepingComputer)

Merely suspending these accounts may not be enough and may result in a whack-a-mole situation. The enumeration at the end of these Twitter handles (i.e. Axis_Bank_0, 1, 2, 3....) suggests scammers are simply recreating these accounts with variations of the handle, and naming these accounts using terms, e.g. "(BankName) cares" to make them appear to be the bank's Twitter support channel.

This scam also comes at a time when Musk's Twitter takeover and a total revamp of the platform's verification policies may already be generating confusion.

For example, the previously-verified 'legacy' blue badge accounts may be phased out in the favor of Twitter Blue (paid) verification program. Then there is an entirely new color code introducing a 'grey' checkmark for Twitter accounts of government officials, and 'golden' ones for companies.

Another issue is, what happens to legitimate Twitter accounts of banks and financial institutions that continue to bear legacy verification badges—once these are stripped? These accounts may become more susceptible to impersonation by fraudsters.

HDFC Bank official twitter bears a legacy badge
HDFC Bank's official twitter carries a 'legacy' verification badge

Not all Twitter accounts belonging to a notable entity are treated equally either.

Both Comcast's @Xfinity and @XfinitySupport handles, for example, carry a 'golden' badge attesting to their authenticity. But other accounts associated with the company, such as @NASCAR_Xfinity, still retain the older blue badge which, once phased out, makes matters clouded for the consumer.

When on Twitter, watch out for red flags in replies, DMs, and quote-tweets directed at you, even if their timing is impeccable and they seem benign at a first glance.

Related Articles:

India rescues 250 citizens enslaved by Cambodian cybercrime gang

FTC: Americans lost $1.1 billion to impersonation scams in 2023

FTC warns scammers are impersonating its employees to steal money

Here's why Twitter sends you to a different site than what you clicked

US moves to recover $2.3 million from "pig butchers" on Binance