With social media platforms and email providers offering verified accounts more openly, there is an increased risk of verified account scams. Twitter, Instagram, and Snapchat just to name a few all offer the ability to pay to verify your account. What does a verified account really mean though? Are they all vetted and can be trusted? Cybercriminals are already actively exploiting Gmail’s verification system to scam users.
Checkmarks for everyone
Chances are you have seen a checkmark next to a user’s name in many of the popular social media platforms. These have been common for years. Until more recently, these helped identify if the user was who they claimed to be. You would see these checkmarks on celebrity accounts, business accounts, reputable organization accounts, and so on. Oftentimes these were vetted accounts and could be proven to be legitimate.
Now with many platforms offering subscription services for verified accounts, this has drastically changed the meaning of the checkmark. What does the checkmark really mean now? Upon launch of Twitter’s paid subscription, users were exploiting the checkmark to pretend to be other people, portraying their accounts as the legitimate ones. Many platforms have altered their terms of service to ban accounts that now do this, but it is extremely difficult to monitor all accounts for this fraud. Some of the largest platforms have over 500 million users, some over 1 billion, and some over 2 billion. So you can see how hard it is to investigate every account that has a verification.
Taking advantage
Since you can now buy verified accounts on many sites, cybercriminals are doing just that. They are then sending phishing emails from verified accounts and posting through verified accounts. These attacks remind me of the old days when websites started putting a lock symbol in the url to identify the website was encrypted and secured. This created a false sense of security that the end user was at a legitimate website, but in reality it was still a spoofed website, just with encryption on, like the legitimate site. This tricked users.
When you receive an email with a verified checkmark, you are more likely to trust that email and assume it came from a legitimate account. In reality, it is the cybercriminal just verifying they own that account, a spoofed account.
What you can do
Don’t trust the checkmark. Just because an account has that special symbol, it does not mean it can be trusted. Like with all emails, check the sending address, not just the sender’s name. Ask yourself the typical questions:
- Were you expecting this email?
- Is the email requesting you to take action? If so, what kind of action?
- Do you know the sender?
Verify these verified account emails the same way you would any other email. So don’t fall victim to verified account scams!
To learn more about protecting your small business from phishing scams and other current cybersecurity trends, threats, or tips visit Small Business, Big Threat!