Twitter Scammers Lure Victims to Fake Bank Sites

You’ve got to hand it to phishers; they get more insidious as consumers get savvier. As users fall less and less often for obviously phony emails and shady links, scammers have stepped up their own game and taken to the social media sphere.

Credit: Brian A Jackson/Shutterstock

(Image credit: Brian A Jackson/Shutterstock)

A Twitter phishing scam from late last year has resurfaced. It involves scammers pretending to be customer-service personnel from real banks, directing people needing assistance to surprisingly realistic online-banking login pages, which are of course designed to steal bank-account login credentials and, from there, money.

Sam Stepanyan, a London-based security researcher, witnessed the scam in action late last month on Twitter, and linked to a Tripwire article that explained the scam when it first appeared in October 2016. Even though researchers and journalists drew attention to the scheme months ago, cybercriminals are still using it — and customers are still falling for it. Fortunately, avoiding these scams takes just a little common sense.

MORE: Best Antivirus Software and Apps

Here's how it works: A customer tweets at a bank’s legitimate Twitter help account (such as @BarclaysUKHelp) to complain about an issue, such as being denied funds when there should be money ready to withdraw. Before the real bank can muster up a reply (or even afterward), a very convincing copycat account, such as @BarclaysHelpUK (now suspended) responds.

In Stepanyan’s observation, for example, a customer recently tweeted to National Westminster Bank, which, like Barclays, is one of the "Big Four" institutions that dominate consumer banking in England and Wales.  The bank's real account is @NatWest_Help, but the facsimile — complete with matching avatar — was @Natwest_HelpSL (also suspended). It would be easy to mistake the fake account for the real one, especially if you’re already frustrated by money issues and want help quickly.

How to avoid these scams

Luckily, protecting yourself is fairly simple. Real banks have Verified symbols, little blue check marks, visible on their Twitter accounts. If you seek help online and get a response, make sure that the Twitter account is verified, and that the username matches the one you tweeted to initially.

There’s one other easy way to keep your money safe, but it requires a more detailed explanation of how the scam works.

When the fake Twitter account replies, it includes a link to a phony bank login page. On that page, a customer logs in with his or her username and password.

What happens next, of course, is that the cybercriminal collects those credentials and uses them to access the consumer's bank account. There’s no way to tell how many people have fallen for this, but given how long the scam has been going on, and its relative cleverness, it’s probably quite a few.

The login page itself, though, can help you avoid the scheme, if you know what to look for. The official Barclays URL is barclays.co.uk; the scam website was barclaysonlinebanking.16mb.com, which should look fishy even to casual users.

You want to focus on the domain name, which in this case is "16mb.com", not "barclays.co.uk". (The rest of the website looks a lot like a Barclays actual login form, though, so checking the URL is really what gives it away.)

While the scam seems to have targeted U.K. banks so far, there’s no reason why phishers couldn’t attempt the same thing in other countries, even though the United States has so many consumer banks that maintaining phony Twitter accounts for all of them might be unfeasible.

But, as Steve Ragan from CSO Online points out, there's an American "Big Four" in the cellphone industry. Scammers could easily impersonate the official Twitter help accounts for AT&T, Sprint, T-Mobile or Verizon and use stolen credentials to hijack consumer accounts.

Antivirus software won’t protect you from social engineering, so the onus to defend your financial information is on you. When you deal with a bank, or any large company, online, make sure you’re talking to a verified account, and make sure that the account name — and website URL — match the company’s actual information.

Failing that, you could always call the number on the back of your ATM, debit or credit card for support. Speaking from personal experience, though, you’re much better off using Twitter. It’s amazing how quickly a bank can resolve your issue when the whole internet is watching.

Marshall Honorof

Marshall Honorof is a senior editor for Tom's Guide, overseeing the site's coverage of gaming hardware and software. He comes from a science writing background, having studied paleomammalogy, biological anthropology, and the history of science and technology. After hours, you can find him practicing taekwondo or doing deep dives on classic sci-fi.