Brands Beware: X's New Badge System Is a Ripe Cyber-Target

Fraudsters are taking advantage of the new verification system implemented by X, formerly known as Twitter, in order to impersonate brands and steal personal information.

The infamous blue checkmark used to be reserved for verified companies and influencers. But after purchasing the microblogging giant, and following a period of rapidly declining users and revenue, Elon Musk changed the rules, enabling anybody to obtain one simply by paying a monthly fee.

The site's new, liberal approach to authentication has opened the door for scammers, while the introduction of other tiers of "authentication" — gold and gray badges, for instance — has created confusion for brands and users alike.

Dark Reading was unable to reach X for comment on this story.

How Blue Check Scams Work

In July, the budget British airline easyJet canceled over 1,700 summer flights from Gatwick Airport in London.

Anticipating a wave of angry customers, scammers filled in the void.

According to the UK nonprofit Which?, a bevy of copycat easyJet accounts were created in the hours thereafter, with at least five surviving an initial sweep of account shutdowns. Their usernames mimicked the company's legitimate username, and in their bios they linked to "Online Help Hubs," which were actually just phishing pages designed to harvest personal information. The scammers also engaged angry customers over direct messages, and occasionally intervened in conversations they were having with the actual company.

Source: Which?

Not all of the blame lies with X, though. Companies that shirk on customer service often direct angry customers to social media instead, since it's allegedly faster (read: more cost-effective).

One UK resident told The Guardian in August how, after months of fruitlessly attempting to get a refund on a canceled holiday flight, he finally conceded to engage with Booking.com over X.

Booking.com asked him to send them his phone number via DM. After a call over WhatsApp, they agreed to refund his payment, but he would first need to download an app.

Only then, with his suspicion aroused, did the man realize the company's account handle had an unexpected hyphen in it, and their WhatsApp caller ID traced to Kenya.

"I've since come across other fake Booking.com Twitter accounts which are following customers who are at their wits' end trying to get a refund and have resorted to X to air their grievance with the company,” he recalled to reporters.

Reckoning With the New Check Mark System

Rather than just the blue check mark, X currently offers four tiers for accounts:

A gold badge costs $1,000 per month (plus $50 for additional affiliates), meaning that small businesses may not be able to afford authentication, and larger ones may not want to pay. And it's even led to inconsistencies within organizations. In a blog published Thursday, Kaspersky highlighted how Microsoft's presence on X is a mess of accounts with and without gold check marks, some affiliated with the organization and some not.

What Companies Can Do About X Brand Impersonation

Companies unable (or unwilling) to shell out the cash and organize around X's new rules — and companies like easyJet, for whom even doing everything right isn't enough to fend off copycats — will need other means of protecting their customers and their brand names. Because like any typosquatting endeavor, a diligent phishing campaign can erode consumer trust.

"For sensitive communication or support," says Callie Guenther, senior manager of threat research at Critical Start, "directing customers back to the official website or a recognized customer service number can be effective. And a consistent online presence, characterized by regular updates and engagement, can deter impersonators and give customers confidence in the brand's authenticity."

However, she cautions, "any system that implies trust through verification can be exploited, so users should always be cautious. LinkedIn, for example, doesn't have a checkmark system similar to Twitter, but fake profiles or impersonators can still exist."