At the end of August, Sean Murphy was trying to book a flight between Nairobi, Kenya, and Entebbe, Uganda, with Kenya Airways. “The information on the booking page was ambiguous,” says Murphy, the cofounder of Web3 company ImpactScope. So he fired off a quick direct message to the verified Kenya Airways account on Twitter, asking it to confirm baggage allowances for the flight. A day later, when the account didn’t reply, he sent the company a public tweet reminding it about the question. Then the replies started.
Within minutes, multiple Twitter accounts claiming to be Kenya Airways tweeted him. All of them offered help, but none of them appeared official. The accounts used Kenya Airways’ logo and slogan, but clicking on their profiles raised red flags. “Most of their messages were well crafted,” Murphy says. “However, the low number of followers coupled with the spelling errors or odd choice of characters in their actual Twitter handles was the main giveaway.” The accounts included “@_1KenyaAirways” and “@kenyaairways23.”
It’s now easier for Twitter accounts to appear official. In the chaotic days since Elon Musk completed his $44 billion takeover of Twitter and subsequently fired thousands of staff, the social network has revamped how its account verification works. The new Twitter Blue subscription, which has started rolling out to some users, allows anyone to pay $8 per month and get a blue check mark showing they are “verified.” The tick appears almost instantly once someone stumps up the cash, and no questions are asked—people do not have to prove their identity.
The verification symbol is a stark difference from Twitter’s previous approach to verification when only accounts belonging to brands, public figures, and governments were provided with blue ticks next to their name. In all those instances, verification was approved by Twitter staff. The new verification process—or lack of it—is likely to make it easier for scammers, cybercriminals, and peddlers of disinformation to hone their craft and appear legitimate.
“Cybercriminals very easily use social media as the perfect vehicle to target unbeknown victims, but when there is no clear and genuine way to check identities, you open up a path to impersonated accounts, which will no doubt be abused by threat actors in the search of a con,” says Jake Moore, global cybersecurity advisor at security firm ESET.
Things are already messy. Straight after Twitter Blue’s verification started rolling out, accounts impersonating people and brands appeared. Some people appeared to be testing the system; others were causing trouble. In some cases, new accounts were used, and in others, years-old Twitter accounts had been converted to blue-tick status. One account called Nintendo of America (handle: @nIntendoofus) tweeted a picture of Mario giving people the finger. Apple TV+ was impersonated along with gaming firm Valve, Donald Trump, and basketball star LeBron James. A post from an account pretending to be an ESPN analyst gained more than 10,000 engagements before it was deleted, fact-checking organization Snopes reported. The account had “NOT” in its handle, and its bio described it as a parody. As of yesterday, amid a surge of impersonation accounts, Twitter had paused allowing new accounts to purchase verification.
