I felt violated. Just minutes ago, I had stupidly given my @threadreaderapp credentials to a phishing site. And now, they had total control of our Twitter/X account and almost immediately they began tweeting these scammy tweets, suckering the innocent and greedy to buy into their shitcoins:
and I was totally impotent to stop them.
It all started with an annoying email of the type I’d seen before or so I thought:
We have responded to Twitter copyright issues many times before. And so when I saw this email, I immediately assumed it was just another of those.
Of course, the email wasn’t really from X at all. I could have known that if I had just been a little more observant in viewing my email headers:
You’ll notice the email was from the domain decisions-x.com which was of course not x.com (even though that’s hard to discern as a casual reader).
And because I was on vacation, trying out my brand new Mac, I was totally in the mindset of a casual reader resigned to deal with an annoying copyright issue. So, I made the first mistake by clicking into the email. I was immediately presented with one of our earlier automated tweets, in this case a quotation screenshot service which we had since shut down. The tweet was in Spanish, a foreign language to me despite my 3 months of community college and 2 years of Duolingo training. Lazily, I just assumed it was a legit complaint and made my second mistake by clicking on.
I was then presented with an opportunity to logon. Of course, this was my biggest mistake. I entered the login and password thinking I was logging into X/Twitter, since it was a brand new computer and I hadn’t logged in before.
In actuality, the scammers took what I entered and used those credentials to pretend to be me.
I finally got suspicious after I gave the scammers my credentials and they asked for a screenshot of my passport and ID! That seemed very unusual. Initially, I was still thinking maybe X thought I was outside the country and needed extra verification. So, I contacted my partner. But within those mere minutes, the scammers had already logged in to our account and changed the password. My partner in the US asked why I had changed the password and it was only then that it dawned on me that I had been phished.
I am writing all these embarrassing (so stupid!) details in the hope that it’ll save someone else from being phished.
A few practical tips to avoid being fooled like me and what (not) to do if you are phished:
Always check your email headers, and make sure the senders are who they say they are. But even more important, check where the links lead to. If it lands on an unfamiliar domain, tread very carefully!
Unfortunately, I did not heed this advice myself. In fact, I use a password manager (1Password), and it even prompted saying that it did not know any passwords for this domain (“decisions-x.com”), and still I stupidly manually pasted the password to the phishing site’s form. Don’t do this!

Be super suspicious if a site asks for your photo ID or a screenshot of your passport. If I had submitted those, I would have been in even deeper doo doo. Imagine trying to prove that I was the victim, not the scammer - but the scammers can submit my photo ID. How would X know who is who?
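A small check in the spirit of the tip above, added here as an example (not code from the original post): it parses a constructed message modelled on the decisions-x.com lookalike and reports whether the sender domain and every link target actually belong to x.com. The sample addresses and the URL path are made up.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the lookalike sender domain described in the post;
# addresses and the URL path are made up.
SAMPLE_EMAIL = """\
From: X Copyright Team <copyright@decisions-x.com>
To: admin@example.com
Subject: Copyright complaint about your tweet
Content-Type: text/plain

A copyright complaint was filed against your account. Review it here:
https://decisions-x.com/review/PLACEHOLDER
Help center: https://help.x.com/
"""

def belongs_to(host: str, expected: str) -> bool:
    # True only for the expected domain or a real subdomain of it:
    # 'help.x.com' belongs to x.com, 'decisions-x.com' does not.
    host = host.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)

def looks_alike(host: str, expected: str) -> bool:
    # Flag hosts that embed the brand label as a separate token ('-x.' in
    # 'decisions-x.com') without belonging to the expected domain.
    label = re.escape(expected.split(".")[0])
    pattern = rf"(^|[^a-z0-9]){label}(?=[^a-z0-9]|$)"
    return not belongs_to(host, expected) and re.search(pattern, host.lower()) is not None

def check_email(raw: str, expected: str) -> dict:
    # Parse the raw message, then compare the From domain and every link
    # target against the domain the mail claims to come from.
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    sender_host = sender.rpartition("@")[2].lower()
    body = "" if msg.is_multipart() else msg.get_payload()
    urls = re.findall(r"https?://[^\s<>\"']+", body)
    link_hosts = [urlparse(u).hostname or "" for u in urls]
    return {
        "sender_domain": sender_host,
        "sender_ok": belongs_to(sender_host, expected),
        "link_hosts": link_hosts,
        "suspicious_links": [h for h in link_hosts if not belongs_to(h, expected)],
        "lookalikes": sorted({h for h in [sender_host] + link_hosts if looks_alike(h, expected)}),
    }

if __name__ == "__main__":
    print(check_email(SAMPLE_EMAIL, "x.com"))
```

The subdomain rule is the whole point: a real help.x.com link passes, while decisions-x.com fails even though it visually contains “x.com”.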
In a way I was fortunate that the scammers immediately used my account to make scammy tweets. That’s the next advice: take screenshots of this malicious behavior to prove you are the victim. In my case, the scammers deleted the tweets in as little as 10 mins, so I was fortunate to have an open tab to take the screenshot above (I don’t really fully understand the nature of the scam, but apparently it was a crypto rug pull, which sounds like a pump and dump scheme).
Once phished, the danger does not stop. Once I realized my account had been stolen, of course, I was totally distraught. Be careful not to let these strong emotions sway your decision-making at this vulnerable moment.
This is not just about uploading your photo IDs. We had to let our users know that those tweets did not come from us and not to fall for the shitcoins. We used a secondary account to tweet this message out. Immediately, we got a ton of replies purporting to be Black Hat folks who could help us. I guess having been scammed, I was marked as extra gullible which attracted even more scum.

Most importantly, do heed all those warnings and turn on 2FA (Two-Factor Authentication) on your important accounts. We were too lazy to turn that on and the scammers turned it on against us, which was what ultimately cost us control of the account. I suggest 1Password’s authenticator as a second factor, because it is relatively painless/effortless and more secure than SMS messaging that has its vulnerabilities. 2FA is really a lot less of a hassle than I imagined it to be.
Gratefully, it still pays to have helpful friends and a really responsive company in Silicon Valley. The head of Twitter Developer Platform acted with urgency and well beyond professionalism. Acting on Thanksgiving Day itself was beyond my imagination. It was really my Thanksgiving miracle that our account was restored within 24 hours.
…oh man Chao so sorry to hear this!!…what a nightmare…the internet becomes more of a trap every day…appreciate you sharing what you learned…hope this helps someone else…if not i have a friend i met on email who is a nigerian prince who said they will send me a lump of money if i can just connect them to my crypto wallet…seems legit…
Happy you're not in deeper doo doo! This is wild. Also, a good reminder to be more cautious and on top of things security-wise. I could be better about that.