At the end in August, Sean Murphy attempted to book a flight between Nairobi, Kenya, and Entebbe, Uganda, with Kenya Airways. “The information on the booking page was ambiguous,” said Murphy, the co-founder of Web3 company ImpactScope. So he sent a quick direct message to the verified Kenya Airways account on Twitter, asking to confirm the baggage allowance for the flight. A day later, when the account didn’t answer, he sent the company a public tweet reminding it of the question. Then the answers began.
Within minutes, multiple Twitter accounts claiming to be Kenya Airways tweeted him. They all offered help, but none of them seemed official. The accounts used the Kenya Airways logo and slogan, but clicking their profile raised red flags. “Most of their posts were well-crafted,” Murphy says. “However, the low follower count coupled with the misspellings or odd choice of characters in their actual Twitter handles was the main giveaway.” The accounts include “@_1KenyaAirways” and “@kenyaairways23.”
It’s now easier for Twitter accounts to officially show up. In the chaotic days since Elon Musk completed his $44 billion takeover of Twitter and then laid off thousands of employees, the social network has revamped the way its account verification works. The new Twitter Blue plan, which has been rolled out for some users, will allow anyone to pay $8 a month and get a blue check mark that indicates they’ve been “verified.” The check mark appears almost immediately as soon as someone piles up the money, and no questions are asked – people don’t have to prove their identity.
The verification symbol is a big difference with Twitter’s Past Approach to Verification when only accounts of brands, public figures and governments got blue check marks next to their names. In all those cases, the verification was approved by Twitter employees. The new verification process – or lack thereof – will likely make it easier for scammers, cybercriminals and disinformation sellers to hone their craft and appear legit.
“Cybercriminals very easily use social media as the perfect tool to attack unknown victims, but when there is no clear and honest way to verify identities, you open a path to impersonated accounts, which will undoubtedly be exploited by threat actors in the search . of a scam,” said Jake Moore, global cybersecurity advisor at security firm ESET.
Things are already messy. Right after Twitter Blue’s verification started rolling out, accounts masquerading as people and brands started popping up. Some people seemed to be testing the system; others caused problems. In some cases, new accounts were used, and in others, years-old Twitter accounts had been converted to blue-tick status. An account called Nintendo of America (handle: @nIntendoofus) tweeted a photo of Mario giving people the finger. Apple TV+ laundry imitated together with gaming company Valve, Donald Trump and basketball star LeBron James. A post from an account masquerading as an ESPN analyst got more than 10,000 engagements before it was taken down, fact-checking organization Snopes reported. The account had “NOT” in the handle and the bio described it as a parody. Since yesterday, amid a wave of impersonation accounts, Twitter had paused to allow new accounts to purchase verification.