The Brand Security Implications of Twitter’s New Pay-for-Play Blue Checks

November 17, 2022 | 3 min read

Kevin Diffily

Product Marketing Manager, Risk & Compliance


When Elon Musk recently purchased Twitter, he vowed to make the elusive blue check marks that prove a user is “verified” accessible to all — for a small price, that is. For just $7.99 per month, the reported plan was that any user could have their profile “verified” by Twitter and gain the blue check next to their display name.

But since the initiative initially went live, the social media platform perhaps best known as an avenue through which to spread misinformation has been beleaguered by newly “verified” users impersonating government officials, celebrities, and journalists to carry out pranks and post satirical nonsense. While most of these instances appear to be intended to poke fun, the implications for more serious abuse are clear. For example, a tweet impersonating pharmaceutical company Eli Lilly may have led to the company’s stock dropping.

After the rash of impersonation, Twitter paused the pay-for-verification program. However, many questions about the program remain unanswered.

What happens if a “verified” user sets up an account to mimic a bank or retailer, and sends a DM to potential customers saying they need to confirm their payment information or Personally Identifiable Information (PII)? What happens if an impersonated celebrity with a blue check posts a link for fake concert tickets that redirects the funds into a hacker’s account? What happens if threat actors spread misinformation via a government official’s spoofed account that directs followers to send campaign money to an illegitimate source, or, far worse, incite violence against political opponents?

Twitter user @JackMLawrence tested how viable it is to carry out an attack facilitated by the new verification system. It took him mere minutes to establish the (fake) credentials needed to obtain a blue check mark:

[Embedded tweet from @JackMLawrence]
BlueVoyant often warns against the dangers of social media impersonation and social engineering attacks carried out on popular platforms like Twitter, Instagram, LinkedIn, and Reddit. The problem was bad enough before — how easy is it to set up a free account on any of these networks and pretend to be someone you’re not?

There is also the issue of data security, as numerous Twitter security, compliance, and finance executives have now resigned in protest of the new internal policies. The company may be in breach of numerous data privacy regulations, putting user data at risk and potentially compromising its ability to protect the very payment information entered to achieve a blue check in the first place. This could severely impact companies that use Twitter as an advertising platform, in addition to leaving them vulnerable to large-scale phishing campaigns designed to target their followers and users. This comes on the heels of claims by Twitter’s former head of security that the company was irresponsibly handling user information.

In any event, the extent of this verification issue is currently unclear, as the verification system pause just went into effect, but it will be fascinating to monitor over the coming months.

What can companies do to mitigate the new risks associated with having a Twitter presence? There will be many twists and turns to come as this situation develops, but for now, the best way to minimize brand risk is to gain visibility into the threats that are emerging, and continuously monitor for new profiles that appear to be leveraging company brand assets, imagery, and messaging.
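One way to run the kind of monitoring described above, as an added example that is not BlueVoyant’s code: a scanner that normalizes confusable characters and flags profiles whose display name or handle resembles a protected brand without being its official account, prioritizing a blue check on a days-old account. The brand name, official handle and profile records are constructed assumptions.

```python
"""Flag social-media profiles that appear to impersonate a monitored brand.
Added illustration, not BlueVoyant's DRP code; the brand list, official handle
and profile records below are constructed assumptions."""
import unicodedata
from difflib import SequenceMatcher
from typing import Dict, List, Optional

# Digits/symbols commonly swapped into lookalike names (assumed list); separators
# map to "" so "Example_Bank" and "Example Bank" compare equal.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a",
                             "$": "s", "|": "l", "_": "", "-": "", ".": "", " ": ""})

def normalize(name: str) -> str:
    """Casefold, drop non-ASCII homoglyphs (e.g. Cyrillic a), map confusables."""
    ascii_only = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return ascii_only.casefold().translate(CONFUSABLES)

def name_score(candidate: str, brand_name: str) -> float:
    """1.0 if the brand is embedded in the name, otherwise a fuzzy-match ratio."""
    cand, brand = normalize(candidate), normalize(brand_name)
    return 1.0 if brand in cand else SequenceMatcher(None, cand, brand).ratio()

def assess_profile(profile: dict, brands: Dict[str, str], threshold: float = 0.85) -> Optional[dict]:
    """Return a finding if the profile mimics a brand it does not own (brands: name -> official handle)."""
    handle = profile["handle"].lstrip("@").casefold()
    if handle in {h.lstrip("@").casefold() for h in brands.values()}:
        return None  # the brand's own account, nothing to report
    for brand, official in brands.items():
        score = max(name_score(profile["display_name"], brand), name_score(handle, official))
        if score >= threshold:
            # A blue check on a days-old account is exactly the scenario the post describes.
            is_new = profile.get("account_age_days", 10**6) < 30
            priority = "high" if profile.get("verified") and is_new else "medium"
            return {"handle": profile["handle"], "brand": brand, "score": round(score, 2), "priority": priority}
    return None

def scan(profiles: List[dict], brands: Dict[str, str]) -> List[dict]:
    return [f for f in (assess_profile(p, brands) for p in profiles) if f]

BRANDS = {"Example Bank": "@ExampleBank"}  # constructed brand and official handle
SAMPLE_PROFILES = [  # constructed records; "\u0430" is Cyrillic a, a homoglyph of Latin a
    {"handle": "@ExampleBank", "display_name": "Example Bank", "verified": True, "account_age_days": 3000},
    {"handle": "@Ex\u0430mple_Bank", "display_name": "Ex\u0430mple Bank", "verified": True, "account_age_days": 2},
    {"handle": "@Examp1e_Bank_Support", "display_name": "Example Bank Support", "verified": False, "account_age_days": 400},
    {"handle": "@cooking_tips", "display_name": "Daily Recipes", "verified": False, "account_age_days": 900},
]
```

Running `scan(SAMPLE_PROFILES, BRANDS)` returns the two lookalikes only; the official account and the unrelated profile produce no finding.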

This is where Digital Risk Protection (DRP) comes in. BlueVoyant’s DRP solution detects suspicious social media profiles that appear to be impersonating a brand, validates the threats, alerts the company, and can initiate takedowns via our established relationships with social media platforms like Twitter.

Learn more about how BlueVoyant Sky: Digital Risk Protection can help your company navigate social media impersonations, spoofed web domains, and fraudulent mobile apps designed to trick users into handing over their credentials.

Kevin Diffily is a BlueVoyant Product Marketing Manager, DRP.