1/ Hey friends, let's talk some online safety! Today a scammer made an attempt at making some money off of me and though it wasn't a particularly good attempt, it was targeting queer people specifically and it wasn't zero effort either

Please RT for education and safety of our loved ones
2/ It was targeted at the queer community at large. This makes me sad since money is often sent around due to the poverty our community faces. I see posts from queer people asking for money daily. I know so many of you are generous. Which is great. But it can be used against us.
3/ In short, I can only assume that the queer community has a high rate of circulation of money. This makes us a viable target for phishing attempts. It seems this was also a bigotry-motivated choice to target the queer community. So let's prevent this.
4/ Let's go through:
* What happened
* How to spot this form of scam
* What enabled this form of scam
* How to prevent this form of scam
5/ What happened:

Yesterday I received a PM from an account that I had only one connection to -- someone I'm mutuals with was following them. The scammer account wasn't following them back. They turned out to be asking for financial aid. Superficially, it seemed believable.
6/ The tone of the scammer was similar to what I'd expect of another queer woman. The scenario wasn't all too unlikely. So I gave them the benefit of the doubt and PM'd my mutual who was following the scammer, asking if they were trustworthy.
7/ My mutual replied that they had been asked the same question by two or three others. The messages were exactly identical. I asked the scammer to send me their PayPal link, and cross-checked with what my mutual had seen.

There were two different PayPal accounts.
8/ So at this point it was very clear that it was a scam and I decided to have some fun with it and see if it was a poorly run one. Instead of sending them money I sent a request for money. I got an odd reply. The scammer thanked me even though they had declined my request.
9/ I ran the same ruse on the second account they sent and they ran out of patience. My fun was over with a bit of poorly targeted slurs.
10/ Before we move on, let's outline how the scammer operates:

1. Get PayPal accounts. Likely purchased hacked accounts
2. Buy access to real person's hacked twitter account, rebrand it as queer for familiarity
11/
3. Go through a list of related accounts and ask for cash. Likely not people who would know the person who was hacked as this would be too obvious
4. Claim acquired money before accounts are suspended
5. Rinse and repeat
12/ All in all, it's a pretty simple scam, but with its targeting I'd imagine it is relatively effective. The queer community is very generous because we genuinely care for each other. That is beautiful and one of our greatest strengths. Gullibility is the weakness here.
13/ Let's change that. Let me explain how to spot this scam:

The first giveaway was that it was a private message and not a public post. It's minor. But it reduces traceability. On a public post, if someone sniffs the scam out, they'll probably make that known publicly.
14/ I'd also assume that a private message has a higher success rate. It certainly seems more personal. But as you saw, the same message was sent to multiple people. The only personalisation in question was waiting for replies before sending the next message.
15/ I checked out the profile of course, and found a few things sowing doubt. The profile picture included a picture where the supposed person appeared to be participating in a race. And had a name tag with a different name.
16/ I didn't reverse search the image at the time, and doing so afterwards gave no results. Presumably it's either the hacked account owner's real picture, or stolen from Instagram or something.
17/ A reverse image search that turns up nothing doesn't prove the photo belongs to the person using it, but a search that does turn up the photo elsewhere is mostly a reliable sign that it doesn't.
18/ If you reverse image search someone and get a stock photo or someone entirely unrelated having posted it on their social media, that's likely not them (unless they're a stock photo model).
19/ You can perform reverse image searches, i.e. using a picture to search the web, with https://tineye.com  and https://www.google.com/imghp  (click the camera icon in the search bar)
20/ Another thing that made me question this person was the contents of their profile -- they had a lot of retweets and only two posts of their own in the last months, and those were both their most recent. And it was the most generic things you could possibly write.
21/ Their URL was set to https://www.equalityfederation.org/blog/ . But I looked through the site briefly and could not spot them as a staff member.
22/ While none of this was solid evidence, it was more than enough for me to do the most crucial part of my investigation:

Communicating with my friend.

If it was someone they knew, even only by following them, they'd be able to vouch for them. But it seemed not.
23/ When in doubt, ask. If someone is reputable, there should be no problem in asking about their trustworthiness. This made it incredibly easy to spot the scam for my friend, who had seen the scammer suggest using multiple different accounts.
24/ Now, two different names wouldn't have to be a problem. Deadnames and PayPal accounts are an iconic duo. But neither account was called S***. And they had no other names in common at all. In fact, one looked Arabic and one looked Spanish.
25/ One of the PayPal accounts even had a picture of someone who looked entirely unlike the person in the Twitter profile picture.
26/ Finally, their @ included the F-slur. Which this scammer seems quite fond of. While I wouldn't say that's a solid bad faith indicator, I would mostly count on androphilic men to use that particular word.

With that, we hopefully know a few things to consider :)
27/ What enabled this scam:

This scam involves multiple actors:
1. The scammer
2. The people who hacked and sold the accounts
3. The people whose accounts were hacked
4. The victims of the scammer
28/ We can't do much about scammers and black hat hackers existing, but we can do our best to avoid becoming part of the last two groups.
29/ How to prevent this form of scam:

Hopefully this thread has taught you how to be vigilant and avoid being scammed. But the people who were hacked could've perhaps avoided being hacked.
30/ Hackers gaining access to established queer users' accounts lends them believability and increases their chances of success. By improving our security, we can lessen the chances of that happening.
31/ So let's not get hacked. But how?

Secure your accounts.

Generally, what you need to access an account is a username/e-mail address and a password. And thus, if they get your password, they can probably access your account.
32/ So to combat this, we can do two things (and we really should do both):

1. Don't lose your password
2. Add another factor to login
33/ Let's start with the password! Most importantly, don't re-use passwords. Why? If you use the same password on two websites and one of the two has really bad security, hackers might be able to break into that website, get your e-mail address and password from it, and try the same combination on other sites.
34/ I recall signing up for a lot of sketchy forums as a kid. And I used the same password everywhere. So when one of those forums got hacked and leaked my password, the hackers effectively had my login for every service I used.
35/ But remembering so many different passwords is hard! The solution to this issue is to use a password manager. You keep a database of passwords encrypted with a master key, and then generate unique passwords for every website you sign up to.
36/ So if one website leaks your password, that password cannot be used anywhere else. I personally recommend Bitwarden. KeepassXC is another very good option.
37/ Additionally, you can check if you've been part of any hacks using https://haveibeenpwned.com . Wonderful service!
38/ Back to the solutions -- the other thing you can do to up your security is to add two factor authentication. This will usually be through SMS, an authenticator app, or a hardware token.
39/ I recommend choosing one of the latter two where possible, but any two factor authentication is infinitely better than nothing.
40/ Two factor authentication works by generating short-lived, time based one-time codes from a secret shared between your device and the service. If someone steals a code, it's only valid for a few minutes before expiring.
41/ To gain access to someone's account that's secured with one, you'd have to both get their password and either get them to send you a code in real time, or steal the secret used to generate the code (which will be very very hard).
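To make the "time based tokens" in 40/ and 41/ concrete, here is an added example (not part of the original thread) of how a TOTP authenticator app and a service derive and check codes. It follows RFC 4226 (HOTP) and RFC 6238 (TOTP) using only the Python standard library; the secret is the published RFC 6238 test secret, not anyone's real account, and the `window` parameter is an assumption about how much clock drift a service tolerates. The point it demonstrates is the one the thread makes: the code is a function of a shared secret plus the current 30-second time slot, so a stolen code stops working once that slot (plus a small tolerance) has passed.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 test secret ("12345678901234567890" in base32), used only for the demo.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP = 30      # seconds per time slot (RFC 6238 default)
DIGITS = 6     # code length most authenticator apps show


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' to a decimal code of the requested length."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time slot.
    This is what the authenticator app computes and displays."""
    secret = base64.b32decode(secret_b32.upper())
    return hotp(secret, at // step)


def verify(secret_b32: str, submitted: str, at: int,
           step: int = STEP, window: int = 1) -> bool:
    """Service-side check. `window` (an assumption here) is how many
    neighbouring slots are accepted to tolerate clock drift; a code
    outside that range is rejected even though it was once valid."""
    secret = base64.b32decode(secret_b32.upper())
    counter = at // step
    for c in range(counter - window, counter + window + 1):
        # constant-time comparison so response timing leaks nothing
        if hmac.compare_digest(hotp(secret, c), submitted):
            return True
    return False


def stolen_code_lifetime(secret_b32: str, stolen_at: int,
                         step: int = STEP, window: int = 1) -> int:
    """How many seconds a code captured at `stolen_at` keeps being accepted
    under the given drift window: the remainder of its own slot plus
    `window` further slots."""
    code = totp(secret_b32, stolen_at, step)
    now = stolen_at
    while verify(secret_b32, code, now, step, window):
        now += 1
    return now - stolen_at


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(DEMO_SECRET_B32, now))
    print("a code stolen right now stays valid for about",
          stolen_code_lifetime(DEMO_SECRET_B32, now), "seconds")
```

Running it prints the current code for the demo secret and shows that a captured code is accepted only for the rest of its 30-second slot plus one slot of tolerance, which is why an attacker needs either the secret itself or a victim relaying codes in real time, exactly as 41/ says.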
42/ And with that, I hope you all have the tools to stay safe, and understand how your digital security affects others. If you have any questions, please ask!
43/ Finally, I'd point out that the scammer has what strikes me as a very /r/T**_D***ld-style of writing. The phrasing "your people" really gets me as a strongly sectarian phrasing.
You can follow @YawningJorin.