Written by Caleb Swadley

Last month 17-year-old Graham Ivan Clark hacked into Twitter accounts belonging to Elon Musk, Uber, Barack Obama, Bill Gates, Joe Biden, and several other high-profile users. The hacker used these accounts to present a Bitcoin scam to millions of people. The verified accounts advertised that if readers sent them $1000 in Bitcoin, they would double the readers' money. Personal direct message inboxes were also accessed by the hacker. Around 130 accounts were hacked in total and the teenager netted $180,000 in Bitcoin as a result. The 17-year-old mastermind and his two accomplices now face over 30 felony charges.

Mr. Clark was able to hack into one of the largest social media companies in the world without infiltrating their network through code or using other sophisticated techniques. Social engineering, specifically spear phishing, was used to trick Twitter employees into giving him their credentials. Mr. Clark then used those credentials to access other accounts which gave him access to Twitter systems. Spear phishing occurs when a bad actor carefully targets certain individuals, usually via email, and gains valuable information from their reply.

According to a report produced by Symantec in 2018, 71% of all targeted attacks involved spear phishing emails. Check Point Research found that 64% of all organizations experienced a phishing attack in 2018. Although it is important for an organization to maintain a secure technology infrastructure, these examples show that human susceptibility is often the greatest threat.

It is crucial for you to become informed and remain mindful of these types of threats. A phishing scam can jeopardize your personal information, your family or your entire organization. Here are a few tips to help identify and avoid phishing attempts.

  1. Check the sender’s name AND email address. Pay close attention to the domain in the sender’s address. This is often misspelled (e.g. outtlook.com) in order to “spoof” the email without triggering a protective filter.
  2. Look for grammatical mistakes and spelling errors. Impersonators typically have trouble crafting a well-written email. Spell checkers have helped eliminate some errors, but grammatical mistakes are still common.
  3. Often there is a strange sense of urgency, secrecy or ambiguity. If a supervisor has a random, urgent task for you they will likely call and explain the situation – not send a poorly written email. If you have doubts, it is always okay to reach out to the sender by phone or in person to verify that the email is legitimate and get more context.
  4. Finally, phishing and malicious emails frequently contain links or attachments. Always use caution before opening an attachment or clicking a link in an email if it was not expected.
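
The sender check in tip 1 can also be automated on the receiving side. The following is an added example, not part of the original article: it flags a sender domain that sits within a small edit distance of a trusted one (such as outtlook.com) and a display name that quotes a trusted domain the address does not use. `TRUSTED_DOMAINS`, `check_sender` and the sample headers in the comments are assumptions made for illustration.

```python
from email.utils import parseaddr

# Assumption: the domains your organisation really receives mail from.
TRUSTED_DOMAINS = {"outlook.com", "example.org"}


def edit_distance(a, b):
    """Levenshtein distance between two strings (row-by-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def check_sender(from_header, max_distance=2):
    """Classify a From header; returns (verdict, detail)."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ("invalid", None)
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    if domain in TRUSTED_DOMAINS:
        return ("trusted", domain)
    # A near miss of a trusted domain is the misspelling trick from tip 1.
    for trusted in sorted(TRUSTED_DOMAINS):
        if edit_distance(domain, trusted) <= max_distance:
            return ("lookalike", trusted)
    # The display name is free text: it can claim a trusted domain
    # while the actual address belongs to someone else.
    for trusted in sorted(TRUSTED_DOMAINS):
        if trusted in name.lower():
            return ("name-mismatch", trusted)
    return ("unknown", domain)


if __name__ == "__main__":
    # Constructed sample headers, not taken from real mail.
    for header in ("IT Support <helpdesk@outtlook.com>",
                   '"support@outlook.com" <x@mail.example.net>',
                   "Alice <alice@outlook.com>"):
        print(header, "->", check_sender(header))
```

A "lookalike" or "name-mismatch" verdict is a reason to quarantine or banner the message for review; an "unknown" verdict only means the domain is not on the list.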