Caveat Empclicktwittor

The same machines that help us better target can also hurt us.

Caveat Empclicktwittor is me pretending I remember anything from high school Latin class, but I’m going to loosely translate it as, “beware what you click on Twitter” because it turns out that the same machines that help us better target customers can also hurt us. Nevertheless, I love Twitter. It’s my favorite social media platform. Admittedly, it’s the only social media platform I use, so I may be a bit prejudiced, but fortunately I’m not the “social media person” here at bloomfield knoble, so I don’t have to use any others.

One of my favorite things to do on Twitter is to craft tweets that will generate engagement (likes, retweets, comments, etc.). I get a rush every time I see that little dot next to the Twitter logo on my iPhone. It’s not exactly an obsession, but I will admit that I have annoyed Jeff Carrington, who is the “social media person” here at bloomfield knoble, a bunch of times to learn best practices and methods that improve my chances of generating engagement. However, I know I’m not obsessed, because I don’t troll and I don’t (usually) tweet at autoresponders. I love interacting with people on Twitter and having conversations at 140 characters with people I don’t know perfectly fits my generally anti-social behavior. So if you’re tweeting to me, or even just about a topic I like, it’s not unusual for me to jump in.

Unfortunately, that may be about to change.

I didn’t grow up with social media, but I understand it. I know how to spot clickbait, and I know that phishing, where crooks try to trick people into clicking links to malware or sites that steal personal information, is common on Twitter. So as much as I love seeing that dot on my iPhone, I know better than to fall for the obvious. Or, I did. According to Sally Adee, writing in NewScientist, a machine learning system that reads our past tweets to craft personalized traps could make clicking links that show up in my Twitter feed even riskier.

Some criminals take the trouble to tailor their phishing tweets to specific individuals by hand – known as spearphishing. For example (and it’s been suspended, so I don’t feel like I’m helping out the enemy here), @NatWest_HelpTC was a scam account that responded to anyone tweeting a customer service question at NatWest Bank’s real Twitter account. The imposters directed users to a fake NatWest site in an attempt to harvest bank login details. Success rates for spearphishing are estimated to be around 45%, but it’s also time consuming. Banks shouldn’t count on the difficulty of phishing protecting their customers though – researchers at Baltimore security company Zerofox have shown that spearphishing can be done automatically.

By mining people’s past Twitter activity, their machine learning system first hunts down a target. It looks for high-profile or well-connected users – such as those who list a job title like recruiter or CEO in their profile – and people who are particularly active. Zerofox’s Philip Tully says they also targeted people by looking at the hashtags they used in their tweets, as well as what the person likes to retweet and the times they are most likely to be using Twitter. Using this information, the algorithm generates tweets that the individual is likely to click on – and behold, personalized clickbait.

The team tested the system on 90 people and managed to trick more than two-thirds of them into clicking the link. The team thinks that the approach could reach far more people with a greater success rate than handcrafted approaches. They also say the system would work on other social media sites, including Facebook. The work was presented at the Black Hat conference in Las Vegas last month. But it’s not just about clicks. A recent study from Columbia University found that 60% of people don’t click or read the links they retweet. Tully says that’s a boon for the technique his team is warning about – no-look retweeters are effectively laundering the scam tweets, giving them a sense of legitimacy and making it more likely that others will click.

Avoiding the trap isn’t always easy, but keep your operating system up to date, have a virus-protection program running on your system, and – especially if you are reaching out to customer service – only click on links offered from the verified account. As an agency heavily involved in social media advertising, we are very careful to avoid content that sounds like clickbait. While we would love to get a 45% success rate, we try to mitigate the potential fury of customers on social media who fall for scams. Unfortunately, as the NatWest case shows, that’s hard, and spearphishing attacks have plagued them – and others – for as long as Twitter has been around.
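As an added example (not code from the article or from Zerofox), here is a small defender-side check that applies the advice above to the NatWest-style impersonation: among replies to a customer-service question, flag unverified accounts whose handle looks like the bank’s support handle and whose links point off the bank’s own domain. The support handle, the bank domain and the sample replies are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Assumed support handle and domain for the brand being impersonated.
BRAND_HANDLE = "NatWest_Help"
BRAND_DOMAINS = {"natwest.com"}
URL_RE = re.compile(r"https?://\S+")


@dataclass
class Reply:
    handle: str
    verified: bool
    text: str


def lookalike_score(handle: str, brand: str) -> float:
    """0..1 similarity of an account handle to the brand's support handle."""
    a, b = handle.lower(), brand.lower()
    if b.split("_")[0] in a:  # contains the brand name outright
        return 1.0
    return SequenceMatcher(None, a, b).ratio()


def offsite_links(text: str) -> list[str]:
    """Hostnames linked in the tweet that are not the brand's own domains."""
    hosts = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        on_brand = any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)
        if host and not on_brand:
            hosts.append(host)
    return hosts


def flag_impersonation(replies: list[Reply]) -> list[tuple[str, str]]:
    """Unverified, brand-lookalike accounts sending users to off-brand sites."""
    flagged = []
    for r in replies:
        if r.verified:
            continue
        bad_hosts = offsite_links(r.text)
        if bad_hosts and lookalike_score(r.handle, BRAND_HANDLE) >= 0.6:
            flagged.append((r.handle, bad_hosts[0]))
    return flagged


SAMPLE = [  # constructed replies; the .example domain is a placeholder
    Reply("NatWest_Help", True, "Sorry to hear that. See https://natwest.com/support"),
    Reply("NatWest_HelpTC", False, "Verify now at https://natwest-secure.example/login"),
    Reply("jane_doe", False, "Same problem here, still waiting!"),
]
```

Running `flag_impersonation(SAMPLE)` reports only the unverified lookalike with the off-brand link; the verified support account and the unrelated customer pass.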