Some interesting research from Malwarebytes Labs.
The first was around verified Twitter accounts receiving direct messages apparently from Twitter which claimed their accounts had been flagged for hate speech. They would then be redirected to a fake Twitter help centre to input their login credentials.
The second was a Discord phishing campaign where people would recieve messages being accsed of sending explicit photos. The message included a link, and if clicked would lead to a QR code. This resulted in the account being taken over by the criminal no good-ers.
The techniques of these phishing attacks vary. Today it may be trying to scare someone with a hate speech takedown or explicit photos, tomorrow it could be, “your NFTs have been stolen” The actual underlying principles remain the same. Try to elicit an emotional response from the victim, scare them into taking action quickly while they are in a panicked state before they have time to compose themselves and think things through.
It’s important for people to remember to take their time. Nothing will ever be so urgent that it can’t wait a few minutes for you to process the information and log into your service directly.
From a technical side, people should enable MFA and also regularly review which 3rd parties have been granted access to their social media accounts.
Javvad Malik 