Phishing Scams on X (Twitter)
Fraudulent DMs and posts on X direct users to fake login pages and malicious sites disguised as legitimate resources.
Last reviewed: 1 June 2026
X is used as a phishing delivery channel in multiple ways: direct messages containing malicious links, replies to popular posts embedding phishing URLs, and fake 'help' accounts responding to users reporting issues with services. Because X users expect to click links within the platform, they may be less guarded than when receiving an unsolicited email.
Shortened URLs within X posts compound the risk: the link itself does not show the destination URL before the click, and several redirect layers can route through legitimate domains before arriving at the malicious page.
How this scam works on X (Twitter)
A common pattern involves fake X support accounts DMing users who have publicly complained about the platform or a service, directing them to a 'verification portal' to resolve their issue. The portal captures the user's X credentials, allowing account takeover. Another approach posts replies under high-traffic news tweets with links to 'full articles' or 'breaking news' that are actually credential-harvesting pages.
X-based phishing also targets users of crypto and banking services: replies under official bank or exchange posts direct complainants to fake 'customer support' sites.
Common red flags
- DM from any account directing you to log in to X or another service via a link
- Reply under a popular post with a link described as 'more info' or 'full story'
- Fake support account responding to your public complaint with a link to a portal
- Shortened URL that cannot be previewed before clicking
- Page reached via X link that requests credentials or personal information
How to protect yourself
- Access X and connected services directly through bookmarks, not via links in DMs or replies
- Enable MFA on your X account so stolen passwords alone cannot grant access
- Use a browser extension that expands shortened URLs before clicking
- Report suspicious DMs and replies to X before clicking any links they contain
How to report it
- Report phishing DMs and posts to X using the in-platform report function
- Forward phishing URLs to your national cyber authority
- Change your X password immediately if you entered credentials on a suspicious page
Frequently asked questions
How can I preview a shortened URL before clicking?
Several browser extensions and web services expand shortened URLs so you can see the destination before visiting. You can also paste the short URL into an expansion service such as a URL-unshortener website to check the real destination.