What is Twishing?

Twishing is a phishing attack carried out through Twitter/X, where cybercriminals use fake accounts, malicious links, direct messages, or impersonation tactics to steal sensitive information. The term combines “Twitter” and “phishing.” Attackers often pose as brands, customer support agents, or verified users to trick victims into revealing credentials, payment details, MFA codes, or corporate login information.
For IT teams, twishing is dangerous because it exploits trust in social media interactions and bypasses many traditional email-focused phishing defenses.

How does a Twishing attack work?

A typical twishing attack follows a simple pattern:

• The attacker creates a fake or compromised Twitter/X account.
• The account impersonates a trusted brand, executive, or customer support profile.
• Victims receive:
  • Direct messages containing malicious links
  • Fake giveaway campaigns
  • Fraudulent customer support replies
  • Login pages disguised as legitimate websites
• The attacker steals:
  • Login credentials
  • MFA verification codes
  • Financial information
  • Corporate account access

Unlike traditional email phishing, twishing relies on social media engagement and real-time interaction, making scams appear more authentic and difficult for users to identify quickly.

Why is Twishing difficult to stop?

Twishing attacks exploit urgency, trust, and public engagement. Attackers frequently target users through replies to trending posts or customer complaints, increasing visibility and making fraudulent accounts appear credible.
Common twishing tactics include:

Modern hybrid work environments increase exposure because employees regularly access business applications, social media accounts, and collaboration tools from personal mobile devices.

Twishing prevention strategies for enterprises

Organizations can reduce twishing risks with layered security controls and employee awareness programs.
Recommended security measures include:

• Enforce social media security awareness training
• Enable MFA for corporate accounts
• Monitor brand impersonation attempts
• Restrict risky third-party app permissions
• Block malicious URLs and phishing domains
• Train employees to verify support accounts independently

Enterprises should also implement endpoint management policies that secure mobile devices used for work-related communication and account access.

Hexnode Pro Tip:

Hexnode UEM helps enterprises manage corporate and BYOD devices from a centralized console. IT teams can configure compliance policies, manage applications, apply device restrictions, and use web content filtering to block or allow specific URLs on supported devices.
For organizations handling sensitive business data, unified endpoint management helps enforce device, app, compliance, and web access controls across managed endpoints. These controls are especially useful in remote and hybrid work environments where employees frequently interact with corporate services through mobile devices and social platforms.

Key takeaway:

Twishing succeeds when attackers exploit trust on social media platforms, making user awareness, account protection, and endpoint security essential for enterprise defense.

FAQ

• What is the difference between phishing and twishing?
  Phishing is a broad cyberattack method using email, websites, texts, or social platforms, while twishing specifically refers to phishing attacks conducted through Twitter/X.
• Can MFA stop twishing attacks?
  Not always. Attackers can still trick users into entering MFA codes on fake login pages or fraudulent verification prompts.
  To strengthen endpoint security and improve device management, explore Hexnode’s unified endpoint management capabilities and learn more about features such as compliance policies, web content filtering, app management, and supported security integrations.