Watch out for fake emails claiming to be from X. A clever phishing scam is making the rounds, trying to trick users into giving up their account details. This isn’t your average spam. These emails are sneaking past filters, even landing in Gmail inboxes, which might make you lower your guard.
The scam, broken down by Guillermo Rauch on X, often starts with an email alert about a supposed “content issue” or copyright violation related to your posts. It looks convincingly like an official message from X, sometimes even using your specific username. Scammers put effort into making the sender address look real, using addresses like help...law-x.com, hoping you won’t notice the subtle dash replacing a dot.
If you hover over the action button or link in the email, you might see something else tricky. Instead of linking directly to a dodgy site, they often use Google’s cdn.ampproject.org. This makes the link seem safer because it uses a legitimate Google domain, but it’s just a redirect hiding the real phishing website. This helps them bypass spam detection and adds another layer of disguise.
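The two indicators described above (a sender domain that swaps a dot for a dash, and a link routed through cdn.ampproject.org that hides the real destination) can be checked mechanically. The following script is an added example written for this article, not code from X or from Rauch's post. The sample email is constructed to match the description, the allowlist of legitimate domains is an assumption, and the AMP cache URL layout it unwraps (`/c/s/<origin-host>/...`) is the author's reading of how those cache URLs are formed, not something the article states.

```python
import re
from typing import Optional
from urllib.parse import urlparse

# Assumed allowlist of domains that genuinely belong to X (constructed for this example).
LEGIT_DOMAINS = {"x.com", "twitter.com"}

# Constructed sample modelled on the article: lookalike sender plus an AMP-cache redirect.
SAMPLE_EMAIL = """Subject: Content issue detected on your account @example_user
From: X Help <help@law-x.com>

We found a copyright problem with one of your posts.
Review it here: https://law-x-com.cdn.ampproject.org/c/s/law-x.com/login?u=example_user
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
EMAIL_RE = re.compile(r"<([^<>@\s]+@[^<>@\s]+)>")


def registered_domain(host: str) -> str:
    """Return the last two labels of a hostname (a simple eTLD+1 approximation)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_brand_lookalike(host: str, brand: str = "x") -> bool:
    """True when the brand appears as a hyphen-separated token in the second-level
    label but the domain is not a legitimate one, e.g. law-x.com where a real
    subdomain would read law.x.com."""
    domain = registered_domain(host)
    if domain in LEGIT_DOMAINS:
        return False
    second_level = domain.split(".")[0]
    return brand in second_level.split("-")


def unwrap_amp_cache(url: str) -> Optional[str]:
    """If url points at an AMP cache host, return the origin host it fronts.

    Assumption (not from the article): cache URLs look like
    https://<encoded-origin>.cdn.ampproject.org/c/s/<origin-host>/<path>,
    with /c/ alone for plain-http origins, so the real site is the path segment
    after the /c/s/ (or /c/) prefix.
    """
    parsed = urlparse(url)
    if not parsed.hostname or not parsed.hostname.endswith("cdn.ampproject.org"):
        return None
    segments = [s for s in parsed.path.split("/") if s]
    if len(segments) >= 3 and segments[0] == "c" and segments[1] == "s":
        return segments[2].lower()
    if len(segments) >= 2 and segments[0] == "c":
        return segments[1].lower()
    return None


def analyse_email(raw: str, brand: str = "x") -> dict:
    """Collect the indicators the article describes: a lookalike sender domain,
    links routed through the AMP cache, and lookalike hosts hidden behind them."""
    findings = {"sender_lookalike": False, "amp_redirects": [], "lookalike_links": []}
    match = EMAIL_RE.search(raw)
    if match:
        sender_host = match.group(1).split("@", 1)[1]
        findings["sender_lookalike"] = is_brand_lookalike(sender_host, brand)
    for url in URL_RE.findall(raw):
        host = urlparse(url).hostname or ""
        origin = unwrap_amp_cache(url)
        if origin is not None:
            findings["amp_redirects"].append(origin)
            host = origin  # judge the real destination, not the Google cache host
        if is_brand_lookalike(host, brand):
            findings["lookalike_links"].append(host)
    findings["suspicious"] = bool(findings["sender_lookalike"] or findings["lookalike_links"])
    return findings


if __name__ == "__main__":
    print(analyse_email(SAMPLE_EMAIL))
```

Running it on the constructed sample reports the sender domain as a lookalike, records that the link is an AMP-cache redirect, and names `law-x.com` as the real destination, which is exactly what hovering over the button would reveal by hand. The heuristics are deliberately simple: a genuine `help.x.com` sender passes because its registered domain is on the allowlist, while any unfamiliar domain that merely embeds the brand as a hyphenated token is flagged for a closer look.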
Clicking the link takes you to a webpage designed to look exactly like an official X page. It might ask you to log in to resolve the supposed content issue. Some reports even mention these fake pages display the target’s profile picture, making it feel personalized and more believable.
Here’s the really sneaky part. Even if you have two-factor authentication (2FA) enabled, you’re not automatically safe. After you enter your password on the fake site, the scammers immediately try logging into your actual X account. When X asks for the 2FA code, the phishing site then prompts you for it. If you enter the code, you hand the attackers everything they need to take over your account.
Rauch believes this campaign might be run by the same group, possibly based in Turkey, that has hacked high-profile X accounts before. Their main goal seems to be hijacking accounts, especially those with many followers, to promote cryptocurrency scams. Similar tactics involving fake login notices or copyright claims have been used in past attacks targeting politicians, journalists, and tech figures.
To protect yourself, always be cautious with emails asking for login details. Check the sender’s full email address carefully. Hover over links to see the actual destination URL before clicking. Use a strong, unique password for X and enable 2FA. Most importantly, if you need to check account notices or change settings, go directly to the official X website or app yourself instead of clicking links in emails. Stay alert to keep your account secure.