In the last week, I have had 3 Twitter DMs attempting to phish.
Hey, check out this picture of you [deleted link]
Just seen this discussion criticising a post of yours, check it out [deleted link]
In both cases the [deleted link] was a shortened URL.
Curious as to where it would take me, I carefully copied the URL into a sandboxed environment and checked it out.
In all three cases it went to a web page that was a convincing mock-up of the Twitter logon page, inviting me to add my username and password. I declined.
On a PC the fake page is easy to spot, as the URL in the title bar was something other than https://twitter.com/. However, if you use a tablet device (iPad/Android), where the browser built in to the Twitter app kindly hides the address bar to save screen real estate, it is harder to spot. If unsure (and you decide not to heed the advice not to click the link at all), use the “Open in Browser” option, so you can see the full address prior to entering any details.
It would be very easy to be fooled by a DM phishing attack such as this, especially on a tablet device, leaking my username and password to the phisher. Please be wary. Please make your Twitter friends aware of this.
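The address check described above, written out as code: the page asking for a password must be served from https://twitter.com/ itself, and an address that merely contains "twitter.com" somewhere does not count. This is an added example, not part of the original post; the names checkLoginUrl, TRUSTED_HOST and SAMPLES, and the sample URLs on the reserved .example domain, are constructed for illustration.

```javascript
// Added example: is this really the Twitter logon address?
// Assumption: the only trusted logon host is the one named in the post.
const TRUSTED_HOST = "twitter.com";

function checkLoginUrl(raw) {
  let url;
  try {
    // The WHATWG URL parser lower-cases the scheme and host for us.
    url = new URL(raw);
  } catch {
    return { ok: false, reason: "not a valid absolute URL" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: "not HTTPS" };
  }
  // In "https://twitter.com@other.example/" the part before "@" is a
  // username, and the real host is whatever follows it.
  if (url.username || url.password) {
    return { ok: false, reason: "userinfo before the host hides the real destination" };
  }
  // url.host includes any non-default port; compare the whole host, never a
  // substring or prefix: "twitter.com.login.example" is not "twitter.com".
  if (url.host !== TRUSTED_HOST) {
    return { ok: false, reason: `host is ${url.host}, not ${TRUSTED_HOST}` };
  }
  return { ok: true, reason: "host matches" };
}

// Constructed sample addresses (not taken from the DMs in the post).
const SAMPLES = [
  "https://twitter.com/login",
  "HTTPS://TWITTER.COM/login",
  "http://twitter.com/login",
  "https://twitter.com.login.example/",
  "https://twitter.com@login.example/session",
  "https://twitter.com:8443/login",
  "https://short.example/aB3xY",
];

for (const s of SAMPLES) {
  const r = checkLoginUrl(s);
  console.log(`${r.ok ? "OK    " : "REJECT"} ${s}  (${r.reason})`);
}
```

A shortened link always fails this check by itself; only the address of the page it finally lands on, the one asking for the password, is worth testing.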