
How the Twitter Check Mark Fiasco Highlights the Importance of Email Authentication

Twitter is learning the hard way what email has known for years: allowing impersonation puts companies, reputation, information, and even finances at risk.

In early November 2022, Twitter announced a new subscription service that lets any user obtain a blue verification check mark next to their username simply by paying for a subscription. Since 2009, the check mark had been reserved for users who proved they were who they claimed to be; typical verified accounts belonged to politicians, athletes, celebrities, companies, and other well-known entities.

The original verification system was developed as a way for Twitter to prevent widespread impersonation of high-profile accounts, and it allowed users to determine whether the information coming from an account was authentic.

The issue with the new service is that anyone willing to pay the $7.99 subscription could create a new “verified” Twitter account and begin disseminating misinformation. This is exactly what happened within hours of its launch.

For the most part, the verification change resulted in people creating parody accounts as a way to make jokes, as seen with fake accounts posting about sports:

[Image: LeBron James Twitter screenshot]

However, the verification issue can also cause real problems for the entities being parodied. Take Eli Lilly and Company, for example: on November 10th, a fake verified account tweeted “We are excited to announce insulin is free now.” The announcement was eventually taken down, but not before the tweet had been retweeted more than 1,500 times and liked by more than 10,000 users.

As a result, Eli Lilly’s stock price dropped from $368 to $346 per share. According to reports at the time, the drop in price erased billions in market cap, and the real Eli Lilly Twitter account was forced to tweet a correction:

[Image: fake blue check Twitter screenshot]

How does this relate to email?

As you’re probably aware, email has been around for decades, but for the first 30 years or so, nearly anyone could send a message that appeared to come from someone else’s address. Email authentication techniques like SPF, DKIM, and DMARC were developed to prevent the damage that impersonation can cause.

By allowing any Twitter user to verify themselves, the company effectively ran email’s history in reverse: it allowed actors (whether benign or malicious) to impersonate anyone they wish. While Twitter has subsequently tried to ban parody accounts, damage can continue to be done.


Twitter had strong anti-impersonation protections. When those were lifted, anyone could get a check mark, and brands were put at risk of the same kind of reputation damage that Eli Lilly experienced. This may feel like a one-off event at Twitter, but it is actually the everyday state of play in email.

In just the past 5 years, the FBI has reported $43 billion in losses due to business email compromise (BEC). Thankfully, with email there are strong ways to assert your identity so that you cannot be impersonated. This is where Valimail shines.

The importance of authentication

Email is the backbone of nearly all business communications. As its importance grew, there was a real need to prevent bad actors from sending email that appears to come from domains they don’t own. In the email world, this is referred to as spoofing, and using such messages to extract valuable information from recipients is called phishing.

If you’re worried about your brand and are alarmed by what you’re seeing at Twitter, you should be even more concerned about email. With Twitter, we have to wait and see where business decisions take those programs. But for email, which is built on open standards, there’s good news today.

Brands without DMARC are attacked at 4-5x the rate of those with DMARC, because attackers prefer softer targets. DMARC prevents exact-domain spoofing. Valimail was built on the premise that email authentication is not just for the top 1% of domains, but should be available for all. To deliver on that premise, we’re taking the position that visibility should be free — and enforcement should be done in a cost- and time-efficient manner. 

Get started with Valimail Monitor for visibility into who’s trying to impersonate you, and then work with us to stamp that impersonation out.