How Twitter users can fake a verified account – and how you can tell the difference

Graham Cluley
Graham Cluley
@[email protected]

Twitter verified badgeVerified accounts on Twitter can help you tell the difference between a real celebrity’s account, and those of imposters and over-enthusiastic fans.

In this way, you can tell the real @britneyspears apart from the likes of @britney_spears and @britneyspear.

A reader got in touch this morning asking us how on earth a fictional character (Percy Jackson) had managed to get his Twitter account verified:

“How is an RP account verified by Twitter?”

We took a look, and sure enough there’s a blue verified badge beside @PerseusJackscn‘s name.

Percy Jackson Twitter account, apparently verified

Has Twitter messed up, and erroneously marked an account as verified?

After all, they don’t have an unblemished record in this regard. Who can forget when it appeared as though Rupert Murdoch’s wife Wendi Deng appeared to be flirting with Ricky Gervais on Twitter from a verified account?

In this case, however, the verified badge is bogus. Our reader was duped by a simple trick.

Here’s how it works.

Preview of verified account on TwitterWhen Twitter first introduced Verified Accounts in mid-2009, Twitter looked somewhat different.

In the old days, your bio (including your Verified badge if had one) were displayed in the top-right hand corner. No header images.

Header images are the recently-introduced (and somewhat inflexible) graphics that you can shove behind your Twitter bio, and that users will see if they visit your account on the Twitter website.

In Percy Jackson’s example, as you can see above, his header image includes a silhouette of a winged horse.

Sign up to our free newsletter.
Security news, advice, and tips.

Or in Barack Obama‘s case, a picture of adoring supporters can be seen on his verified account:

Barack Obama, verified on Twitter

On casual inspection, you may not notice any difference between the verified status of Percy and Barack’s Twitter accounts.

However, the truth is that Percy has taken advantage of Twitter’s header image facility – and simply cut-and-paste a Twitter verified badge image onto his background.

Twitter users who visit his account will assume, as our reader did, that his account is verified.

So, how can you tell the difference between a fake verified Twitter account and the real deal?

Simply hover your mouse over the Twitter badge. If it’s really a verified account, a tool-tip will pop-up confirming that the account has been verified by Twitter’s team.

Here you can see exactly that on Barack Obama’s account.

Barack Obama - truly verified on Twitter

If, however, no message pops up you can be pretty certain that the badge is only there because it has been incorporated into the user’s header image.

It would be good if Twitter could rethink its presentation of verified accounts, and not depend on the existence of an image displayed over a header graphic that can be easily altered by users.

There’s no suggestion that whoever is behind the Percy Jackson account has any malicious intent, but clearly the current way Twitter presents verified accounts could be exploited by those with mischief in mind.

If you want to keep informed about the latest security issues, feel free to follow me on Twitter.

I’m @gcluley. The account is not verified, but I could easily change my header image to make it look as though I am.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.