Following the news that Twitter admitted it accidentally reset more user passwords than it meant to during a security blitz, Jason Ding, research scientist at Barracuda Labs commented:
“By sending out these notices, Twitter may have committed a bit of an own goal. Whilst the notices initially left many users perplexed as to whether they were a real request or fake, users are now aware that Twitter will send official password-related emails. This doubt will be seized upon by hackers looking to target non-vigilant Twitter users in an attempt to acquire sensitive information through emails, which typically include malicious attachments or links to spam or phishing websites, hence perpetuating the issue.
“A common but effective suggestion to avoid phishing attacks and identify genuine emails is to always make sure the senders and links in the email match the identified domains; in many cases, manually type the URL in the browser before clicking.”
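The check described in the quote, that the sender address and every link in a password-related email agree on the domain, can be automated as a first-pass triage step. The following is an added example written for this page; it is not code from Barracuda Labs or Twitter. It parses a constructed sample message (all domains are `.example` placeholders), extracts the `From:` domain and the `href` of each anchor, and reports links whose domain differs from the sender's or whose visible text names a different host than the one the link actually points to. The `registrable_domain` helper is a deliberate simplification (last two labels only) and does not handle multi-label public suffixes such as `co.uk`.

```python
"""Flag links in an e-mail whose domain does not match the sender's domain.

Added example, not from the original article. Implements the quoted advice:
confirm that the sender and the links agree on the domain before trusting a
password-related message. The sample message and its domains are constructed.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its last two labels (simplification for the example;
    real deployments should use a public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_mismatched_links(raw_message: str) -> list:
    """Return (href, reason) pairs for links that disagree with the From: domain
    or whose visible text shows a host different from the real link target."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(sender.rpartition("@")[2])

    payload = msg.get_payload(decode=True)
    body = payload.decode(msg.get_content_charset() or "utf-8", "replace") if payload else ""
    collector = _LinkCollector()
    collector.feed(body)

    findings = []
    for href, text in collector.links:
        link_host = urlparse(href).hostname or ""
        if registrable_domain(link_host) != sender_domain:
            findings.append((href, f"link host {link_host!r} does not match sender domain {sender_domain!r}"))
            continue
        # Visible text that looks like a URL but names another host is a classic lure.
        shown_host = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if "." in shown_host and registrable_domain(shown_host) != registrable_domain(link_host):
            findings.append((href, f"visible text shows {shown_host!r} but link goes to {link_host!r}"))
    return findings


# Constructed sample: two links on the sender's domain, one on an unrelated domain.
SAMPLE_MESSAGE = "\n".join([
    'From: "Twitter Support" <support@twitter.example>',
    "To: user@mail.example",
    "Subject: Reset your password",
    "Content-Type: text/html; charset=utf-8",
    "",
    '<p>Click <a href="https://twitter.example/reset">here</a> to reset.</p>',
    '<p>Or visit <a href="https://twitter-login.example.net/reset">https://twitter.example/reset</a></p>',
    '<p>Help: <a href="https://help.twitter.example/faq">help.twitter.example</a></p>',
])

if __name__ == "__main__":
    for href, reason in find_mismatched_links(SAMPLE_MESSAGE):
        print(f"SUSPICIOUS {href}: {reason}")
```

Running the block on the sample reports only the second link: its host is `twitter-login.example.net`, which does not match the sender's `twitter.example`, even though its visible text claims otherwise. The first link matches, and the third is a subdomain of the sender's domain, so neither is flagged. A mismatch here is a signal to type the site's URL into the browser by hand rather than follow the link, exactly as the quote recommends.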