NHS boss's Twitter accounts hacked by PS5 scammers

[Image: Helen Bevan's professional Twitter account has nearly 100,000 followers. Image source: Helen Bevan]

NHS executive Helen Bevan had her two Twitter accounts, with nearly 140,000 followers, stolen by hackers and used to promote fake PlayStation 5 sales.

She now has the accounts back but has received dozens of messages from people who fell for the scam.

Ms Bevan also paid money to someone who said they could help - but they turned out to be a scammer too.

She said she wanted to highlight the importance of extra security measures.

NHS Horizons chief transformation officer Ms Bevan mistakenly thought she had activated two-factor authentication (2FA), which requires account-holders to use two methods to log in, the second often involving a code sent by text or email.

However, providing those contact details does not automatically activate 2FA, so the hackers were able to simply change the email address and phone number she had linked to the accounts once they had cracked her password.

One was a professional account with 97,000 followers discussing Ms Bevan's work, and the other one was about her cat, a local "celebrity", which was followed by 36,000 people. The hackers deleted all of her original tweets, unfollowed the people she was following, and renamed the accounts.

[Image: The rebranded account, which has now been returned to normal. Image source: Twitter]

It happened the day before Ms Bevan was due to lead an online event for thousands of people, and she had encouraged her audience to use Twitter as their discussion tool.

Facing this pressure, she felt panicked that her own account was not under her control.

"I was the social media heartbeat of this event, I didn't know what to do," she said.

"Someone said, 'You have a basic choice, you can wait for Twitter to give your account back or you can find someone to help you.'"

As her friends and network were tweeting about the hack, offers of help flooded in and she chose someone who promised to have the accounts back within 25 minutes in return for a fee of £110.

"I don't think he did anything, he kept sending me films of computer files whirring, saying this is me doing your work," she said.

"Then he said he had got it back, but Twitter had changed the verification and he needed an extra $100, then he wanted a service charge… they prey on desperate people."

She did not pay anything further and accepts that the money she handed over is lost.

After two days, Twitter itself restored the accounts for her.

When she accessed them, she found dozens of direct messages from people asking about PlayStation 5 orders.

[Image: The PS5 is in high demand. Image source: Sony]

She says she has no idea how many fake sales were generated by the scammers but the PS5s were being advertised at upwards of $450 (£320).

"They were following Walmart, Dixons, PC World, Target," she said.

"They would wait for them to tweet about PS5s and then reply, saying we've got PS5s in stock now, DM [direct message] me."

There were also Fleets - temporary Twitter posts - featuring photos of PlayStation boxes.

Ms Bevan later had to explain to all who messaged her, having paid for games consoles, that she was also a victim of the scam.

She said she wanted to share her story as a warning to others.

"There are things I now know that I wish I'd known - everybody should have two-factor authentication, it's absolutely critical that you put that on," she said.

"Also, under no circumstances, even if you're desperate, do not go to one of these services that claim they'll get your account back in 30 minutes and stuff - I think they're likely to be a scammer.

"The only thing you can do is go through Twitter. Do it one step at a time."

Lisa Forte, from Red Goat Cyber Security, said having all the security settings enabled on all social media accounts is "absolutely essential".

"This means using a complex and long password, turning on two-factor authentication and, in the case of Twitter, enabling the password-reset protection setting," she said. "Attackers are looking for easy targets. They have amazing eco-systems of businesses that allow them to take over your account, lock you out and then charge you to gain access back again."