Article

The X Phishing Scam Targeting Founders and Creators Right Now

Erdeniz Korkmaz
3 min read
The X Phishing Scam Targeting Founders and Creators Right Now

A phishing campaign is doing the rounds right now, and it's good enough that Paul Graham posted a screenshot on X with the caption "Looks legit." If that name is familiar to you, that's exactly the point.

The campaign targets X accounts with more than ten thousand followers, and accounts with desirable usernames. In other words, it targets the kind of accounts that founders, product teams, and public-facing professionals are likely to hold. The emails impersonate X support: they reference nonexistent ticket numbers, cite fabricated policy violations, and create urgency around your account being limited. Click the button to resolve it. You know the format.

Except this time, the execution is clean. Professional formatting, specific-sounding language, a plausible reason to panic. There's no obvious tell in the wording. The only thing between you and handing over your credentials is taking five seconds to scrutinise the sender address before clicking.

Why this matters for product teams

Your company X account isn't just a social media presence. For a lot of the founders and product teams we work with, it's where product updates go out, where you field support questions in public, where you build credibility over years. Losing control of it is an operational problem, not just an embarrassing one.

The damage ranges from embarrassing (nonsense posted under your brand) to genuinely harmful (using your trusted reputation to scam your followers). And if the account belongs to your founders personally, the harm is reputational in ways that are hard to recover from.

What makes this campaign worth paying attention to is the targeting. Over ten thousand followers, or a valuable username, means it's specifically after accounts that have built something worth stealing. Your company account, your lead engineer's account, your founders' accounts: if they've been around a few years and built any kind of presence, they qualify.

What you should actually do

Hardware security keys, not SMS codes, for two-factor authentication on every account that matters to your business. SMS 2FA can be bypassed through SIM-swapping attacks. A physical key can't be phished.

Your company's social media accounts should have a documented access list, reviewed the same way you'd review production access. Who has credentials? When did you last check that list? If the answer is "I'm not sure," that's the answer you're looking for.

And build the cultural habit now: urgency in an email is a red flag, not a call to action. "Your account will be limited if you don't act immediately" is precisely designed to bypass your common sense. The five-second pause is the defence.

Where Dakik comes in

At Dakik, we build web and mobile products for founders and product teams, and security runs through everything we ship: auth flows, admin access, session management, role-based controls. These decisions matter from day one, not as a bolt-on later.

We also build custom tooling on top of LLMs, and one increasingly practical application is monitoring and anomaly detection. An agent that watches for unusual login attempts across your digital assets, screens communications for social engineering patterns, or flags credential-stuffing attempts against your users is well within reach. Not a strategy document, but a running integration that sits in your stack and does something useful.

If you're building a new product, we can help you get the security layer right from the start. If you've got an existing product that has outgrown its early security decisions, we can help catch that up too. Either way, the conversation starts with what you're actually trying to protect.

Your X account, your email domain, your GitHub org, your brand: these are real assets with real value attached. The people targeting them already know that.

Share