AI Quick Answer
The Twitter/X blue verification scam impersonates X Premium billing or X support. The two main vectors are a fake renewal email ("Your X Premium subscription is suspended", "Confirm your blue check renewal", "Re-verify your account") and an in-platform DM from an impersonator handle like "@SupportTeam" or "@XHelpCenter". Both steer the victim to a lookalike domain such as twitter-secure[.]net, x-premium[.]help, or x-verify[.]co. The page collects X login credentials, 2FA codes, and payment card data. Real X never emails users from non-x.com domains, never DMs about subscription status, and never asks for passwords or 2FA codes outside the X login page at x.com. Verification status is managed inside the X app under Settings, Premium. Recovery if you clicked: change the X password, revoke all sessions and connected apps, enable authenticator-app 2FA, dispute the card charge, and file with the FBI IC3.
Why X verification became a phishing magnet
Before 2022, the blue check on Twitter was a free editorial trust signal. You could not buy it, and Twitter never emailed you about it. The reflex "Twitter does not charge for verification" used to be a near-perfect defense against this category of phish.
That defense broke when X moved verification into a paid subscription. X Premium is a recurring charge that can be canceled and can fail to renew on a dead card. The platform now has a legitimate billing relationship with millions of users and sends legitimate billing emails. Once the official path includes phrases like "your subscription will renew on", "payment failed", and "update your billing information", any clone email asking the same things stops looking absurd. The X Help Center has published explicit guidance warning that scammers exploit this transition, and X's @Safety account periodically reposts reminders about verification-themed phishing.
Two further amplifiers make the scam efficient. The audience is huge: X reports more than 600 million monthly active users, with the Premium subset in the millions. And the loss is visible. A canceled blue check is publicly visible on the account, so the urgency framing ("your badge will be removed in 24 hours") feels concrete in a way other billing scams do not.
How the X verification phishing flow actually works
The campaigns come in two delivery channels with shared payload structure. Channel one is the renewal email. Channel two is the in-platform DM impersonator. Some operators run both at once against the same target.
Channel one: the fake renewal email
The message arrives from a sender that looks like "X Premium Billing", "X Support", "Twitter Verification Team", or just "X". The display name says one thing; the actual sending address says another, usually billing@x-premium-support[.]com, noreply@xverify-mail[.]net, or a Gmail address dressed up with the X logo in the signature.
The subject lines rotate through a small set: "Your X Premium subscription is suspended", "Action required: confirm your blue check renewal", "Your verification badge will be removed in 24 hours", "Payment failed: update your billing to keep Premium active", "Re-verify your X account", and "Final notice: blue check pending cancellation".
The body mimics X's transactional email styling: the X logo at top, a white card on light grey background, a single primary call-to-action button labelled "Update billing", "Renew now", or "Re-verify account". The button does not point to x.com. It points to a lookalike domain. The lookalike page is a near-perfect clone of the X login screen. The form posts username and password to the attacker's server, then shows a fake "Update your payment method" step that captures card number, expiry, CVV, and billing address. Some variants prompt for the 2FA code right after the password and relay it in real time to the real X login on the back end. Within minutes the attacker has a working session, card details, and often the recovery email needed to take over the account.
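The tells in this flow (display name versus real sender domain, a Reply-To on a third domain, a call-to-action whose href is not on X, and urgency wording) are all mechanically checkable. As an added example, not SafeBrowz code and not part of the original article, the Python below runs those checks over a constructed renewal email and a constructed genuine receipt. The sender allowlist (x.com, e.x.com) and link allowlist (x.com, twitter.com and their subdomains) follow the article's own rules; the sample headers, domains and `triage` function are assumptions made for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Sender domains the article attributes to X transactional mail.
X_SENDER_DOMAINS = ("x.com", "e.x.com")
# Hosts the article says X actually uses for login, billing and help (subdomains included).
X_LINK_DOMAINS = ("x.com", "twitter.com")
URGENCY = re.compile(r"24 hours|48 hours|suspended|final notice|action required|payment failed", re.I)

# Constructed sample modelled on the renewal lure described above; not a real capture.
PHISH_EMAIL = """\
From: X Premium Billing <billing@x-premium-support.com>
Reply-To: support@xverify-mail.net
To: victim@example.org
Subject: Action required: confirm your blue check renewal
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your X Premium payment was declined. Your verified badge will be removed in 24 hours.</p>
<a href="https://x-premium.help/login?u=victim">Update billing at x.com/settings/premium</a>
</body></html>
"""

# Constructed sample of what a genuine receipt looks like under the article's rules.
LEGIT_EMAIL = """\
From: X <info@x.com>
To: victim@example.org
Subject: Your X Premium renewal receipt
Content-Type: text/html; charset=utf-8

<html><body><p>Thanks for renewing.</p>
<a href="https://x.com/settings/premium">Manage your subscription</a></body></html>
"""


class _Links(HTMLParser):
    """Collect (href, visible text) for every anchor in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append(tuple(self._open))
            self._open = None


def _on(host: str, domains) -> bool:
    """True if host is one of the domains or a subdomain of one (no substring matching)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(raw: str) -> dict:
    msg = message_from_string(raw, policy=policy.default)
    display, sender = parseaddr(str(msg["From"] or ""))
    sender_domain = sender.rpartition("@")[2].lower()
    findings = []

    # Display name borrows the brand while the real address lives elsewhere.
    if re.search(r"\b(x|twitter)\b", display, re.I) and not _on(sender_domain, X_SENDER_DOMAINS):
        findings.append(f"display name impersonates X; real sender domain is {sender_domain}")

    # Reply-To quietly routed to a third domain.
    reply_domain = parseaddr(str(msg["Reply-To"] or ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != sender_domain:
        findings.append(f"reply-to domain {reply_domain} differs from sender domain {sender_domain}")

    # Every call-to-action must land on X; anchor text naming x.com while the href
    # goes elsewhere is the signature of the cloned button.
    body = msg.get_body(preferencelist=("html", "plain"))
    parser = _Links()
    if body is not None:
        parser.feed(body.get_content())
    for href, text in parser.links:
        host = urlsplit(href).hostname or ""
        if not _on(host, X_LINK_DOMAINS):
            findings.append(f"link to non-X host {host}")
            if re.search(r"\b(x|twitter)\.com\b", text, re.I):
                findings.append(f"anchor text claims x.com but href goes to {host}")

    # Urgency wording corroborates; it is never decisive on its own.
    if URGENCY.search(str(msg["Subject"] or "")):
        findings.append("urgency cue in subject")

    strong = [f for f in findings if not f.startswith("urgency")]
    return {"sender_domain": sender_domain, "links": parser.links,
            "findings": findings, "phish": bool(strong)}


if __name__ == "__main__":
    for name, sample in (("phish", PHISH_EMAIL), ("legit", LEGIT_EMAIL)):
        result = triage(sample)
        print(name, "->", "PHISH" if result["phish"] else "clean")
        for finding in result["findings"]:
            print("   ", finding)
```

The verdict is driven by header and link evidence; the urgency regex only corroborates, so a genuine "payment failed" receipt from x.com that links back to x.com is not flagged. Note that `_on` matches whole labels, so x.com.evil[.]net does not pass as x.com.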
Channel two: the "@SupportTeam" DM impersonator
The second flow runs entirely inside X. A reply or DM lands from an account with a name like "@SupportTeam", "@XHelpCenter", "@X_Verification", "@PremiumSupport", or "@SafetyTeam_X". The profile picture is the X logo or an X-branded support avatar. Some impersonators carry a blue check because they bought X Premium themselves. The Premium check is an $8 monthly subscription badge, not an identity verification, and that distinction is the crux of the trick.
The DM opens with a tailored hook. If you posted publicly that your account is having issues, the DM cites that exact issue. If you have a verified badge, the DM tells you your subscription failed to renew. If you do not have one, the DM offers free legacy verification under a fake "creator program". X's Trust and Safety policies list impersonation as a top-volume violation, and X's @Safety account has repeatedly stated that real X support does not DM users to resolve account issues. The official support channel is help.x.com, accessed by typing it manually or via the in-app Help menu, not through any DM link.
The lookalike domain catalogue in active 2026 rotation
Several domain families show up across the renewal-email and DM-impersonator campaigns. Pattern-matching them is faster than memorising every variant.
- twitter-* prefixes: twitter-secure[.]net, twitter-support[.]help, twitter-verify[.]co, twitter-billing[.]com. The legacy brand name still works as a lure post-rebrand.
- x-* prefixes: x-premium[.]help, x-verify[.]co, x-support[.]net, x-billing[.]info, x-account-help[.]com.
- *-x suffixes: premium-x[.]net, verify-x[.]com, support-x[.]help. The "x" floats around the keyword in any position.
- Help-themed TLDs: .help, .support, .live, .info, .co, .net. Cheap, instantly available, and service-flavoured.
- Subdomain laundering: x-premium.suspended-account[.]help, billing.x-verify[.]co. The real registrable domain is buried under a subdomain that loudly reads "x-premium", which is what mobile users see.
- Free-hosting platforms: pages.dev, web.app, netlify.app, vercel.app, wixsite.com, carrd.co. Lookalike form on a legitimate subdomain keeps the URL short and the certificate genuine.
- Cyrillic and Punycode homographs: a Cyrillic small letter х (U+0445) or a similar glyph substituted for a Latin letter in the brand name. Depending on the browser's IDN display policy, the address bar can render the Unicode form, which reads as x.com, while the name that actually resolves is its Punycode (xn--) form.
None of these belongs to X. X's verification, billing, and help surfaces live on three domains only: x.com, help.x.com, and twitter.com (the legacy redirect). Anything else is not X infrastructure.
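The catalogue above reduces to a handful of host-level checks. As an added example, not code from the original page and not SafeBrowz's detection logic, the Python below classifies a URL by its host: it allowlists x.com and twitter.com with their subdomains, flags Unicode or xn-- labels as homographs, treats the free-hosting platforms as public suffixes so the attacker-chosen label becomes the registrable name, and distinguishes a brand token in the registrable domain (x-premium[.]help) from one laundered into a subdomain prefix (x-premium.suspended-account[.]help). The `registrable_domain` helper is an assumption that stands in for a real public-suffix list, and the sample URLs are constructed from the families listed above.

```python
import re
from urllib.parse import urlsplit

# The only surfaces the article attributes to X; help.x.com and e.x.com are subdomains of x.com.
X_DOMAINS = ("x.com", "twitter.com")

# Free-hosting platforms from the catalogue. Treated as public suffixes so the
# registrable name becomes the attacker-chosen label (e.g. x-login.pages.dev).
FREE_HOSTING = ("pages.dev", "web.app", "netlify.app", "vercel.app", "wixsite.com", "carrd.co")

# Cheap, service-flavoured TLDs the campaigns favour. A weak signal on its own.
SERVICE_TLDS = {"help", "support", "live", "info", "co", "net"}

# Brand token: "twitter" anywhere in a label, or "x" standing alone / hyphen-delimited
# ("x-premium", "premium-x", "x"). A bare "x" glued to a word is deliberately not matched.
BRAND_TOKEN = re.compile(r"twitter|(?:^|-)x(?:-|$)")
LURE_WORDS = ("premium", "verif", "support", "billing", "secure", "account", "help", "suspend")

# Reasons that alone justify a phish verdict; the rest only make a host suspicious.
STRONG = {"homograph", "free_hosting", "brand_lookalike", "subdomain_laundering"}


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1. Assumption: no public-suffix list, so two-label public
    suffixes such as co.uk are not handled; the free-hosting platforms are special-cased."""
    for platform in FREE_HOSTING:
        if host.endswith("." + platform):
            owner = host[: -len(platform) - 1].rsplit(".", 1)[-1]
            return f"{owner}.{platform}"
    return ".".join(host.split(".")[-2:])


def classify(url: str) -> dict:
    """Return {"host", "verdict", "reasons"}; verdict is official, phish, suspicious or unknown."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in X_DOMAINS):
        return {"host": host, "verdict": "official", "reasons": []}

    labels = host.split(".")
    reasons = []

    # Unicode or Punycode (xn--) label: the homograph pattern.
    if any(ord(c) > 127 for c in host) or any(lab.startswith("xn--") for lab in labels):
        reasons.append("homograph")

    reg = registrable_domain(host)
    if any(reg.endswith("." + p) for p in FREE_HOSTING):
        reasons.append("free_hosting")

    # Brand token in the registrable name (x-premium.help) versus only in a subdomain
    # prefix (x-premium.suspended-account.help, x.com.evil-secure.net).
    reg_labels = reg.split(".")[:-1]
    sub_labels = host[: -len(reg) - 1].split(".") if len(host) > len(reg) else []
    if any(BRAND_TOKEN.search(lab) for lab in reg_labels):
        reasons.append("brand_lookalike")
    elif any(BRAND_TOKEN.search(lab) for lab in sub_labels):
        reasons.append("subdomain_laundering")

    if any(word in host for word in LURE_WORDS):
        reasons.append("lure_keyword")
    if labels[-1] in SERVICE_TLDS:
        reasons.append("service_tld")

    if STRONG & set(reasons):
        verdict = "phish"
    elif reasons:
        verdict = "suspicious"
    else:
        verdict = "unknown"
    return {"host": host, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample URLs drawn from the domain families listed above.
    for u in ("https://x.com/settings/premium", "https://help.x.com/",
              "https://x-premium.help/login", "https://x-premium.suspended-account.help/",
              "https://x-login.pages.dev/", "https://x.com.evil-secure.net/login",
              "https://\u0445.com/login", "https://example.org/"):
        r = classify(u)
        print(f"{r['verdict']:<10} {r['host']:<36} {', '.join(r['reasons'])}")
```

The allowlist test is done on whole labels, so x.com.evil-secure[.]net fails it and is then caught by the subdomain-laundering rule. In a browser extension the same logic would run against `new URL(href).hostname`, which already yields the xn-- form for homograph labels.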
Phishing templates seen in 2026
These four template variants account for the majority of X verification phish we have catalogued through our brand-impersonation research feed and from FTC and FBI IC3 social media fraud advisories in 2024 and 2025.
Template A: payment-failed urgency
"Hi @username, we tried to renew your X Premium subscription but the payment was declined. Your verified badge will be removed within 24 hours unless billing is updated. Renew now: [lookalike link]". Urgency is the trigger; the link captures login and card in one form.
Template B: re-verify your account
"To comply with updated platform policies, all verified accounts must re-confirm their identity within 48 hours. Failure to re-verify will result in badge removal. Begin re-verification: [lookalike link]". The policy framing makes the demand sound regulatory, not commercial.
Template C: free legacy verification reinstated
"As part of X's 2026 creator program, your account has been pre-selected for free verification. Complete eligibility confirmation within 24 hours to receive your blue badge at no cost. Apply here: [lookalike link]". The aspirational hook works on accounts without a blue check; the "eligibility application" collects credentials.
Template D: copyright or community-standards strike
"Your X account has been flagged for a copyright violation report. Verified status and account access will be suspended within 24 hours unless you appeal through the official form. Appeal: [lookalike link]". High pressure, aimed at creators and brand accounts. The appeal form is a credential phish wearing a copyright-appeal mask.
How to recognise real X support and billing
X's official help center is help.x.com. Subscription management lives inside the X app at Settings, Premium, which shows the renewal date, payment method, and cancellation status without any link from any email. X transactional emails come from @x.com and @e.x.com sender domains only.
X never DMs users to resolve billing, verification, or account status issues. X never asks for your password, 2FA code, or recovery email outside the login page on x.com. Any third-party page that prompts for these is phishing regardless of how convincing the design is.
How SafeBrowz blocks this threat
SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.
- Layer 1, Local detection: 60+ URL patterns and 550+ brand-specific signatures (including Cyrillic and Punycode homograph variants for "x" and "twitter") plus community whitelist and blacklist, all running directly in the extension before the page renders. Catches the twitter-* and x-* lookalike domain family, the help-themed TLD pattern (twitter-secure[.]net, x-premium[.]help, x-verify[.]co), and the free-hosting subdomain pattern (something.pages.dev / .web.app / .netlify.app pretending to be X login) instantly.
- Layer 2, API checks: aggregates Google Safe Browsing, PhishTank, URLhaus, ScamAdviser, and 30+ scam-TLD signals for known malicious domains.
- Layer 3, AI deep scan (Premium): 100+ language content analysis catches novel variants in seconds by recognising X login UI and X Premium billing copy served from anything that is not x.com, help.x.com, or twitter.com.
Detection signatures come from threat-intelligence research and brand database analysis, not from user browsing data. Per-user URL history is never stored.
Recovery playbook if you already entered credentials or card data
The window between submission and account takeover is typically under fifteen minutes. The window before card data is charged or sold is usually under an hour. Treat the next sixty minutes as the recovery window.
- Change your X password immediately. Type x.com manually. Settings, Security and account access, Change password. Use a long unique password. If you cannot log in because the attacker has already changed the password, skip ahead to the account-recovery request below.
- Enable authenticator-app 2FA. Settings, Security and account access, Two-factor authentication. Choose Authentication app, not SMS. SMS 2FA is bypassable via SIM swap, and an authenticator-app code is generated on your device from a secret that never leaves it, so a code stolen today is worthless after it expires. Be clear about the limit, though: a real-time phishing proxy of the kind described above can still relay a freshly typed authenticator code. Only a hardware security key or passkey defeats that, because the credential is bound to the x.com origin and cannot be completed from a lookalike domain.
- Revoke all active sessions and connected apps. Settings, Security and account access, Apps and sessions. Log out every session you do not recognise and revoke every app with access. Attackers chain X access into linked services.
- If you cannot log in, file an account-recovery request. Type help.x.com manually. Use the "I can't log in" flow. Recovery can take 24 hours to several weeks; the queue is order-of-arrival.
- Dispute the card charge. Call your card issuer. Report the transaction as fraud, request a new card, and ask the issuer to block the merchant ID. Chargeback windows are usually 60 to 120 days on Visa, Mastercard, and Amex.
- Change your recovery email password too. Attackers pivot from X credentials into the linked email to suppress security alerts. Change the email password, enable authenticator-app 2FA on it, and review recent activity.
- File a report with FBI IC3 and FTC. ic3.gov and reportfraud.ftc.gov. Include the phishing URL, sender email or DM handle, screenshots, card amount, and timestamps. FBI IC3 2024 social media fraud reporting covers verification and subscription scams directly.
- Report the impersonator to X. Three dots on the profile, Report account, Impersonation. For the lookalike domain, report the URL through help.x.com under the phishing report flow.
Protection guide: X security settings worth turning on now
Five account-level changes cut the success rate of verification phishing to near zero.
- Authenticator-app 2FA, not SMS. Settings, Security and account access, Two-factor authentication. SMS 2FA can be SIM-swapped or intercepted in transit. An authenticator app generates the code on your device from a secret that never leaves it, which closes the SIM-swap route. It does not stop a real-time phishing proxy that relays the code you type into a lookalike page, so treat it as the floor and the hardware key below as the ceiling.
- Hardware security key for Premium accounts. Register a YubiKey, Google Titan, or passkey under the same 2FA menu. Hardware keys and passkeys are phishing-resistant by protocol design: the WebAuthn assertion is bound to the x.com origin, so a challenge relayed through a lookalike domain fails and there is no code for the victim to type.
- Filter DMs from non-followers. Settings, Privacy and safety, Direct messages. Turn off "Allow message requests from everyone" and turn on "Filter low-quality messages". Routes impersonator DMs into the request folder.
- Lock down email recovery. Set a unique password and authenticator-app 2FA on the email tied to your X account. Most X account takeovers escalate by hijacking the recovery email first.
- Install a browser-layer phishing scanner. The lookalike domain is the choke point. Catching it at the click, before the login form renders, removes every downstream loss. SafeBrowz runs free across Chrome, Firefox, and Edge with X, Twitter, and X Premium in the 550+ brand database.
Install SafeBrowz free
Add the browser extension that runs every check in this article automatically, on every page, before it renders. Free forever. Premium at $14.99/year unlocks the AI deep scan layer.
Frequently asked questions
Does X ever email about subscription suspension or renewal?
X sends real transactional billing emails only from x.com and e.x.com sender domains. The safe path is to ignore the email body and check Settings, Premium inside the X app, which shows the real renewal date, payment method, and any failed charges without any link. Any email from a non-x.com domain claiming your subscription is suspended is impersonation, as is any email asking you to click a link to re-verify rather than directing you to manage the subscription inside the app.
The DM came from an account with a blue checkmark. Doesn't that prove it is real X support?
No. The blue check on X is the X Premium subscription badge introduced in 2022. Any account paying the $8 monthly fee gets one, with no identity verification of the underlying entity. Impersonators routinely buy Premium for the scam account. Tap the badge to see what kind of verification the account holds. Subscribed to Premium is not the same as officially verified as X support. Real X support handles are documented at help.x.com and the @Safety and @XSupport accounts; nothing else is X.
How much does real X Premium cost, and how is it managed?
X Premium has been advertised at around $8 per month on web, with higher in-app pricing on iOS and Android to cover App Store and Google Play fees. X also runs Premium+ and Basic tiers at different price points. The authoritative pricing and billing flow lives at help.x.com under the X Premium documentation and inside the X app at Settings, Premium. Real subscriptions are managed inside the app, never via a link in an email or DM.
I entered my password on a lookalike page but not the 2FA code. Am I safe?
Not yet. The attacker has your password and may already be attempting the 2FA step on real X. Change your X password immediately by typing x.com manually, enable authenticator-app 2FA, log out of every session under Settings, Security and account access, Apps and sessions, and change the password on every account where you reused it. Credential-stuffing tools will try the same password against email, bank, exchange, and cloud storage within hours of the breach.
I entered my card details on the lookalike billing page. What happens next?
Card data captured by phishing pages is usually charged within minutes for low-value test transactions to confirm the card is live, or sold on carding markets within hours. Call your card issuer immediately, report the transaction as fraud, request a new card, and ask the issuer to block the merchant ID. File at reportfraud.ftc.gov and FBI IC3 at ic3.gov with the lookalike URL, the captured amount, and timestamps. The chargeback window on Visa, Mastercard, and Amex is typically 60 to 120 days.
Can I rely on the address bar to spot the fake page?
The address bar is necessary but not sufficient. Mobile browsers truncate the URL and often hide the bar entirely after a tap. Punycode and Cyrillic homographs can make a lookalike read x.com while the resolved domain is something different. Subdomain laundering buries the real registrable domain behind a long prefix. The cleaner habit is to never click an X link from an email or DM at all, and instead type x.com or help.x.com manually when account management is needed.
How fast does X actually remove a verified badge if I do nothing?
X manages Premium subscription lifecycle through its standard billing system. If a real subscription fails to renew, the documented behaviour at help.x.com is a grace period during which X retries the charge, then the badge is removed if the subscription remains unpaid. The 24-hour removal urgency framing in scam emails is fabricated. There is no real 24-hour clock on real X billing failures, and the legitimate way to address one would be inside the X app at Settings, Premium.
Where should I report a confirmed X verification phishing attempt?
Report in four places. First, report the impersonator account or DM directly on X under Report, Impersonation. Second, submit the phishing URL to X through help.x.com. Third, file a complaint at the FBI IC3 (ic3.gov) and the FTC Consumer Sentinel at reportfraud.ftc.gov. Fourth, submit the lookalike domain to PhishTank and Google Safe Browsing so the URL feeds downstream blocklists used by browsers and email providers globally.
Related reading
- Instagram verification badge scam: how 'apply for verification' DMs steal accounts in 2026, the Meta-side variant of the same paid-verification phishing playbook
- The fake Twitter support account draining wallets right now, the DM-impersonator pattern targeting crypto users on X
- Search engine phishing: how scammers buy Google Ads to phish you, the paid-ads variant of brand impersonation
- Spear phishing on LinkedIn: how attackers profile you before the email arrives, the targeted-attack pattern that uses verification status as a research signal
Bottom line: The X verification scam works because X actually charges for verification now, and the legitimate billing emails X sends have created the cover story that the phishing emails imitate. Real X never DMs you about subscription status, never emails you from a non-x.com domain, and never asks for your password or 2FA code outside the login page at x.com. Manage your subscription inside the X app at Settings, Premium. Type help.x.com manually if you need support. Turn on authenticator-app 2FA or a hardware key. And add a browser-layer scanner like SafeBrowz so the lookalike page never gets a chance to render the login form in the first place.