You have heard of trend-jacking and brand-jacking techniques, but 2025 may be the year of musk-jacking!

Elon Musk’s fame has become the center of attention by fixated cybercriminals and fraudsters alike. Just this week, his social media firm X (ex-Twitter) has been under heavy attack, and an SMS phishing campaign riding on his visibility is being launched against ordinary consumers.

First, regarding the X outages: The firm had experienced three separate outages in different parts of the world, likely caused by distributed denial-of-service (DDoS) attacks. The first outage had occurred around 11 March (5.30am Eastern time) followed by another at 9:30am, and a third at 11:10am.

According to Jake Moore, Global Security Advisor, ESET, DDoS attacks are “that much more difficult to protect from when the landscape is completely unknown apart from having generic DDoS protection. However, even with such protection, each year threat actors become better equipped and use even more IP addresses such as home IoT devices to flood systems making it increasingly more difficult to protect from. All that can be done to future proof their networks is to continue to expect the unexpected and build even more robust DDoS protection layers.”

Musk has since suggested that the attack was highly coordinated, possibly involving a large group or a country.

Second, since January this year, scammers have been sending SMS messages that address each recipient by name, promising lower electricity bills if they purchase a fake device. Generally, the primary goal of the phishing messages is to persuade potential victims to activate a link in message that would collect their personal and financial information, or even lead to the download of malware. 

According to Bitdefender researchers, an additional scam involving Musk even has dodgy we advertisements featuring his likeness and his (fake) recommendations for the “electricity saving invention”.

Regardless of which high profile personality and his businesses are involved, or how formidable and state-sponsored the attackers are, the standard cybersecurity hygiene rules apply.

One of the many variants of fake ads for the worthless electrical device