Account harvesters rely on social engineering to get you to hand over your ID and password. By making it seem that a contact sent the message, they give you a false sense of security: you're far more likely to sign in to a site your 'friend' has recommended.
When you get a random tweet in your public timeline with just a link on it, from someone you don't know, it's easy to spot. When you receive a tweet or Direct Message from someone you know, it's less easy to spot. Here are a few things to think about:
- Is it 'out of character'?
- Would they normally use the public timeline and not Direct Message?
- Is the spelling OK?
- Have you seen any 'chatter' on Twitter about DM spam?
If you've clicked on a link and are asked to 'sign in to Twitter to see this page' (or similar), think carefully before you do. Check the web address: is it really an official Twitter site? Chances are it's a disguised web address meant to fool you into parting with your login details.
Sometimes smartphones do take you to the twitter.com site rather than opening the page in the app you're using. This is a rare occurrence and, in general, you're safer not logging in.
If you're in any doubt, tweet the person back and confirm whether or not it's really from them.
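The 'check the web address' step above, as an added example that is not part of the original post: a small Python check, using only the standard library, that reports where a link really points. It assumes only twitter.com and its subdomains count as official, and the sample links are constructed here with example.net as a placeholder.

```python
from urllib.parse import urlsplit

# Assumption for this example: only twitter.com and its subdomains are official.
OFFICIAL_DOMAIN = "twitter.com"


def classify_link(url: str) -> str:
    """Classify a link from a tweet or DM by the host it really points to.

    Returns one of:
      "official"        host is twitter.com or a subdomain of it
      "userinfo-trick"  'twitter.com' appears before an '@', so it is only a
                        username and the real host is whatever follows the '@'
      "lookalike"       host contains 'twitter' but sits under another domain,
                        or uses non-ASCII characters (possible homoglyphs)
      "other"           an ordinary link to some other site
      "invalid"         not an http(s) URL that can be parsed
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return "invalid"
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return "invalid"
    host = parts.hostname.rstrip(".")  # hostname is already lowercased
    if host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN):
        return "official"
    if parts.username and OFFICIAL_DOMAIN in parts.username.lower():
        return "userinfo-trick"
    if "twitter" in host or not host.isascii():
        return "lookalike"
    return "other"


if __name__ == "__main__":
    # Constructed sample links; example.net stands in for any unrelated site.
    samples = [
        "https://twitter.com/login",
        "https://mobile.twitter.com/",
        "http://twitter.com@example.net/login",
        "https://twitter.com.example.net/login",
        "https://example.net/",
        "twitter.com/login",
    ]
    for link in samples:
        print(f"{classify_link(link):15} {link}")
```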
So, the worst happens and your account starts spewing spam. Now what?
Change your password.
It's also a really good idea to go into the settings page on your Twitter account and revoke access for connected applications as well.