In theory at least, you could be more sinister with this: for example, if you used, say, a ll0ydsbank or 02 account in conjunction with this to issue an urgent message to users asking them to reset their security details, etc.

Given that that would still be possible if the user was redirected to the real URL for that tweet, I think it would be better (and fairly easy?) for Twitter to give a 404 if the name in the URL didn't match the account the tweet was sent from?
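The check suggested above, sketched as an added example (not code from the post or from Twitter). The `/<name>/status/<id>` URL shape, the `resolve_status_url` function, the three policy names and the sample tweet table are assumptions made for illustration; it compares the three possible server responses to a URL whose name does not match the sending account.

```python
import re

# Constructed sample data: tweet id -> screen name of the sending account.
TWEET_AUTHORS = {
    "1001": "lloydsbank",  # placeholder standing in for a genuine account
    "1002": "ll0ydsbank",  # lookalike account name used in the post
}

# Assumed URL shape: /<screen_name>/status/<tweet_id>
STATUS_PATH = re.compile(r"^/(?P<name>[A-Za-z0-9_]{1,15})/status/(?P<id>\d+)/?$")

POLICIES = ("ignore", "redirect", "strict")


def resolve_status_url(path, policy="strict", authors=TWEET_AUTHORS):
    """Return (http_status, canonical_path_or_None) for a tweet URL.

    ignore   - serve the tweet whatever name is in the URL
    redirect - 301 to the URL carrying the real sender's name
    strict   - 404 unless the name in the URL is the real sender
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown policy: {policy!r}")
    match = STATUS_PATH.match(path)
    if match is None:
        return 404, None
    author = authors.get(match["id"])
    if author is None:
        return 404, None  # no such tweet
    canonical = f"/{author}/status/{match['id']}"
    # Screen names are compared case-insensitively (assumption).
    if match["name"].lower() == author.lower():
        return 200, canonical
    if policy == "ignore":
        return 200, canonical
    if policy == "redirect":
        # The visitor still lands on the lookalike account's tweet.
        return 301, canonical
    return 404, None


if __name__ == "__main__":
    # Trusted-looking name in the URL, tweet actually sent by the lookalike.
    url = "/lloydsbank/status/1002"
    for policy in POLICIES:
        print(policy, resolve_status_url(url, policy))
```

Only `strict` stops the mismatched link from ending on the lookalike account's tweet; `redirect` fixes the address bar but still delivers the message.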