Moderating Safely and Securely
Moderator: the title you give to people who have the responsibility of managing your chat and community. Answering the call to protect your community and its members at all costs, they are integral to any successful Discord server. But it’s important to remember that moderators have to be safe online, just like the users they fight to protect. The first step is to secure your own account with a strong password and backup login methods, all of which you can learn more about in this article on the importance of securing your Discord account.
In this article, we’ll explain how moderators can do their job safely and securely, cover how to handle links, scams, and possible doxxing attempts, and introduce some general best practices to keep you and your account safe.
Native Features to Fight Spam
Spam has historically plagued all online platforms: it is a simple way to troll, and it is easy to change and adapt to suit the spammer’s needs. Discord has begun to implement progressive changes to how they detect spam on the platform, updating, tweaking, and fine-tuning their anti-spam systems daily to catch more and more spammers and spam content.
First, we’ve implemented the Malicious Link Blocker, a system that warns a user before they visit specific sites, similar to the warnings you see in Chrome. It is meant to minimize exposure to spam content, but it’s important to remember that it doesn’t catch everything. Keep in mind, just because a link does not trigger the Malicious Link Blocker doesn’t mean that the link is safe! Always be careful when clicking links from unknown users that may seem suspicious.
What the Malicious Link Blocker looks like in action.
Discord also introduced another anti-spam feature, which auto-detects and hides content from likely spammers in servers, reducing outright spam. These messages will automatically be hidden by the Server Channel Spam Redaction system.
How to Handle Malicious Content
When you take on the title of community moderator, you become a front-facing member of your server. As a result, you have to be up-to-date on the newest methods for moderating safely and securely, not only to keep you and your team safe but also to help educate your community. This includes knowing how to spot and handle malicious links, files, scams, and phishing attempts. It also helps to know how to deal with threats to your community members and doxxing concerns.
Now we’ll explore how to safeguard against these types of risks.
Spotting Problematic Links and Files
As a moderator, you might come across malicious content shared in your server in the form of links and files. Malicious links and files come in all shapes and sizes. Some try to get ahold of your account credentials, such as your login information or token, while others try to have you download malware that can harm your computer.
If you do not recognize the domain, try doing a Google search to find out more information about the link before clicking on it. Some links try to imitate real websites to trick users into thinking they are safe to click when, in fact, they are malicious. Be sure to double-check the spelling of common domains so that you aren’t tricked into thinking a link goes to YouTube when it actually goes to “YouTbue”, for example. A more subtle way you might encounter malicious links is through embedded messages from bots or webhooks. Unlike normal users, bots and webhooks can hyperlink text in a message. Be sure to double-check where a link leads to when clicking on it.
For example, you can encounter an embedded message that looks like https://discord.com, but is hyperlinked to another site. The link in the previous message doesn’t actually go to the Discord Moderator Academy that is usually found at that domain, but is hyperlinked to another page. This is one way attackers can mask their malicious URLs.
Another thing to keep an eye out for when looking for malicious links is a link made with a URL shortener website, which might hide a malicious domain name.
Although URL shorteners are a convenient way to make links more compact and easier to read, they also hide the final destination of the URL, which could be a malicious website. When dealing with these types of shortened URLs, you should first prioritize determining where it leads. You can use a URL expander such as URLScan or Redirect-Checker to do this. Once you have a better idea of what is on the other side of the URL, you can decide whether it is safe or not to visit the site and remove and/or report the message if need be.
As a rule of thumb, it is never a good idea to follow links sent by strangers! If you still are unsure about the destination of a link, you can use sites like VirusTotal to check for any potential malware or illicit content.
You should always exercise caution when downloading files from anyone on Discord, whether it’s from a stranger or someone you think you know. One of the most dangerous files is a “.exe” file. These files execute some sort of function on your computer, which can leak information to the sender or have other serious consequences.
In some cases, downloading a malicious file won’t immediately affect your computer until the file or program is run or opened. This is important to keep in mind, since downloading a file can give you a false sense that it is safe because “nothing bad happened”, until you run whatever you downloaded!
If you do decide to trust the download, take the extra precaution to run it through VirusTotal or similar websites to search for potential dangers. It’s also good to use your anti-malware software to scan these files. If you want to run the message through one of these websites without risking a click on anything illicit, right-click the message on Discord and choose “Copy Link” from the dropdown.
If you encounter misspelled links and other sketchy-looking links, it might be a good idea to add them to a text filter or to your moderation bots’ banlist. If you are sure that a link sent on your server is malicious or dangerous, be sure to remove that user from your server so they cannot privately try to spread these links to other users, and make sure to report it to Discord using the online form.
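The checks described in this section (misspelled domains such as “YouTbue”, hyperlinked text that shows one site but leads to another, and URL shorteners) can be automated for a text filter or moderation bot. The following is an added example, not code from Discord or the original article; the trusted and shortener lists, the markdown form [text](url) for hyperlinked text, and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumed lists for illustration; tune them for your own server.
TRUSTED = {"discord.com", "youtube.com", "steamcommunity.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
MASKED = re.compile(r"\[\s*([^\]]+?)\s*\]\((https?://[^\s)]+)\)")  # [text](url)
BARE = re.compile(r"https?://[^\s)\]]+")
DOMAINISH = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

def host_of(text):
    """Lower-cased hostname of a URL or bare domain, without a leading www."""
    return (urlsplit(text if "://" in text else "//" + text).hostname or "").removeprefix("www.")

def distance(a, b):
    """Levenshtein edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[-1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host):
    """Return 'trusted', 'shortener', 'lookalike of <domain>' or 'unknown'."""
    if any(host == t or host.endswith("." + t) for t in TRUSTED):
        return "trusted"
    if host in SHORTENERS:
        return "shortener"
    # Simplification: treat the last two labels as the registered domain.
    base = ".".join(host.split(".")[-2:])
    for t in sorted(TRUSTED):
        if 0 < distance(base, t) <= 2:
            return "lookalike of " + t
    return "unknown"

def triage(message):
    """List (url, finding) pairs a moderator should review before clicking."""
    findings = []
    for shown, target in MASKED.findall(message):
        if DOMAINISH.fullmatch(shown) and host_of(shown) != host_of(target):
            findings.append((target, "text shows " + host_of(shown)))
    for url in BARE.findall(message):
        if (verdict := classify(host_of(url))) != "trusted":
            findings.append((url, verdict))
    return findings

SAMPLE = "[https://discord.com](https://example.net/login)"  # constructed sample
```

Calling triage(SAMPLE) reports the target twice, once because its text shows discord.com and once because its host is unknown. A "shortener" finding only says the destination is hidden, so expand it with a tool such as URLScan before judging it.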
Recognizing Scamming and Phishing Attempts
Scammers use many different techniques to trick you into giving them your personal information. They may try to steal your Discord login credentials, user token, or private information through carefully crafted scam attempts, thus giving them access to your account for problematic purposes.
Phishing is when a scammer convinces you to do anything that provides them access to your device, accounts, or personal information. They can more easily infect you with malware or steal your personal information by impersonating people or an organization who need this information. An example of this is a scammer claiming to be a Discord Staff Member or claiming to be from official Discord programs such as Partners or HypeSquad Events. Some more ambitious scammers could also include someone claiming to be from local law enforcement.
It is important to know that Discord Staff will only ever communicate through accounts with a staff badge or through System DMs. We will never ask you for your password. A Discord System DM will look exactly like the photo above in your direct message inbox. Check out their Discord System Messages blog post for more information about how Discord sends direct messages.
These social engineering tactics "bait" you with a trusted looking icon or name to obtain your personal information. These schemes may persuade you to open an attachment, click on a link, complete a form, or respond with personal information to make it easier for them to steal your account.
Common Scams and Red Flags
Scams are constantly evolving and changing, but they do tend to follow similar patterns. Remember, Discord will never ask you for your password, even through official means of support, nor will we give away free Discord Nitro through bots. Some common scams on the platform that are combatted every day are as follows:
Prize Scams. If it’s too good to be true, it probably is. Scammers might try to get your information through empty promises of fake prizes. A common prize scam is random bots sending you a message that you’ve won a month of Discord Nitro. If these bots are not directly connected to a server giveaway you were a part of, this giveaway is likely fake and the links they sent are malicious. Discord would never use a bot to send this information to you directly, and even verified bots can be hacked to share these malicious links.
Steam Scams. Has someone ever sent you a message apologizing for “accidentally reporting you” on Steam? This is yet another way scammers try to infiltrate your accounts. They refer you to someone who can fix the issue, along with a link that looks like Steam’s website but is, in truth, a phishing link. If you look closely, you can spot typos in their domain name such as “steamcomnmunity,” “sleamcommunity,” and many others.
Most companies usually handle support issues on their websites, so be on the lookout for anyone claiming to want to help you through Discord representing a company or a service. Regarding the above example, Steam will always use its platform to resolve relevant issues and never reach out through Discord to settle problems with your account.
Game Scams. Be aware of random users who message you asking if you want to test their new game. This is another attempt to compromise your account and unlock your private information through phishing. Requests from strangers or friends to try their game usually mean that their account has been compromised, and they are now attempting to gain access to yours. If you have other means of contacting this user off-platform, it is good to alert them to the fact that their account has been compromised to see if they can regain control of it or contact Discord Support about the issue.
Discord Recruitment Scams. Another type of scam is where external individuals or companies pretend to represent Discord and offer fictitious job opportunities. The scammer will try to impersonate a Discord employee either on Discord itself or via external sites. This is a serious security concern, so there is a whole page about this scam that you can read here: Discord Recruitment Scams. You can only apply to their jobs through their official careers website. All communication from Discord regarding hiring will come from discord.com or discordapp.com email addresses. They will not use the platform to recruit you.
Dealing with Threats & Doxxing Attempts
With the vast array of search tools and information readily available online, almost anyone can be a doxxing victim. If you have ever posted in an online forum, signed an online petition, or purchased a property, your information is publicly available. Through public records, databases, and other repositories, large amounts of data are readily available to anyone who searches for it.
Cybercriminals and trolls can be incredibly inventive in how they doxx you. They might start with a single clue and follow it until your online persona is progressively unraveled and your identity is revealed. You must be hyper-aware of what personal information you share online and be cautious when divulging information about yourself.
If private information about you is revealed online through Google searches and you happen to live in the EU or Argentina, you have the right to be forgotten. Similar rights are given to people in the United States, although not to the same extent. We generally encourage you to check resources such as HaveIBeenPwned to see whether or not your data has been a part of any big leaks.
If you want content about you to be removed from Google, refer to this Google Troubleshooter. Sharing these resources or posting them within your Discord server can prove to be a valuable asset to your members, forestalling possible doxxing attempts or threats. Another great resource is the COACH tool which helps you lock down your identity by portioning the basics of online security into bite-sized, interactive, easy-to-follow guides.
If you are concerned you are at a high risk of being doxxed, you can consider setting up Google Alerts to monitor possible doxxing attempts. If sensitive or private information has been leaked online, you can submit requests to have that content removed by using the following guides: Removing Content From Google or Remove Your Personal Information From Google.
Best Practices of Cybersecurity on Discord
Keeping your Discord login credentials and account token safe and secure is vitally important to ensure your own account safety when moderating an online community. Even with proactive measures such as 2-Factor-Authentication (2FA) in place, scammers can still get access to your account with your account token, so evading common phishing attempts and utilizing the vast amount of resources available to spot scams becomes increasingly important for moderators. Discord released an article about keeping your account safe and sound with 2FA, which is an excellent resource to read or refer to.
Ensuring that server permissions are set up correctly is also essential to combat illicit links and other variations of phishing and scamming attempts. It is important to double-check your permissions when making new categories or channels inside your server, as moderators discuss sensitive and private information inside locked moderation channels. If you need a refresher on how permissions work, check out this article here.
Bots are potent tools that moderators and community builders use daily to help moderate and spark community interest via events and games. However, bot accounts differ slightly from regular user accounts: they are capable of performing actions much faster than a regular user and are allowed to obtain message and user data from your server quickly.
Knowing what permissions bots and bot roles are given is essential to developing a safe community, helping ensure the safety of all its members and its moderators. A malicious bot can wreak havoc within servers very quickly by mass-deleting categories, exposing private channels, sending scam messages, and abusing webhooks. We heavily recommend researching any bot before adding it to your server.
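One way to research a bot before adding it is to read the permissions its invite link requests. The following is an added example, not Discord's or the article's own code: it assumes the usual invite URL shape with permissions and scope query parameters, uses a constructed client_id, and the risk notes and function names are this example's own.

```python
from urllib.parse import urlsplit, parse_qs

# Bit positions follow Discord's documented permission flags;
# the risk notes are this example's own wording.
HIGH_RISK = {
    3: ("ADMINISTRATOR", "bypasses every channel restriction"),
    4: ("MANAGE_CHANNELS", "can delete categories and channels"),
    5: ("MANAGE_GUILD", "can change server-wide settings"),
    17: ("MENTION_EVERYONE", "can ping all members at once"),
    28: ("MANAGE_ROLES", "can hand out roles that unlock private channels"),
    29: ("MANAGE_WEBHOOKS", "can create, edit and delete webhooks"),
}

def audit_invite(url):
    """Return (problems, risky) for a bot invite link.

    problems: reasons the link itself looks wrong.
    risky: names of high-risk permissions the link requests.
    """
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    problems = []
    # Assumption: only https://discord.com is accepted as the invite host.
    if parts.scheme != "https" or parts.hostname != "discord.com":
        problems.append("not an https://discord.com link")
    if "bot" not in query.get("scope", [""])[0].split():
        problems.append("scope does not include bot")
    raw = query.get("permissions", ["0"])[0]
    if not (raw.isascii() and raw.isdigit()):
        return problems + ["permissions is not a decimal integer"], []
    bits = int(raw)
    risky = [name for bit, (name, _) in sorted(HIGH_RISK.items())
             if bits >> bit & 1]
    return problems, risky

def report(url):
    """One line per finding, ready to paste into a moderator channel."""
    problems, risky = audit_invite(url)
    notes = {name: why for name, why in HIGH_RISK.values()}
    return problems + [f"{name}: {notes[name]}" for name in risky]

# Constructed invite link: placeholder client_id, permissions=8.
SAMPLE_INVITE = ("https://discord.com/oauth2/authorize"
                 "?client_id=000000000000000000&permissions=8&scope=bot")
```

An empty result from report() means only that none of the listed high-risk permissions were requested; the bot's role can still be edited after it joins, so re-check the role in server settings.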
When reporting content to Discord, you might hesitate and think to yourself, is this worth reporting? Please know that all reports made in good faith are worth reporting to Discord. Moderating on Discord is an integral part of the platform. User safety is the number one priority for Discord, and that especially includes moderators, as they help keep your community safe.
There are a lot of resources to draw from to ensure you moderate safely and securely. Practice good cybersecurity by having good antivirus and malware detection programs and strong passwords. Differentiate between your “real” self and online persona to minimize doxxing opportunities. Check suspicious links and websites through online tools to make sure they aren’t malicious. If you or one of your community members are doxxed online, there are proactive and reactive measures that can be taken to ensure your account security. Figure out what sort of content was leaked, report it to Discord’s Trust & Safety teams, and submit relevant removal requests such as Google’s removal tools.
We hope these tips help you in your moderator journey!