February 3, 2022

Protecting Against Scams on Discord

So you’re about to click the link to join that server and grab that sweet, new drop. But you notice something’s not right. The link looks right but something seems…off. You notice their speaking patterns aren’t the most human. They claim you did things you know you have never done. They seem in a rush and are warning you that you gotta get in on what they’re offering fast or you’ll lose out. They never posted in any of your mutual servers, or don’t even share mutual servers with you, but they want to speak to YOU.

You might have heard about scams like this happening on Discord recently. Or it might have even happened to you. You're not alone, and it’s not just Discord—the FTC says online scams surged in 2021. Our mission has always been to make Discord the best place on the internet for people to find belonging and we’re amazed to see all the different interests that have brought communities together, from study sessions to NFT drops, and even houseplant care. But we’ve also seen some unfriendly characters try to exploit those communities.

So we want to share some of the additional measures we’re taking on our end and go over ways you can protect yourself and others on Discord. You may already know some of these tips and tricks, but a refresher never hurts.  

This is in no way an exhaustive list. It’s an unfortunate reality that bad actors online will change and evolve their tactics, but so can you. We encourage you to check in with your existing internet safety skills and incorporate the following practices in your online habits if you haven’t done so already.

While we hope you take the time to read the finer details below, we also wanted to provide a TL;DR, some cliff notes to keep in your back pocket:

For everyone:

  • Don’t click links from unknown senders or that look suspicious.
  • Don’t download programs or copy/paste code you don't recognize.
  • Don’t give your password to anyone!
  • Never share or screenshare your authorization token. Seriously. Don't do it.
  • Don’t scan any QR codes from people you don’t know or those you can’t verify as legitimate.
  • Enable 2-Factor Authentication to keep your account as safe as possible. Check out our 2FA blog for more details on getting this set up.
  • Consider restricting who can DM with you. You can learn how to do this here.

For server owners and mods:

  • Audit your server Permissions, especially for higher-level tools like webhooks.
  • Keep your official server invites updated and visible across all your platforms when any changes are made, especially if the majority of your new server members come from communities outside of Discord.
  • Again, don’t click suspicious or unknown links! If your account gets compromised, it can have greater effects on communities you moderate.

We are always working behind the scenes to keep Discord safe, but we need your help too! Here are two safety checklists and another article listing common scams to brush up on your defenses—help us make these tips common knowledge for everyone!

Internet Safety Checklist

Internet Safety doesn’t have to be exhausting. Below are some simple but effective ways to make sure you’re on guard against any potential ne’er-do-wells in your DMs, and even outside of Discord.

Only Open Trusted Links from Those You Know

This may feel like a given, but a surprising number of security issues stem from people clicking on links before checking if they’re the real deal. Always double-check a link before you click it: link-shortening services can easily mask unsafe websites or programs. We recommend checking it against a resource like VirusTotal to see if someone has already flagged it as potentially dangerous.

In addition, Discord has its own systems in place to remove malicious links and we’re constantly evolving those systems.

Image caption: Note the misspelling in the URL, "dliscordnltro.com."
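The checks above (is the domain really Discord's, is it a one-typo lookalike like the "dliscordnltro.com" example, or is it a shortener hiding the real destination) can be scripted before anyone clicks. The following is an added example written for this page, not Discord's own tooling. It assumes a short, illustrative allowlist of official domains and a short list of shorteners (both are assumptions to extend for real use), and it uses a naive "last two labels" rule for the registrable domain, where a real tool would consult the Public Suffix List.

```python
"""Lookalike-link checker (added example; not Discord's code)."""
from typing import Optional
from urllib.parse import urlsplit
import urllib.error
import urllib.request

# Assumptions: illustrative allowlist and shortener list, not complete.
OFFICIAL_DOMAINS = {"discord.com", "discord.gg", "discordapp.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
BRAND = "discord"


def hostname(url: str) -> str:
    """Return the lower-cased host the browser would actually connect to.
    Using the URL parser matters: 'https://discord.com@evil.io/x' connects
    to evil.io; the 'discord.com' part is just userinfo."""
    if "://" not in url:
        url = "https://" + url  # bare 'discord.gg/abc' pasted from chat
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Naive: last two labels. A real tool should use the Public Suffix List
    so that 'evil.co.uk' is not reduced to 'co.uk'."""
    return ".".join(host.split(".")[-2:])


def fuzzy_substring_distance(needle: str, haystack: str) -> int:
    """Smallest edit distance between `needle` and ANY substring of `haystack`
    (Sellers' algorithm: the first DP row is all zeros, so a match may start
    anywhere for free). 0 = brand appears verbatim, 1 = one inserted, dropped
    or swapped character, e.g. 'dliscord' or 'dlscord'."""
    prev = [0] * (len(haystack) + 1)
    for i, nc in enumerate(needle, start=1):
        cur = [i] + [0] * len(haystack)
        for j, hc in enumerate(haystack, start=1):
            cost = 0 if nc == hc else 1
            cur[j] = min(prev[j] + 1,          # drop a needle character
                         cur[j - 1] + 1,       # insert a character
                         prev[j - 1] + cost)   # substitute or match
        prev = cur
    return min(prev)


def assess_link(url: str) -> dict:
    """Classify a pasted link. 'unknown' is not 'safe'; it just means the
    host neither matches the allowlist nor imitates the brand."""
    host = hostname(url)
    reg = registrable_domain(host)
    distance = fuzzy_substring_distance(BRAND, host)
    if reg in OFFICIAL_DOMAINS:
        verdict = "official"
    elif reg in SHORTENERS:
        verdict = "shortened"   # destination hidden: expand before trusting
    elif distance <= 1:
        verdict = "lookalike"   # brand (or a one-typo variant) on a non-official domain
    else:
        verdict = "unknown"
    return {"host": host, "registrable": reg,
            "brand_distance": distance, "verdict": verdict}


def peek_redirect(url: str, timeout: float = 5.0) -> Optional[str]:
    """Ask a shortener where it points WITHOUT following the redirect or
    opening it in a browser: one HEAD request, return the Location header.
    Needs network access, so it is not exercised by the offline checks."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # refuse to follow; urllib then raises HTTPError
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.headers.get("Location")


if __name__ == "__main__":
    # Constructed sample links, including the misspelled domain from this page.
    for link in ("https://discord.gg/abc123", "http://dliscordnltro.com/gift",
                 "https://discord.com.evil.io/nitro", "https://bit.ly/3abcXYZ"):
        print(link, "->", assess_link(link)["verdict"])
```

A "shortened" verdict is a prompt to resolve the link (peek_redirect does that with a single HEAD request and no browser) and run assess_link again on the destination; a "lookalike" verdict should simply be reported rather than visited. Note that "discourse.org" scores a distance of 2 and stays "unknown", which is why the threshold is 1: it catches one-character swaps without flagging every word that shares a prefix with the brand.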

Don’t Download Programs or Run Code You Don’t Recognize

It’s not advised to download and run software that doesn’t come from a reputable source. Downloading and running programs that someone sends you unprompted is almost always a bad idea.

If a person claiming to have “special access to features” or new software says they need you to run something on your own computer, they’re misleading you in order to get your personal info with their shady programs. If it sounds too good to be true, it probably is.

Never Give Your Password to Anyone

There’s no reason to give it up, ever. Sharing your password not only gives away access to your account but also exposes any personal information you have tied to that account — and potentially any website where you use that password — making you vulnerable to more than just a single account takeover.

Discord Safety Checklist

The above tips can be applied anywhere on the internet! Next, we'll share some Discord-specific tips to ensure you can be vigilant against baddies targeting your account or community:

Decide Who Can and Can’t Send You DMs

Disabling DMs for a particular server is one of the best ways to prevent bad apples hiding inside larger communities from contacting you.

To adjust who can and can’t DM you, head into User Settings > Privacy & Safety, then scroll down to “Server Privacy Defaults.” From there, you’ll find the option to “Allow direct messages from server members.”

Feel free to adjust it as you wish, but do note that this new state only applies to servers joined after changing the toggle; it won’t retroactively affect your existing servers.

If you turn this option off, members of newly-joined servers can’t contact you via DM unless you’re friends with them beforehand. Receiving mail might be nice, but receiving suspicious messages from people you don’t know is less nice.

If you're in a server you trust and don’t mind being messaged by those in it, you can toggle the privacy setting on an individual basis. Head to that server on desktop or mobile and select its name to open the server's settings, and choose “Privacy Settings.” Once there, you’ll find the “Allow direct messages from server members" option. Turn that on, and you’re free to receive all sorts of DMs from everyone in that server, regardless of if you’re friends or not!

If you’ve joined a lot of communities, consider auditing the list and deciding, server by server, whether you’re comfortable letting non-friends message you from it, or whether opening up is inviting unnecessary risk into your inbox.

Audit your Server’s Permissions

Understanding which permissions your mods and members have access to is key to keeping everyone within it safe. If you're a server owner, have you checked your permissions list lately? Who has what perms? Did you know they had that access and for how long?

If the answer to any of these questions was a resounding :shrug_emoji:, it’s time to do a review of your server setup to ensure that only those who really need powerful permissions have them.

Specifically, make sure that only moderators you trust have access to permissions that can change powerful server tools, including any bots or webhooks you might add to the server. Be vigilant for bots that are impersonating larger well-known bots.

A large, reputable moderation bot almost never needs the Administrator permission to work properly. Only give a bot the permissions required for the tasks you need and no more, and look for a Verified checkmark on a well-known bot before adding it.
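A bot invite link carries the permissions it asks for as a single integer in its `permissions=` query parameter, so the "only what it needs" rule can be checked before clicking Authorize. The following is an added example, not Discord's own tooling or any particular bot's code. The bit positions are the ones published in Discord's API documentation (a subset is listed); the "high risk" grouping and the task-to-permission map are this example's own judgement and are assumptions to adapt to your server.

```python
"""Audit the permissions a bot invite requests (added example; not Discord's code)."""
from typing import Dict, Iterable, Set
from urllib.parse import parse_qs, urlsplit

# Bit positions from Discord's public API documentation (subset).
PERMISSIONS: Dict[str, int] = {
    "CREATE_INSTANT_INVITE": 1 << 0,
    "KICK_MEMBERS": 1 << 1,
    "BAN_MEMBERS": 1 << 2,
    "ADMINISTRATOR": 1 << 3,
    "MANAGE_CHANNELS": 1 << 4,
    "MANAGE_GUILD": 1 << 5,
    "VIEW_AUDIT_LOG": 1 << 7,
    "VIEW_CHANNEL": 1 << 10,
    "SEND_MESSAGES": 1 << 11,
    "MANAGE_MESSAGES": 1 << 13,
    "READ_MESSAGE_HISTORY": 1 << 16,
    "MENTION_EVERYONE": 1 << 17,
    "MANAGE_NICKNAMES": 1 << 27,
    "MANAGE_ROLES": 1 << 28,
    "MANAGE_WEBHOOKS": 1 << 29,
    "MODERATE_MEMBERS": 1 << 40,
}
KNOWN_MASK = sum(PERMISSIONS.values())  # bits are distinct, so sum == OR

# Assumption: permissions that let a malicious or compromised bot take over
# or wreck a server. This grouping is the example's judgement, not Discord's.
HIGH_RISK = {"ADMINISTRATOR", "MANAGE_GUILD", "MANAGE_ROLES", "MANAGE_WEBHOOKS",
             "MANAGE_CHANNELS", "BAN_MEMBERS", "MENTION_EVERYONE"}

# Assumption: hypothetical task -> minimum permissions map for a moderation bot.
TASKS: Dict[str, Set[str]] = {
    "delete_spam": {"VIEW_CHANNEL", "READ_MESSAGE_HISTORY", "MANAGE_MESSAGES"},
    "timeout_members": {"MODERATE_MEMBERS"},
    "kick_members": {"KICK_MEMBERS"},
    "post_warnings": {"VIEW_CHANNEL", "SEND_MESSAGES"},
}


def decode_permissions(mask: int) -> Set[str]:
    """Names of every known permission bit set in `mask`."""
    return {name for name, bit in PERMISSIONS.items() if mask & bit}


def audit_invite(url: str) -> dict:
    """Pull permissions= and scope= out of an OAuth2 authorize URL and report
    what the bot would get, with the dangerous parts called out."""
    query = parse_qs(urlsplit(url).query)
    mask = int(query.get("permissions", ["0"])[0])
    scopes = query.get("scope", [""])[0].split()
    granted = decode_permissions(mask)
    return {
        "mask": mask,
        "scopes": scopes,
        "granted": sorted(granted),
        "high_risk": sorted(granted & HIGH_RISK),
        "administrator": "ADMINISTRATOR" in granted,
        "unlisted_bits": mask & ~KNOWN_MASK,  # outside this subset table: look them up
    }


def least_privilege_mask(tasks: Iterable[str]) -> int:
    """Smallest permission integer that covers the listed tasks."""
    mask = 0
    for task in tasks:
        for name in TASKS[task]:
            mask |= PERMISSIONS[name]
    return mask


def excess_permissions(requested_mask: int, tasks: Iterable[str]) -> Set[str]:
    """What the invite asks for beyond what the tasks actually need."""
    return decode_permissions(requested_mask) - decode_permissions(least_privilege_mask(tasks))


if __name__ == "__main__":
    # Constructed invite link: permissions=8 is ADMINISTRATOR alone.
    link = "https://discord.com/api/oauth2/authorize?client_id=123456789012345678&permissions=8&scope=bot"
    report = audit_invite(link)
    print("asks for:", report["granted"], "high risk:", report["high_risk"])
    print("needed for spam cleanup + timeouts:",
          least_privilege_mask(["delete_spam", "timeout_members"]))
    print("excess:", excess_permissions(8, ["delete_spam"]))
```

If `high_risk` is non-empty, or `unlisted_bits` is non-zero, read the bot's documentation for why before authorizing; a bot that only deletes spam and times out members needs four bits, not Administrator. The same decoding applies to the permission integers shown for roles in the server settings, so it can double as a quick audit of what your moderator roles actually hold.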

If you need a refresher on how permissions on Discord work, you can check out the Help Center article here. If you have a basic understanding of the permissions system and want a more comprehensive look at what they mean in a moderation sense, we also have this article from the Discord Moderation Academy.

Keep Invite Links Updated

If you update your server’s links, make sure that your community and potential newcomers are aware of the changes and update any social media pages where you shared them. If possible, delete references to old invite links and make it known that those links have been updated.

This goes double for Partnered, Verified, or Level 3-boosted servers that use a vanity URL: if your server loses or changes its custom invite link, nefarious communities may swoop in and claim the old one. If that happens before you update your public-facing invites, people trying to join your community may instead land in a server that’s looking to cause trouble.

In addition to updating existing links, consider implementing easy-to-follow community rules around invite sharing and encouraging members to always verify where a server invite leads and who it is coming from before clicking it.

Pro Tip: Try pasting one of those invites to a Discord message to preview where it leads to before opening it! (But of course, don’t make your invite testing look like a spam message by pasting a random invite in #general.)

Why Would Someone Want Access to My Account?

If someone gains control of your Discord account, they will have as much control over it as you do: they’ll be able to change your username, password, the email tied to the account, and any other information associated with it.

They’ll also be able to see any personal info associated with your account once they’re in it. While most consider “personal info” to be payment info or email, it can also contain your private conversations and messages in DMs and servers alike. If you can see it, they’ll be able to see it.

In any server you own, they can act as its new owner and make any changes they want: from server layout to server permissions, to bots and webhooks, to kicking everyone out of the server, you name it. If your account moderates a server that a hacker is targeting, they might even use you as a stepping stone to cause further damage within the community, or impersonate you to trick unsuspecting members.

Some users may also target Discord accounts that have unique profile badges that are no longer available, such as the Early Supporter or Early Verified Bot Developer badges. If you have one of these unique badges, you should be extra-vigilant with your account.

If your account is taken over and the hacker changes the password, there isn’t much you can immediately do to stop them. However, if you have 2-Factor Authentication enabled on your account, the hacker will also be required to provide a 2FA code to change your password. We strongly recommend enabling 2FA, and you can learn how in our 2FA blog post.

Reporting what happened to Discord can help you regain ownership of your account, which can be done here — let us help you!

Additional Reading: Common Scams

We’ve created an additional blog post describing the types of scams floating around on Discord, which you can check out to familiarize yourself with signs that you may be dealing with a hacker who needs to be blocked:

Common Scams and What to Look Out For

We recommend sharing it with larger communities that may benefit from this knowledge.

With these recommendations in your pocket, you’ll be better able to foil any potential digital threats. Just like with keeping your IRL-self healthy and whole, taking preventative measures can keep your virtual self safe and secure.

Stay safe out there!
