Discord Scams & Protection

Fake login screens, QR codes, 2FA... There's a lot going on with social engineering on Discord. We'll help you identify these scams to keep yourself & others safe in this actively updated article!

Discord Scams & Protection

There's been a plethora of scamming/social engineering attacks that have plagued Discord over the past few years. This post will cover the most common scams and be constantly updated with new attacks as they occur. You should still read Discord's article on scams. All of the QR codes in this article link back to this article. You can navigate to a specific attack with the links (which you can right click & copy to share) below:

Best practices & advice

  • Never click a link you don't trust. If you visit a site, be sure to check SSL credentials & the domain name. Discord's official domains are: Discord.com, Discordapp.com, Discordapp.net, Discord.gg, Dis.gd, Discord.gift, Discord.store.
  • NEVER scan QR codes with your mobile app outside of the Discord login screen. As above, ensure the login screen is from the legitimate Discord.com site before scanning anything. Discord will never ask you to scan a QR code inside of the Discord app.
  • Enable 2FA and download your backup codes. 2FA will help you keep your account more secure from traditional username/password social engineering attempts. Avoid using SMS 2FA as if you're a high value target, this can be bypassed with enough effort.
  • Never download or run files you don't trust. Even opening a .zip archive can be dangerous. If someone sends you a file on Discord, always scan it with an anti-virus before doing anything with it. We recommend MalwareBytes as it has signatures for Discord-specific malware. Viruses can hide in .zip files, PDFs, EXEs, documents... Always scan files you've downloaded. (There are currently no known malicious exploits for common image formats like PNGs or JPEGs, more about that below).
  • Don't add random bots to your server. Only ever add reputable bots. There's a list of reputable moderation bots in this DMA article, though this doesn't encompass every reputable bot on Discord. Additionally don't authenticate with bots you don't completely trust. Your data could be misused, with prolific cases of this even including MEE6.
  • Use an anti-raid bot to catch botted users joining your server to scam your members. You can find recommendations in this article.
  • Discord will NEVER contact you via a DM through a bot or user account. You will only ever receive messages from Discord via system messages.
  • Just because someone is your friend, doesn't mean they're immune from scamming you. If you get a strange DM, or any DM like those listed below, from a friend; odds are they're compromised and propagating a scam.
  • There is no free nitro. There is no get rich quick crypto. You are not being exposed. You have not been invited to Discord's new programme.

You've been exposed

This scam plays on the recipient's insecurity that they've done something wrong/there are allegations about them. Upon joining they'll be met with a fake login scam or fake QR bot attack that will compromise their account, using it to further propagate these messages. If you ever recieve a random message purporting to expose you for something, do not join any servers.

Join this server

This scam is a precursor to the one above and also uses the fake QR bot attack in most cases. There has been an uptick in this scam using generic or NSFW server names to attempt to attract joiners. If a bot or user DMs you a random server link, question them & don't join. Alternately, they may have join DMs configured with a legitimate bot that will direct you to a fake login screen.

Discord mod/hypesquad/dev programme

This attack impersonates Discord, purporting to be a message from Discord about one of the various community programmes ran by Discord. In-the-wild examples include the Discord Moderator programmes, Hypesquad & fake beta test programmes. These impersonation attempts will usually link to an official Discord community for some authenticity, and contain a link to a malicious domain that impersonates Discord. Discord are actively trying to combat this with their link filters, but unfortuately these attacks often change domains faster than Discord can react to. There is a public bot that can detect these phishing accounts and ban them from your server, feel free to grab it here. Discord will only ever contact you through system messages on-platform.

Try my game

This attack centers around a user messaging you asking you to play/test a game. These games can be direct downloads or links to an itch.io or similar site. On downloading the game will appear to be normal or not work, but the game actually steals your Discord token and hijacks your account. These attacks are generally manual with a person on the other end socially engineering you, which can make this scam easier to fall for.

You've won crypto/nitro

This scam is quite an old one and has seen many iterations over the years. Generally this scam consists of a botted user DMing you to tell you that you've won something. The gift link will take you to a fake login page attack or there will be an invite link that contains a QR bot attack. There is no free nitro. Always keep track of what giveaways you've entered and NEVER ACCEPT RANDOM CRYPTO ASSETS OR GIVE OUT YOUR WALLET DETAILS.

Discord QR code attack

This attack consists of a message, usually from a fake verification bot, asking you to scan a QR code with your Discord mobile app. NEVER SCAN A QR CODE WITH THE DISCORD APP OUTSIDE OF THE LOGIN SCREEN. Discord will never ask you to scan a QR code inside of the app, in a message, via a bot. Additionally, Discord will never ask you to scan a QR code to claim nitro. The QR code is scraped from Discord's login system, and will allow an attacker to hijack your account.

Fake Discord login attack

This scam compromises accounts and is usually pointed to by social engineering attempts. It's a deceptive site that copies the Discord login screen nearly 1:1 and attempts to phish your login credentials from you. Always check the domain on links you click, never put your login credentials into a site somebody links you randomly. If you're unsure about a login screen, go to Discord.com and see if you're already logged in. If you are, the login screen is likely fake. The list of official Discord domains are:

  • Discord.com
  • Discordapp.com

Discord will only ever prompt a login on these domains.

Discord team invite attack

This scam is rather old at this point, and Discord have introduced measures against it, but compromised friends may still be able to employ this attack. This attack uses Discord's team system to send a message impersonating Discord over email. Discord will never contact you in this way to warn you. You will recieve a system DM or an email in the format in the bottom image. Accepting the invite will allow further steps leading to an application to performing actions on your account on your behalf.

Further reading for server owners/admins

Social engineering is a scary reality for server owners & admins. While you should follow the best practices listed above, there are some additional attack vectors & security considerations for those responsible for a community.

  • Security of least privilege. Only give Discord perms to those who explicitly need them at that time. The adminstrator permission is very dangerous to hand out and should be avoided wherever possible. The best way to think of this is, your mods should only have the perms they need to do their jobs, and admins should only have perms they need to do routine work. If your admins aren't making new channels daily, they don't need manage channels all of the time. A compromised admin is one of the biggest threats to your server.
  • Don't kneecap your moderation team. With the above in consideration, you still shouldn't deny your moderators the basic permissions they need to handle raids. Bots are not a solution here. Even very reliable bots can suffer from API issues. Bots like Wick are especially problematic if misconfigured as they can punish your moderation team for responding to time critical moderation.
  • Teach your moderation team about social engineering. Via this article or otherwise, you should strive to keep your moderation team up to date at all times.
  • Turn on the 2FA moderation requirement. This is a requirement for enabling Community, but is also just a good practice.
  • Keep a backup communication method with your moderation team so they can warn you if their account is compromised. Slack, TeamSpeak, Telegram... there's lots of good options here.
  • Always double check claims from people purporting to be your staff members, using an alt as their main has been disabled. This is also a case where the above tip is handy.
  • Don't keep webhook links/secrets or bot tokens in plaintext in any channels. This is an incredibly easy way for a compromised member of your team to cause a lot of damage.
  • Don't invite your entire staff team to teams that manage any custom moderation bots that run on your community, if compromised they can misuse these to attack your community.
  • Avoid making temporary invites for your community. Use a vanity or permanant invites on all official channels for your community. Once temporary invites expire, people can set a vanity to that invite & impersonate your community.

Fake scams/attacks

Finally, there are some fake 'viruses' or attacks that are commonly shared around in a kind of chainmail. Below is a list of these fake scams and explainations of them.

Fake virus image

This fake virus consists of an image that has code within its metadata. Windows Defender and a few other anti-viruses will detect this as a rather old virus signature. This is a false positive, as the code can't do anything unless you change the image to an exe then run it. You can't get a virus just by loading an image in Discord.

Loading image scam

This is actually a subset of the fake login screen scam, but it consists of an image URL that responds differently to the Discord embed unfurler than it does to real users. The link/image, when followed to the source, will just link to a fake login screen. Again, the image alone cannot do anything to you and is not a virus.

So, what next?

Bad news, this isn't it. This list of scams will be kept updated to the best of our ability but there will always be new scams. Follow best practices. Be skeptical & cautious. Keep your account secure. Use proper passwords. Use 2FA. Stay safe.