Can You Get Scammed on Discord?
An enticing invitation to access the exclusive features and perks of Discord Nitro can be hard to refuse — but most such offers are traps. Discord scams often open the floodgates that lead to cryptocurrency or non-fungible token (NFT) theft.
In May 2022, hackers impersonated the NFT marketplace OpenSea and hijacked the company’s Discord server [*]. The hijackers advertised the chance to get a free NFT from a new project, urging users to connect their wallets.
Several members of the OpenSea Discord channel were blindsided by this scam. Once they connected their wallets, they inadvertently exposed their NFT accounts. Instead of receiving free NFTs, the victims had valuable NFTs stolen as the fraudsters procured $20,000 worth of digital assets. So, yes, the tendrils of Discord could entrap anyone.
How Do Discord Nitro Scams Work?
- Extra Nitro giveaways
- QR codes to redeem free Nitro
- Nitro phishing emails
- Non-system-tagged Nitro bots
- Discord-Steam scams
Despite Discord removing over 27.7 million spam accounts between April and June of 2022, the platform is still menaced by crypto scams [*]. While these scams target users of all ages, younger users are more likely to trust unfamiliar people online and be misled.
1. Extra Nitro giveaways
One of the most common Discord Nitro scams starts with a direct message (DM) from an unknown contact, which includes an offer to join the paid service.
The scammers claim to have an extra Discord Nitro account that they are willing to give away freely. All you have to do is follow an embedded link.
When you click on the link, you land on a spoofed website. It might look like a real Discord login page, but it’s a classic con that displays a duplicate site. Scammers welcome any personal information you enter here, such as your Discord login credentials or credit card numbers.
How to spot the scam:
- You get an unsolicited DM from a bot or an unofficial Discord account impersonating a real company.
- The message includes an offer for free Discord Nitro.
- The link to receive the offer does not resemble a trustworthy Discord domain. Any domain other than “discord.gift” is fake.
2. QR codes to redeem free Nitro
Another variation on the free Nitro scam includes a QR code instead of a link with the offer. Such QR codes may seem innocuous at first glance, but they can purloin personal information and propagate malware.
Fake QR codes most commonly front for phishing websites, illegitimate apps, and nebulous payment pages. If victims oblige, hackers may take over their Discord accounts or force fraudulent payments.
How to spot the scam:
- You’re offered a free Nitro subscription from an unknown user. The announcement (and QR code) for a genuine offer will always come through Discord's official system messages.
- If you weren’t trying to log in to Discord but were redirected to a look-alike login page, this could be a scam. A legitimate Discord login page will have "discord.com" in the URL. If the URL is different, or if it is a shortened link, it could be a phishing attempt.
- You receive an email notification from Discord flagging a suspicious login attempt from a new device.
- Discord sends you in-app notifications when a new device tries to log in to your account. Navigating to a website that is not on Discord's list of authorized sites may also trigger a red flag.
- QR code scanners generally use checksum algorithms or digital signatures to verify the authenticity of a QR code. Microsoft Lens, for example, can scan QR codes to check whether the URL or other encoded information leads to a legitimate website.
3. Nitro phishing emails
Both Discord Nitro and NFTs are highly sought-after within the Discord community. Needless to say, most Discord-related phishing emails peddle free Nitro subscriptions and NFTs.
How to spot the scam:
- You receive emails from an unusual sender address, with someone claiming to represent an NFT marketplace or buyer.
- The alleged NFT creator does not have a verified badge on Discord. Malicious creators also tout fake NFTs on personal servers over legitimate marketplaces.
- Discord does not send unsolicited emails about NFTs or other virtual goods. Any such emails should be treated as potential phishing attempts.
4. Non-system-tagged Nitro bots
In July 2022, popular Twitch streamer Mizkif disclosed that his Discord server had been hacked. Scammers took over a powerful administrator profile, created a bot, and began spamming Mizkif’s online community of 55,000 people with offers of free upgrades to Nitro [*].
While Mizkif and his team reassured flustered server members, over 1,000 people clicked on the link from the bot — rendering their accounts vulnerable for takeover.
How to spot the scam:
- A popular server uncharacteristically becomes filled with bot messages that offer free Nitro.
- You may receive multiple DMs from a bot about securing free Nitro — however, Discord does not create giveaway bots that make this offer.
- The DM or public post on the server prompts you to click on a link. If you're curious about a bot, connect with the bot developer first before you engage.
5. Discord-Steam scams
The last of the most common Discord Nitro scams involves the video game digital distribution service, Steam. Scammers send messages to Discord users explaining that they can access new features through Nitro if they link their Discord and Steam accounts.
In another variation, these unsolicited messages may also claim that Steam is giving away three free months of Nitro.
If you click on the call to action in the message, a Steam pop-up ad appears. When you enter your Steam credentials, an error message then prevents you from going any further.
But behind the scenes of these Steam scams, you will have given scammers everything they need to steal your Steam account.
How to spot the scam:
- A quick Google search may confirm that there aren’t any such Discord-Steam partnerships that offer free Nitro.
- The offer’s URL does not resemble any official Discord domains. Hover above the link to see if the URL ends in “discord.com” or if it’s a suspicious-looking website domain that is similar to 1nitro.club, appnitro-discord.com, or steam-nitro.online.
- Clicking on the phishing link leads to a browser-in-browser attack. Scammers orchestrate this by simulating a web browser window within a web browser.
Other Types of Scams on Discord
Discord Nitro scams aren’t the only threats on this platform. Here are six more schemes that fraudsters conduct on Discord.
- Unsolicited messages from compromised accounts
- Attempts to steal your Discord token
- Phony NFT drops and crypto giveaways
- Discord staff impersonation
- Roblox-Discord scams
- Name-and-shame scams
1. Unsolicited messages from compromised accounts
Like Discord Nitro scams, many attempted cons start with an unsolicited message from another user. It could be a complete stranger, someone you haven’t chatted with in a while, or even a close friend. Scammers use hijacked accounts to try and trick their connections into clicking on malicious links.
How to spot the scam:
- Check to see if such messages are from unknown users who are new or unverified.
- Examine these DMs for poor spelling, grammar, punctuation, or unusual formatting.
- Also check to see if the link redirects to a shortened URL; these are often used to hide the actual destination of a link. Services like bit.ly, tinyurl.com, and others are commonly used to shorten URLs.
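The link checks given above for the Nitro, Discord-Steam and compromised-account scams (only "discord.com" and "discord.gift" are official, look-alike hosts such as 1nitro.club, appnitro-discord.com or steam-nitro.online are not, and bit.ly or tinyurl.com links hide their destination) can be written down as a small defensive filter. The following Python is an added example for this article, not code from Discord or Aura; the allowlist, bait words and sample DM are constructed for it, and it goes slightly beyond the article by also flagging two host-spoofing tricks it does not name: credentials placed before an "@" in the URL, and non-ASCII look-alike characters in the host.

```python
import re
from urllib.parse import urlsplit

# Official Discord hosts named in the article; any other host is untrusted.
OFFICIAL_DISCORD_HOSTS = {"discord.com", "discord.gift"}

# Shortening services named in the article; they hide the real destination.
URL_SHORTENER_HOSTS = {"bit.ly", "tinyurl.com"}

# Words scammers bake into look-alike hosts (constructed list for this example).
BAIT_WORDS = ("discord", "nitro", "steam")

# Rough matcher for links pasted into a chat message.
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+")


def _host_matches(host, allowed):
    """True if host is one of the allowed domains or a subdomain of one."""
    return any(host == a or host.endswith("." + a) for a in allowed)


def classify_link(url):
    """Return (verdict, reason) for a link found in a Discord DM.

    verdict is "official", "suspicious" or "unknown"; "unknown" only means the
    host is not a Discord domain at all, which still deserves caution.
    """
    has_scheme = "://" in url
    parts = urlsplit(url if has_scheme else "http://" + url)
    host = (parts.hostname or "").lower().rstrip(".")

    if not host:
        return "suspicious", "link has no host"
    if parts.username is not None:
        # https://discord.com@evil.example/ displays "discord.com" but goes to evil.example
        return "suspicious", f"text before '@' hides the real host {host!r}"
    if not host.isascii():
        # Homograph look-alike: a non-Latin letter standing in for a Latin one
        return "suspicious", f"host {host!r} contains non-ASCII characters"
    if _host_matches(host, URL_SHORTENER_HOSTS):
        return "suspicious", f"shortened link on {host!r} hides its destination"
    if _host_matches(host, OFFICIAL_DISCORD_HOSTS):
        if has_scheme and parts.scheme != "https":
            return "suspicious", "official host but the link is not https"
        return "official", f"{host!r} is an official Discord domain"
    if any(word in host for word in BAIT_WORDS):
        return "suspicious", f"look-alike host {host!r} is not an official Discord domain"
    return "unknown", f"{host!r} is not a Discord domain"


def scan_message(text):
    """Extract every link in a message and classify it; returns (url, verdict, reason) tuples."""
    results = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:!?)")  # drop trailing punctuation from the sentence
        verdict, reason = classify_link(url)
        results.append((url, verdict, reason))
    return results


# Constructed sample DM in the shape the article describes.
SAMPLE_DM = (
    "Hey! I have an extra Nitro sub, claim it at https://1nitro.club/claim "
    "or use the Steam promo https://bit.ly/3xyz. Real codes come from "
    "https://discord.gift/AbCd123."
)

if __name__ == "__main__":
    for url, verdict, reason in scan_message(SAMPLE_DM):
        print(f"{verdict:10} {url}  ({reason})")
```

Run it on the sample DM and the two bait links are reported as suspicious while the discord.gift link is reported as official. The allowlist is deliberately exact-match plus subdomain: a host like discord.com.evil.example ends with ".example", not ".discord.com", so it is caught by the bait-word rule rather than slipping through as official.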
2. Attempts to steal your Discord token
Whenever you log in to Discord, the platform sends a user authentication token to your computer. You can use this token to log in, or to issue API requests that will retrieve information about the account.
Hackers try to steal these tokens by using ransomware that runs rampant on Discord servers. These ransomware programs could be tucked away in phishing links or downloadable files that masquerade as free games, cheat codes, or copyrighted software.
Unfettered access to moderator or verified accounts arms threat actors for follow-on fraud.
In November 2022, BleepingComputer warned readers about a new cyber threat targeting Discord users. Similar to previous malware attacks on Discord, the AxLocker ransomware can quickly encrypt files and steal Discord account tokens [*].
How to spot the scam:
- You may see public posts or receive DMs from unknown users offering access to copyrighted software, hacking tools, or game cheats. Sometimes, these messages may also be disguised as official security warnings or updates from Discord.
- You may get DMs or emails containing images that don’t load properly — nudging you to click.
- The AxLocker ransomware can lock you out of your Discord account. Any personal files and documents on your device will also be encrypted. Your compromised account may then be used to disseminate more malicious links to your Discord contacts.
3. Phony NFT drops and crypto giveaways
If you want to buy, sell, or trade NFTs, you must first publish the digital assets on the blockchain. This process is known as minting and involves the use of webhooks — automated messages sent to your email address or phone number.
Scammers impersonate NFT artists, pretend to give away NFTs or crypto prizes, and use bogus webhooks to trick Discord users into sharing sensitive information, including cryptocurrency wallet details.
On April 1, 2022, Bored Ape Yacht Club warned users against minting anything from Discord because of compromised webhooks [*].
How to spot the scam:
- Someone asks you to promote their NFT. Typically, this will be a brand with which you’ve never had any prior interactions or encountered on social media.
- The person asks you to sign up on their website in exchange for a free NFT.
- After signing up, you’re sent a link that requests your wallet details. No legitimate giveaway will ever ask you for your private key or seed phrase.
4. Discord staff impersonation
Another common Discord scam is when a fraudster impersonates a Discord partner or representative, like a customer support team member. Under this guise, the fraudster can mislead you into sharing personally identifiable information (PII), such as your login credentials or credit card information.
How to spot the scam:
- Look for the Blurple tag that is present on all official communications from Discord. Official accounts will also display high levels of activity and have large numbers of followers.
- Official system messages block all chat input; the reply space is replaced with a unique banner.
- Scam messages tout entry to a Discord community initiative, like the HypeSquad.
5. Roblox-Discord scams
In November 2022, the YouTuber Kreekcraft exposed a group of Roblox hackers who stole over 100 million Robux from unwary Discord users [*].
Here, perpetrators create sock puppet accounts of high-value users and fake DM conversations that make it look like the victim is trying to scam people. The real scammer presents this doctored report to server moderators, who then ban the user.
At this point, the scammer contacts the victim and pretends to be a moderator who can lift the ban. The impersonator asks the victim to screen-share on Discord to prove their innocence, which exposes their Roblox login cookie and allows the scammer to hack the victim’s account.
How to spot the scam:
- You get banned from a server for inexplicable reasons or are accused of trying to scam other users.
- Someone claiming to be a moderator DMs you soon after you were banned, claiming they can unban you.
- The supposed moderator asks you to screen-share with them or share your Roblox authentication code or phone number.
6. Name-and-shame scams
In this phishing scam, hackers compromise a real account before sending messages to the user's contacts. As the messages appear to come from a trusted source, anyone who receives them may believe they are genuine communications.
All name-and-shame scams on Discord follow a similar script in which “the friend” accuses the victim of harassment or bullying. Scammers typically use the threat of public embarrassment or legal action to extort money or personal information from their victims.
How to spot the scam:
- The sender falsely accuses you of sharing illegal content or hacking or stealing personal information.
- The message contains an invitation to a server that purports to have exposed you. These server names tend to be provocative — such as "Discord Shaming" and "Hall of Shame."
- When you contact the sender through another medium, like WhatsApp or email, they most likely deny sending the message.
13 Steps To Protect Your Discord Account
A key factor leading to the rise of Discord scams is the lack of built-in parental controls on the platform.
With 22.2% of its user base between the ages of 16 and 24 — and potentially many younger gamers — parents and guardians have no way to manage or restrict the content children access on Discord [*].
Without close adult supervision, younger users are at risk of falling for Discord scams. Here are 13 steps you and your children can take to keep your Discord account safe:
- Learn how to identify Discord system messages. Discord system messages always have the "SYSTEM" badge in the member list, and you’ll see special text at the start of the DM informing you that it is an official message. Also, you can’t reply to system messages; there is a banner across the bottom of the message to block chat input.
- Log in using the official Discord website. This approach is safer than logging in via unsecured third-party sites using a Discord token.
- Enable two-factor authentication (2FA). 2FA makes it hard for hackers to compromise your account. Use apps like Authy or Google Authenticator, and add your phone number as a backup to receive 2FA codes.
- Use a strong password. Create unique, complex passwords for every online account. Aura includes a robust password manager with every plan to make it easy to manage and store all of your login credentials.
- Filter explicit content by using one of these settings:
  - Keep me safe: Discord scans images and videos in all direct messages and automatically blocks explicit content.
  - My friends are nice: Discord scans images and videos in all direct messages from users who aren’t your friends and automatically blocks explicit content.
  - Do not scan: Discord won’t scan any direct messages that you receive, so everything comes through unfiltered.
- Toggle off Direct Message (DM) settings. You can block DMs from specific users on any server, including anyone who isn't on your friends list.
- Enable friend request settings. Choose one of three settings:
  - Everyone: Anyone who knows your Discord tag can send you a friend request, even if they aren’t on a shared server with you.
  - Friends of Friends: Users must share at least one mutual friend with you before they can send a friend request.
  - Server Members: Any user on a shared server can send you a friend request.
- Do not click on suspicious links. It's best to avoid opening any links, apps, files, or QR codes that you receive from users whom you don't know and trust. If Discord or your computer warns you about any file or link, don't proceed.
- Protect your Discord credentials. Never share your passwords or seed phrases with anyone. It doesn’t matter if you think you’re talking to a Discord representative — genuine Discord staff members will never ask for your login credentials, wallet details, or token.
- Block malicious Discord users and servers. You can confirm a user’s identity by clicking on their name and checking their history on the server. Read through the messages to determine if it is a genuine human user. A lack of activity, or a barrage of messages with offers and links, indicates a scammer or malicious bot.
- Review and prune the servers you’ve joined. Staying connected to a range of old servers that you no longer access will leave your profile exposed to threat actors and spam bots. Prune servers regularly to reduce the risk of being targeted by Discord scams.
- Know how to respond in the event of an incident. To report an incident to Discord, provide the message link, any supporting screenshots, and related user IDs, message IDs, or server IDs. Access Discord’s Trust & Safety request center to submit your report. You can enter your email address, select a report type, and enter all three ID codes in the description field.
- Consider using a VPN. If you want your children to browse safely when gaming or messaging on Discord, it’s best to use a virtual private network (VPN). Aura has a built-in VPN with military-grade encryption to keep your online activities and private information hidden from hackers.
Safety Tips for Discord Server Owners: How To Reduce Discord Scams
Server owners create and enforce community rules, moderate content, and ensure server safety. If you (or your ward) are a server owner, consider these best practices.
Set clear rules for the server
Creating a pinned post — with clearly defined rules that every user must follow while on your server — is good practice.
You might deem specific topics unacceptable, such as politics, religion, or NSFW (not safe for work) content. As your server grows, don't hesitate to ban members who don’t abide by common server rules.
Set up member screening
With membership screening, all new members must read through your customized rules and confirm that they agree before joining your server. Adding this step to your onboarding makes it easy to reinforce your community mission and let every new member know how they are expected to conduct themselves on your server.
Review roles and permissions
You can assign three main roles on a Discord server:
- Administrators can change all server settings, create and delete channels, and manage members and messages.
- Moderators can mute, disconnect, and remove other members from the server. Their duty is to make chat and voice communications safe for all community members and to manage or expel users who violate the rules.
- Members are everyone else on the server. They can interact and chat with others on the server, provided they respect all server rules.
You can also create bots with administrative permissions to perform tasks such as banning members or pinging "@everyone" with an update.
Another permission-based feature is webhooks, which let you easily share content from third-party platforms like GitHub or Datadog.
Choose the right verification levels
With high verification levels, you can control who can send messages. Ultimately, this security measure helps protect your server from spammers and hackers.
Visit the Safety Setup section in your Server Settings to adjust the Verification levels:
- None: New members can start chatting immediately without restrictions.
- Low: Members must have a verified email on their Discord account to start chatting.
- Medium: Members must have a verified email, and their Discord account must be at least five minutes old before they can start chatting.
- High: Members must meet all previous requirements and wait at least 10 minutes after joining the server before they can start chatting.
- Highest: Members must include a verified phone number on their Discord account.
Turn on server-wide 2FA
Server-wide 2FA requires all moderators and administrators on your server to have 2FA enabled on their accounts. This requirement will protect your server from threat actors or attempted raiders who target your server.
As the server owner, you can enable the 2FA requirement for moderation in the Safety Setup section of your Server Settings (as long as you enable 2FA on your own account first).
Use the explicit content media filter
This setting automatically detects and deletes inappropriate images, videos, or uploads according to your custom choices.
Turning on this filter enables all server members to share content freely without you having to worry about explicit content being posted on public channels.
Keep server invite links up to date
Spam bots target users with invites to fake Discord servers. You should delete older invite links and create new ones periodically so that bots will have a harder time imitating your server’s links.
Don’t Fall for the Dark Side of Discord
Online scams are not a novelty, but fraudsters now have decentralized platforms in their crosshairs. Young children and teenagers with valuable digital assets are easy targets, and the anonymity and unregulated nature of blockchain-enabled platforms provide the perfect cover for scams.
To protect your online accounts and keep your children safe from Discord scams, consider signing up for Aura. Aura offers:
- Parental controls to filter content and limit screen time. Aura helps you manage what your kids can do online and monitor how they use apps.
- Antivirus software and a virtual private network (VPN) that allows your entire family to browse, connect, game, and share content online safely.
- A password manager that enables you to create and store unique, complex passwords for every online account.
- Family identity theft protection. Aura monitors your family members’ sensitive information to see if it has been leaked online. You’ll get alerts in near real-time if anyone is trying to ruin your child's credit or steal their identity.