Discord Safety
This is in no way an exhaustive list. It’s an unfortunate reality that bad actors online will change and evolve their tactics, but so can you. We encourage you to check in with your existing internet safety skills and incorporate the following practices in your online habits if you haven’t done so already.
For everyone:
- Don’t click links that come from unknown senders or that look suspicious.
- Don’t download programs or copy/paste code you don't recognize.
- Don’t give your password to anyone!
- Never share or screenshare your authorization token. Seriously. Don't do it.
- Don’t scan any QR codes from people you don’t know or those you can’t verify as legitimate.
- Enable 2-Factor Authentication to keep your account as safe as possible. Check out our 2FA blog for more details on getting this set up.
- Consider restricting who can DM with you. You can learn how to do this here.
Common Scams
I was invited to join a program! Is this real?
Short answer: No, it's a phishing scam.
Long answer: If you receive a direct message where someone says you've won something or that you have a limited time to claim something or to join a project / program, they are likely scammers. Discord will only contact you through the e-mail you have linked to your account, using system messages or using in-app notifications such as deals/announcements appearing at the top of your client in a colored bar.
How do I know if a message is legit?
Discord's in-app messages will always include a System tag right next to the name, and you cannot reply to them.
Someone's claiming to be working for Discord, how can I tell if it's real?
Employees will have a Discord Staff badge on their profile. They will never reach out to you in DMs to ask for your account information or tell you to change your account info for verification purposes.
Fake Games, Programs, Videos or Downloads
In this situation, a user pretending to be your friend, or using a friend’s compromised account, reaches out asking you to check out their video, test a game they made, or practice running code they wrote. No matter the backstory, they’ll always ask you to download a program or click a link they provide, resulting in a malicious program entering your computer and/or compromising your account.
Another variation of this scheme involves a user asking you to “test” something for them, directing you to open the developer tools on your internet browser while logged into the web app. They’ll then ask you to show them your token — do not do this. With your token, malicious users can sign in and take over your account.
Discord will never ask you for your token, and you should never have any reason to open Discord’s Developer Console in the first place. Note that this is only applicable to Discord on your internet browser, and not the desktop or mobile application.
Fake Giveaways/NFT Drops
This is similar to the previous scheme in that it is, again, usually a trusted individual who DMs you. Sometimes it takes the form of a well-known bot, or of someone posing as an administrator for a server that you're active in. It may involve very genuine-looking links to websites as well. If it's too good to be true, it likely is.
Discord Impersonation for Partner/Verified/HypeSquad
Discord impersonation involves a hacker pretending to message you from an “official Discord account” and offering entry to one of our community initiatives, such as the HypeSquad or Partner programs.
This is nearly always fake. Below are two screenshots, both of which present themselves as official Discord-sent messages. However, of these two conversations, only the right screenshot is actually from Discord.
On the right, you can note the blurple “System” tag next to the sender’s name, as well as the Reply space being replaced with a unique banner that only official system messages come with.
The DM on the left does its best to be convincing though. It even sends an invite link to a real Discord-run server called Discord Testers and a somewhat-real-looking link to the supposed Discord Hypesquad form. Scammers will use a technique of mixing real Discord invite links (to public Discord servers usually) with their malicious links in order to portray legitimacy and lull you into a false sense of security.
If you suss out that a DM is a fake, report it as Spam using the red “Report Spam” button at the top of the DM.
This feature is one of many improvements that we’re working on to help identify and remove bad actors as soon as we’re aware of them.
Someone DM'd me that I won Nitro and it looks like the real thing!
Discord Nitro & Classic have special embeds where the option to claim Nitro is part of the embed and not a button below an image. When you click/tap on any part of the embed, you are redirected to the Nitro tab in your User Settings. For Desktop, the embed also changes its size when you resize your Discord and you can hover over the embed to see it react to your mouse movement.
I joined a server where they ask us to verify using a QR code, what should I do?
Never approve a QR code login that you didn't generate yourself! If you've been sent a QR code by someone else that opened the login verification screen, hit cancel right away. If you approve a login that wasn't yours by mistake, you can change your Discord password to log out all devices at once, including those you don't personally approve of. Most importantly, don't forget that any QR code login attempt needs to be approved before it goes through. Keep an eye out for that verification screen and never verify or approve a login that you didn't ask for.