Most everyone on Discord has seen this message, or a similar one, desperately warning everyone of a devious hacker who can destroy your account, all your friends' accounts, and all your servers with a mere friend request. Terrifying stuff, especially if you, like me, spend hours a day fulfilling most of your social needs over Discord.
Luckily, this kind of attack is completely impossible! This is a very old copypasta, which has been going around on other sites for decades and was adapted for Discord by someone who finds it amusing to scare people with limited expertise in computer science.
But there's no denying that accounts do get hacked. Scams and spam go around all the time. So how do they work, and how can you possibly protect yourself from nefarious hackers aiming at your Discord account?
That's what I aim to help with here! I'll be going over all the Discord scams I'm familiar with, how to protect yourself from them, and sometimes how you can change your habits to keep your friends safe too.
Everyone likes video games! Even better if you get to be one of the first beta testers of a new multiplayer game that sounds SO COOL.
The goal of this scam is to take over your Discord account, and possibly install keyloggers or other malware on your computer.
Typically the scam will be run by a person using an account that has already been hacked. They will often express that they'd like to become friends, but if you have a previous message history with the person who owned the account, they may roleplay as someone you already know!
The hacker, posing as the original owner of the account, will take one of two approaches: either they'll ask you to beta test a game they're making, or they'll ask you to play a cool new multiplayer game with them. Whichever method they go for, they'll send you a link to download the game.
The website will be slick and describe a number of cool features. However, there will often be some subtle grammatical mistakes. There is usually a section describing why you should play, and it will usually mention an enticing bug bounty and/or a free key for all beta players to get the full game once it releases.
Naturally, that kind of deal really is too good to be true.
If you catch on and express to your presumed friend that something feels off, they'll reassure you that it's totally safe. You can scan everything with your antivirus, after all.
The download link will download a seemingly ordinary zip file. If you scan it with your antivirus, it will indeed come back clean. You will have to enter a password to unzip it, which your friend will happily provide. If you express suspicion, they'll explain that it's normal for this kind of beta test so they can restrict access to the files, or come up with some other believable excuse. And then, when you unzip the file, you will discover too late that it was malware after all!
What gives? Is your antivirus defective? Well, as it turns out, this is the real reason the file is password-protected. A password wouldn't do any good if you could find out what was inside without it, so the file is encrypted. This means your antivirus can't see what's inside until after you enter the password and thus decrypt the file. And there's no getting around that; the encryption is really important for the types of files it was designed for. You don't want just anyone to be able to see sensitive information like birth certificates or embarrassing photos!
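You can see this for yourself without unzipping anything. The following is an added example, not part of the original article: it reads only a ZIP file's index and reports which entries are encrypted (and so unreadable to a scanner) and which have executable-looking names. The function names and the harmless sample archive are constructed for illustration.

```python
import io
import struct
import zipfile

ENCRYPTED_FLAG = 0x1  # bit 0 of the ZIP general-purpose flags: entry is encrypted
RISKY_SUFFIXES = (".exe", ".scr", ".bat", ".cmd", ".msi", ".js", ".vbs", ".lnk")


def triage_zip(data: bytes) -> list[dict]:
    """Describe each entry using only the central directory; nothing is extracted."""
    report = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            report.append({
                "name": info.filename,  # names usually stay readable even when contents are encrypted
                "encrypted": bool(info.flag_bits & ENCRYPTED_FLAG),
                "risky_name": info.filename.lower().endswith(RISKY_SUFFIXES),
            })
    return report


def unscannable(report: list[dict]) -> list[str]:
    """Names of entries whose contents a scanner cannot read without the password."""
    return [entry["name"] for entry in report if entry["encrypted"]]


def build_constructed_sample() -> bytes:
    """Constructed sample: a harmless ZIP whose second entry is marked as encrypted.

    Python's zipfile cannot write encrypted archives, so the flag bit is set
    directly in the second central directory record (flags sit at offset 8).
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("readme.txt", "placeholder text")
        archive.writestr("CoolGameBeta.exe", "placeholder, not a real program")
    raw = bytearray(buf.getvalue())
    first = raw.find(b"PK\x01\x02")
    second = raw.find(b"PK\x01\x02", first + 4)
    flags, = struct.unpack_from("<H", raw, second + 8)
    struct.pack_into("<H", raw, second + 8, flags | ENCRYPTED_FLAG)
    return bytes(raw)


if __name__ == "__main__":
    for entry in triage_zip(build_constructed_sample()):
        print(entry)
```

An entry that is both encrypted and has an executable-looking name is exactly the case where a "clean" scan result tells you nothing.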
Don't download games from unfamiliar websites, especially if someone is DMing you the link when they've never mentioned this game to you before. And never unzip a file that requires a password unless you are 100% sure it's safe. Anyone can fall for a scam like this, and that means anyone can turn out to be the scammer in disguise, even your best friend! If you're not sure, you can always ask them to answer something that they would know, but that nobody else could find out by reading your message history.
The biggest thing you can do is to not fall for this scam yourself, and let your friends know about it if it looks like someone might be pulling it on them. But there are some good habits that might make it harder to trick your friends if someone does manage to hack your account. If you're the type of person to share links to cool games, you can stream yourself playing for a while when you send it, or even a day or two beforehand, rather than expecting people to click the link and download things right away. And if you're the type of person to share games you've made yourself, then on top of streaming, make sure you upload everything to trusted sources like itch.io so your friends can get your game there.
If you have your Discord username linked on your Steam page, you may sometimes get a mysterious friend request, followed by a message like this one:
The goal of this scam is to get access to your Steam account details, payment information, or both.
Typically the scam will be run by one person with two accounts, although occasionally two people may work together.
The first account to message you will usually start with awkward greetings, like any person who needs to message a stranger for the first time. Once you respond to them, they'll send a message like the one in the image above, asking if you're the owner of your Steam account. Once you confirm that you are, they will inform you that someone has been impersonating you while they scam people! How terrible! The person will go on to say that this impersonator scammed them, either in a game or in the Steam marketplace, and that they accidentally reported you to Steam instead of the scammer, and had all their friends dogpile you with reports too. Sometimes this story will be swapped for some other nefarious action you've been mistakenly reported for.
They will apologetically tell you that they contacted Steam support right away to try to correct their mistake, but that the Steam administrator they've been talking to just hasn't been willing to listen and needs to talk to you too in order to get everything sorted out. Sometimes, they'll have a fairly well-photoshopped screenshot of the official correspondence from the Steam administrator.
They will go on to give you the contact info for the administrator so that you can reach out and prevent your account from being banned. This will almost always be another Discord account, sometimes paired with the option to message them on Steam or some other site instead.
Once you reach out to this second account, they will pose as the Steam staffer threatening to ban or otherwise restrict your account. The methodology varies, but they will often have you suffer through a long, stressful voice call, and they will nearly always give you a frighteningly short deadline to take the action they want, such as providing your login information or making a large payment.
Of course, the truth is, the person you're talking to is just a scammer and has no power to do anything at all to your Steam or Discord account -- as long as you haven't given them any of your passwords.
Luckily, this scam is easy to recognize long before it causes any problems for you. If your Steam account was actually facing corrective action, you would get an email from Steam! Real Steam staff will never try to resolve a real account issue over Discord, and they will always contact you directly over email rather than getting some poor mistaken reporter to put you in contact with them. You can safely stop talking to a scammer as soon as they ask whether you're the owner of your Steam account, but if you think there's some chance someone is asking for a legitimate reason, the false report sob story is a dead giveaway. Just ignore them!
There's not a lot you can do to preemptively prevent people from falling for this scam. It's pretty similar to the calls your Grandma gets from scammers pretending to be the IRS; if someone mentions that they've been falsely reported on Steam and the Discord support is stressing them out, make sure to tell them it's a scam!
If you have the chance, it's always a good idea to report these scammers to Discord Trust & Safety. There will always be more scam accounts, but you might as well help get rid of the ones they're using right now!