Discord is the informal home of gamers around the world, giving us a place to hang out with friends near and far as well as join public servers to meet new teammates. Whether you're constantly in voice chat or prefer to lurk, most of us have a Discord account.
And now, it's not just gamers that have taken an interest in Discord! Non-gamers have flocked to the service, which isn't surprising when you consider how useful Discord is – anyone can cultivate an online fanbase, keep up with recent events, and use all the platform's intuitive communication features without paying a penny.
So, now Discord is home to gamers, streamers, artists, fan clubs, and even cryptocurrency enthusiasts.
Unfortunately, when large groups of people with a common interest gather on any platform, it piques the interest of cybercriminals. Discord is no stranger to scams, and a recent spate of incidents has us wondering what we can do to deter them – and prevent future ones. That's what I'll dig into in this post, and later on I'll dish out some Discord server security tips for members and owners alike!
What do Discord scams look like?
Like I said, Discord scams aren't a new thing for 2021 by any means. Shady characters have been rigging Discord bots to spam malicious links and beg for server invites for a long time. These cybercriminals prey on a user's curiosity; they'll get their bot to offer you something seriously tempting, like a free in-game item or even real-world currency. All the user has to do in return is add the bot to a server.
Obviously, it's a bad idea to take the bot up on any of its offers or requests. You won't actually receive that Fortnite skin or FFXIV mount, and the server you invite the bot into could be irrevocably damaged.
To see these patterns in action, you only have to turn back time to 2020 when a brace of scams hit the platform particularly rapidly. A bot, claiming to be an official Twitch bot, went out of its way to DM users and offer them a bunch of free Discord Nitro games if they invited it to the server. If someone invited the bot into their digital home-away-from-home, it'd run riot, DM'ing all the members of that server before deleting the channels. Nobody received any free games, either. Why? Well, because it was a scam… oh, and because Discord Nitro had been shut down the year before.
Discord itself was aware of the issue and claimed that it was 'working on long-term mitigations' to address the rising tide of bot spammers. One such change has already been implemented, in fact, and now you can click a bot's profile picture to see which servers you have in common – and therefore figure out which server the bot is messaging you from.
But bot scams haven't stopped, and they're arguably getting more sophisticated as Discord's communities continue to grow. This is all illustrated pretty clearly by the recent trouble in cryptocurrency servers.
A lot of us got really interested in stocks and cryptocurrencies in the last few months, and a lot of those conversations were happening on Discord in dedicated servers. It was plain to insiders and outsiders alike that there was, potentially, a lot of money to be made by investing in Bitcoin, Dogecoin, and Ethereum – and so enter the scammers, hoping to make a quick buck by targeting these exchanges.
The crypto scammers plainly took advantage of the high-intensity situation, and targeted members of cryptocurrency servers, pretending to represent legitimate trading platforms and offering free currency. The reasons for this oh-so-generous giveaway varied, but the scammers typically claimed to want to help new users get their slice of the Bitcoin pie, or said that they had to drop out of the market themselves and would rather their investments not go to waste.
Essentially, all of the scammers' victims were promised a Bitcoin payout.
And those promises seemed fairly legitimate. The wording was smooth, there was a smattering of emojis, and the Discord messages were all formatted thoughtfully. This is social engineering, and pretty common in phishing scams from elsewhere on the net – subtle techniques scammers employ to keep you from getting suspicious.
After all, if you're suspicious, you're not going to click the link in the message, and that's exactly what the scammer wants. The cryptocurrency scam messages contained a link that led to an incredibly authentic-looking site. It looked good, it looked real, with nice graphics and professional presentation. There were even report notes, technical support and two-factor authentication!
Folks would then need to go through the registration process, which meant making a crypto deposit at some point, or completing a Know Your Customer identity check and handing over identification in the form of a photo document, proof of address, and signature.
Sound fishy? It should, seeing as the scammers were after the victims' personal information as well as their cryptocurrency. These kinds of details fetch a decent price on the dark web – so it's likely that the scammers were putting together a database of information to sell off.
Once the victim had completed registration, they could finally get excited about claiming their prize payout… and ultimately receive nothing. The code included in the original Discord message would be accepted, no problem, and the cryptocoins would even appear in the victim's account, but they simply wouldn't be able to move them into their wallet.
The victim ends up with nothing, and the scammer gets away with some currency, some data, and a new string of users to contact via Discord.
Server security tips
So, what can we do to prevent these scams from happening? That's largely down to Discord, and I hope that the company continues to implement anti-spam measures, but that doesn't mean that there's nothing you or I can do to make our experiences on the platform more secure. I'll run through some of the ways you can keep your profile safe below, and explain how to configure your settings.
For server members
🕴Be wary of strangers
This one's an oldie but a goodie, and you should always be mindful about the information you choose to share online – avoid posting pictures of yourself, sharing personal details, or swapping files in a public server. And remember that if something seems too good to be true, then it usually is! DMs from out of the blue, from total strangers or bots, should be treated with caution, especially if they claim to have any affiliation with Discord or Twitch.
💻Avoid random links
Spam messages and bots will often try to tempt you to click on a link – which is why it's best to avoid clicking on them! You could be taken to a fake phishing website that'll swipe your information if you input it anywhere. If you're really curious, you can Google the link instead of clicking on it, and see whether it's legit.
Use two-factor authentication
Two-factor authentication is a simple and secure way of ensuring nobody else can access your accounts. It basically requires you to provide an additional form of identification on top of your regular password and email combo. This is usually a code texted to your phone – so unless a scammer also has that, for some reason, they won't be able to access your Discord account! Oh, and Discord actually lets you use Authy and Google Authenticator!
📱Adjust your scanning settings
Head into your settings and click 'Privacy & Safety', and the first thing you'll see is the 'Safe Direct Messaging' option. This allows you to adjust how often Discord scans your incoming messages – which could be especially handy if you're in a big public server with a lot of randoms. Setting yourself to 'Keep me safe' can prevent some junk messages, and will scan all images sent your way, though you can also select 'My friends are nice' if you'd rather forgo the scans on messages from pals.
💌Filter friend requests
This is an effective option that you can toggle right away if you'd rather not receive friend requests from total strangers! Pruning your friends list, and being mindful of who you add to it, is a great way to avoid unwanted spam. From the settings menu, click 'Privacy & Safety' and scroll down to 'Who can add you as a friend'. From there, simply toggle your preferences on or off.
✒️Determine who can message you
By default, you'll be able to receive DMs from server members, though there is an option to turn this off if you'd rather not be so easily contactable. Turning this option off is also a good idea if you're concerned about bots, because if one does happen to infiltrate a server you're in, it won't be able to DM you! In your settings, go to 'Privacy & Safety' and scroll down a little to 'Server privacy details'. You'll see the toggle there!
For server owners
✅Establish server rules
If you're going to own a server, you'll need to make sure that anybody who joins has easy access to your rules. Create a channel where you can lay them out in full, and tweak your instant invites so that they automatically direct newbies to that channel when they first join. You can do this by removing permissions to create an invite in any channels you don't want newcomers to land in. Doing this helps newcomers brush up on your code of conduct immediately, clears up things like bot policies and message etiquette, and lets them know who to DM for more info.
🔑Set your verification level
Go to your server, select 'Server settings' and then head into 'Moderation'. Here, you'll see the 'Verification level' option. These options set rules determining who can post in your server and which conditions have to be met first. You can set up your server so that anyone (and any bot) can start chatting in the server without any sort of verification, or require users to have a verified email address. If you want to curb spamming and raids, consider setting your server verification level to Low or Medium!
👯‍♀️Assign server roles
Roles are really one of the best things about Discord – and not just because they give your members fun, colorful names! They can also help you determine which users can do what in your server, and establish a structure or hierarchy that any member can see at a glance. Head into your server settings and click 'Roles' to add new ones, and tweak the permissions for each. You'll be able to determine who can edit or delete channels, edit other roles, and kick members – and it's generally a good idea to entrust only a few folks with these powers, so that spammers and bots can't take advantage.
🔒Require two-factor authentication
If you're serious about server security, it might be worth insisting that all of your moderators and administrators have enabled 2FA before they can do things like delete messages or ban members. This prevents these powers from being abused by anyone who tries to compromise a mod's account, seeing as they'll be unable to log in and cause havoc. You can toggle this setting on or off by heading into your server settings and clicking 'Moderation'. Remember, however, that you'll need to have 2FA enabled on your own account to do this.
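If you'd rather check the owner settings above with a script than by clicking through menus, here's one way to do it. This is an added example, not part of the original post: it assumes you already have your server's guild object as JSON from Discord's API, uses the field names and permission bits from Discord's documented guild and role objects, and runs on a constructed sample server.

```python
# Added example: audit a Discord guild object for the owner settings discussed above.
# Field names and numeric values follow Discord's documented guild/role objects.

# Permission bit flags for the powers the post says to hand out sparingly.
SENSITIVE = {
    "KICK_MEMBERS": 1 << 1,
    "BAN_MEMBERS": 1 << 2,
    "ADMINISTRATOR": 1 << 3,
    "MANAGE_CHANNELS": 1 << 4,
    "MANAGE_MESSAGES": 1 << 13,
    "MANAGE_ROLES": 1 << 28,
}


def sensitive_perms(role):
    """Names of sensitive permissions a role grants (the API sends the bitfield as a string)."""
    bits = int(role["permissions"])
    return [name for name, flag in SENSITIVE.items() if bits & flag]


def audit_guild(guild):
    """Return a list of findings for weak moderation settings."""
    findings = []
    if guild["verification_level"] == 0:  # 0 = None: no verified email needed to post
        findings.append("verification_level is None; set Low or Medium")
    if guild["mfa_level"] == 0:  # 0 = moderators are not required to have 2FA
        findings.append("2FA is not required for moderation actions")
    for role in guild["roles"]:
        perms = sensitive_perms(role)
        if not perms:
            continue
        if role["id"] == guild["id"]:  # the @everyone role shares the guild's ID
            findings.append("@everyone grants: " + ", ".join(perms))
        elif role.get("managed"):  # managed roles belong to bots and integrations
            findings.append(f"bot role '{role['name']}' grants: " + ", ".join(perms))
    return findings


# Constructed sample (not real data), shaped like a guild object from the API.
SAMPLE_GUILD = {
    "id": "100",
    "verification_level": 0,
    "mfa_level": 0,
    "roles": [
        {"id": "100", "name": "@everyone", "permissions": str(1 << 4), "managed": False},
        {"id": "101", "name": "Mods", "permissions": str((1 << 1) | (1 << 13)), "managed": False},
        {"id": "102", "name": "ExampleBot", "permissions": str(1 << 3), "managed": True},
    ],
}
```

The human 'Mods' role isn't flagged, since moderators are supposed to hold those powers; the script only calls out powers granted to everyone or to a bot's role.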
It's an unfortunate reality that not everybody on the internet has your best interests at heart – but hopefully I've given you some ideas on how to keep your servers secure and your Discord experience smooth and undisturbed by spammers, rigged bots, and generally annoying individuals. For any lingering questions, check out the FAQ below!