A variant of a popular piece of social media fraud has made its way onto Discord servers.
Multiple people are reporting messages of an "Is this you" nature, tied to a specific Discord channel.
The message reads as follows:
heyy ummm idk what happened of its really you but it was your name and the same avatar and you sent a girl erm **** stuff like what the ****? [url] check #shame and youll see. anyways until you explain what happened im blocking you. sorry if this is a misunderstanding but i do not wanna take risks with having creeps on my friendslist.
The server is called Shame | Exposing | Packing | Arguments.
Visitors to the channel are asked to log in via a QR code, and users of Discord are reporting losing access to their account after taking this step. Worse still, their now compromised account begins sending the same spam message to their own contacts.
Discord itself warned users over two years ago to only scan QR codes taken directly from their browser, and to not use codes sent by other users. Unfortunately this has been a concern for unwary Discord users for some time now.
Tips to keep your Discord account secure
- Enable two-factor authentication (2FA). While you're doing this, download your backup codes too. Should you land on a regular phishing page and hand over login details, the attacker will still need your 2FA code to do anything with your account. Note: Some phishers are now stealing 2FA codes too, so this isn't foolproof, but it is a good security step to have anyway.
- Turn on server wide 2FA for channel admins. This means that only admins with 2FA enabled will be able to make use of their available admin powers. This should hopefully keep the channels you're in that little bit more secure.
- Use Privacy and Safety settings. Tick the "Keep me safe" box under "Safe direct messaging". This means all direct messages will be scanned for age restricted content. You can also toggle "Allow direct messages from server members" to restrict individuals who aren't on your friends list.
- Make use of the block and friend request features. You can tell Discord who, exactly, is able to send you a friend request. Choose from "Everyone", "Friends of friends", and "Server members".
- Report hacked and suspicious accounts. Pretty much every option you can think of is available in the Trust & Safety section for reporting rogue accounts and bad behaviour. Individual messages can be reported, and you can see how bad actors are prevented from scraping your user data for nefarious purposes. Finally, a form exists for you to report specific bots sending harmful links.