Phishing on Discord
Phishing attacks on Discord harvest login credentials, Nitro gift codes, or wallet keys through malicious links sent via DMs, compromised servers, or bots impersonating Discord's own notifications.
Last reviewed: 1 June 2026
Discord is a high-value phishing target because a single compromised account can be used to attack all of that account's friends and server contacts at once. Phishers use every available surface — DMs, server channels, fake bot notifications, and even QR code login abuse — to steal credentials.
The platform's QR login feature is heavily abused: victims are shown what appears to be a Steam or Discord verification QR code, but scanning it grants the attacker full account access instantly.
How this scam works on Discord
A common Discord phishing vector is the fake Nitro gift: a bot or compromised account DMs a user with a link claiming to offer free Nitro. The link leads to a convincing Discord login page on a typosquat domain. Entered credentials are captured and the account is taken over within seconds.
QR code phishing operates similarly — the attacker sends a 'verification' QR that, when scanned with the Discord mobile app's QR login tool, authenticates the attacker's session on their device. The victim sees their account acting strangely but may not immediately understand why.
Server-based phishing posts often appear as announcements from bots mimicking Discord's safety or support team, directing users to 'verify' their account on a fake portal to avoid suspension.
Common red flags
- Unexpected Nitro gift DM from a friend or bot asking you to log in to claim it
- QR code in a DM described as 'verification' or 'age check'
- Message from a 'Discord Safety' bot directing you to an external login page
- Login page URL that is not exactly discord.com
- DM from a friend whose account has been acting unusually
- Server announcement requesting account re-verification through an external link
How to protect yourself
- Enable two-factor authentication on your Discord account immediately
- Never scan a QR code sent via Discord DM — the QR login feature should only be used when you initiate the login yourself
- Check URLs character-by-character before entering credentials: phishers use domains like 'dlscord.com' or 'discord-gift.com'
- Treat all unsolicited Nitro gift links as suspicious regardless of who sent them
- If your account is compromised, change your password and revoke all authorised apps immediately from account settings
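One way to automate the character-by-character URL check from the list above, as an added example that is not Discord's or this page's own code: it accepts only the exact host discord.com and flags hosts that embed or nearly spell the brand. The function names, the "suspect" heuristics (edit distance of 2, six-character floor) and the sample links other than the two typosquats quoted above are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

OFFICIAL_LOGIN_HOST = "discord.com"  # the page's rule: exactly discord.com
BRAND = "discord"

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_login_link(url: str) -> str:
    """Classify a link presented as a Discord login: official, suspect or unrelated."""
    if not url.lower().startswith(("http://", "https://")):
        url = "https://" + url  # bare "host/path" strings pasted from chat
    parts = urlsplit(url)
    # .hostname is lowercased and excludes any "user@" prefix and ":port" suffix
    host = (parts.hostname or "").rstrip(".")
    if host == OFFICIAL_LOGIN_HOST:
        return "official"
    # Brand text before "@" is decoration; the real host comes after it
    if BRAND in (parts.username or "").lower():
        return "suspect"
    for label in host.split("."):
        if BRAND in label:  # discord-gift.com, discord.com.login.example
            return "suspect"
        for token in label.split("-"):
            # near-misses such as dlscord; the length floor skips short words
            if len(token) >= 6 and edit_distance(token, BRAND) <= 2:
                return "suspect"
    return "unrelated"

# Constructed sample links; the two typosquat names are the ones quoted on this page
SAMPLES = [
    "https://discord.com/login",
    "https://dlscord.com/login",
    "discord-gift.com/claim",
    "https://discord.com@login.example/verify",
    "https://discord.com.login.example/",
    "https://docs.python.org/3/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify_login_link(link):9}  {link}")
```

Because the match is exact, any other host containing the brand name, including subdomains of discord.com, is reported as "suspect" rather than "official".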
How to report it
- Report phishing accounts and messages via Discord's in-app report function
- Report phishing domains to Google Safe Browsing at safebrowsing.google.com/safebrowsing/report_phish
- Contact Discord Trust and Safety at dis.gd/report if the attack is ongoing or large-scale
Frequently asked questions
My friend sent me a suspicious link — does that mean they were hacked?
Very likely, yes. Phishers immediately use compromised accounts to DM the victim's friends list. Warn your friend through another channel and encourage them to secure their account.