Phishing on Reddit
Phishing attacks on Reddit harvest account credentials through fake login pages, malicious links in posts or DMs, and impersonation of Reddit admins or moderators requesting account verification.
Last reviewed: 1 June 2026
Reddit accounts with karma history and subreddit memberships have real value to scammers — they can be used to post fraudulent content with built-in credibility or sold on secondary markets. This makes Reddit credentials a worthwhile phishing target.
Because Reddit users trust links shared by accounts in relevant communities, phishing links embedded in otherwise-helpful posts can receive significant clicks before removal.
How this scam works on Reddit
Phishers post links in subreddits claiming to lead to useful resources — research papers, streaming sites, tools, or exclusive content. The destination site either hosts drive-by malware or presents a fake login page designed to capture Reddit credentials.
Admin impersonation phishing arrives via DM from an account with an official-looking username. The message warns that the user's account will be suspended unless they verify through a provided link, which leads to a Reddit-branded clone of the interface.
Some campaigns compromise high-karma Reddit accounts and use them to post credible-seeming phishing content in established communities, bypassing spam filters that target new accounts.
Common red flags
- DM from a 'Reddit admin' or 'moderator' directing you to verify your account externally
- Post linking to an 'exclusive' resource that requires a Reddit or other login
- Login page URL that is not exactly reddit.com
- Account suspension warning arriving via DM rather than through Reddit's own notification system
- Shortened or redirected URL that obscures the final destination
- Message from a high-karma account that seems out of character for that account
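The two URL red flags above (a login host that is not exactly reddit.com, and a shortened link) can be checked mechanically before a link is opened. The following is an added example, not part of the original page; the function name, the trusted-host set, the shortener list and the sample links are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: hosts accepted as genuine Reddit login hosts in this example.
TRUSTED_HOSTS = {"reddit.com", "www.reddit.com"}
# Illustrative, non-exhaustive list of link shorteners.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}


def classify_link(url: str) -> str:
    """Classify a link that claims to lead to a Reddit login page."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return "unparseable"
    if not host:
        return "unparseable"
    # Non-ASCII or punycode labels can render like "reddit.com" but are not.
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return "lookalike-idn"
    if host in SHORTENERS:
        return "shortened"  # final destination is hidden until resolved
    if host not in TRUSTED_HOSTS:
        # "reddit" in the userinfo or in a subdomain label does not make the
        # host Reddit: only the full hostname decides which site is reached.
        if "reddit" in parts.netloc.lower():
            return "brand-in-foreign-host"
        return "foreign-host"
    if parts.scheme != "https":
        return "not-https"
    return "ok"


# Constructed sample links (.example is a reserved TLD).
SAMPLES = [
    "https://www.reddit.com/login",
    "http://www.reddit.com/login",
    "https://reddit.com.account-verify.example/login",
    "https://www.reddit.com@login-check.example/verify",
    "https://r\u0435ddit.com/login",  # Cyrillic 'е' in place of Latin 'e'
    "https://bit.ly/abc123",
    "https://redd1t-support.example/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify_link(link):<22} {link}")
```

Any verdict other than `ok` means the link should not be used to sign in; a `shortened` verdict means the destination has to be expanded and classified again before it can be trusted.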
How to protect yourself
- Enable two-factor authentication on your Reddit account
- Access Reddit only by typing reddit.com directly or through a bookmarked URL
- Be sceptical of any DM claiming your account requires external verification
- Hover over links before clicking to inspect the destination URL
- Use a unique password for Reddit not shared with other services
How to report it
- Report phishing DMs and posts using Reddit's in-app report tool
- Report phishing domains via Google Safe Browsing at safebrowsing.google.com/safebrowsing/report_phish
- Alert subreddit moderators if phishing content appears in a community they manage
Frequently asked questions
Does Reddit ever DM users about account issues?
Genuine Reddit admin communications appear as site notifications within the platform or in your inbox as modmail, not as DMs directing you to external login pages.