Phishing Scams on Discord
Discord's server-based communities and direct-message system are exploited by phishers who clone official bots, send fake Nitro giveaways, and hijack high-value accounts.
Last reviewed: 1 June 2026
Discord's design centres on trust within communities — members expect messages from server admins and popular bots to be legitimate. Phishers exploit this trust by impersonating well-known bots, sending fake Nitro subscription offers, or mimicking server moderation accounts to steal login credentials and take over accounts.
Once a Discord account is compromised, attackers use it to spread further phishing links to the victim's entire friend list and every server they belong to, creating rapid chain infections across gaming and NFT communities.
How this scam works on Discord
The most common Discord phishing vector is a fake Nitro gift link sent via DM or posted in a server. The link leads to a convincing replica of the Discord login page or a Steam-style authentication screen. Victims who enter credentials have their accounts captured within seconds.
A second major vector is malicious bot invitations. A phisher posts a 'must-have' utility bot that requests excessive permissions — including the ability to read message history and DM all members. Server moderators who approve the bot unknowingly give attackers access to all member data.
NFT and gaming communities are especially targeted with fake 'mint' or 'claim reward' links posted in announcement channels by compromised moderator accounts, sending victims to wallet-draining sites.
Common red flags
- Unsolicited DM offering free Nitro or a prize with a suspicious link
- A bot invitation requesting admin-level permissions for basic functions
- A posted link in announcements or general chat that looks like Discord but uses a slightly different domain
- Server moderator suddenly DMing you to 'verify your account'
- Login page that appears after clicking a Discord link but is not at discord.com
- Urgency around a limited-time claim or a warning your account will be suspended
How to protect yourself
- Enable two-factor authentication on your Discord account immediately
- Never click Nitro gift links from accounts you do not know personally
- Check bot permission requests carefully, and reject any bot that asks for permissions its stated function does not need
- Verify any announcement link by navigating directly to the official site rather than clicking
- Use a password manager so a fake login page cannot capture your real password
- Revoke access to any unfamiliar authorised applications in Discord account settings
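One way to carry out the bot-permission check above before approving an invite, as an added example that is not part of the original page or any Discord tooling: it decodes the `permissions` bitfield of an invite URL using Discord's documented permission flags. The sample URLs, the `HIGH_RISK` selection and the name `review_bot_invite` are constructed for illustration, and only `discord.com` is treated as the official host.

```python
from urllib.parse import urlsplit, parse_qs

# Bit values from Discord's documented permission flags (subset).
PERMISSIONS = {
    "KICK_MEMBERS": 1 << 1, "BAN_MEMBERS": 1 << 2, "ADMINISTRATOR": 1 << 3,
    "MANAGE_CHANNELS": 1 << 4, "MANAGE_GUILD": 1 << 5, "VIEW_AUDIT_LOG": 1 << 7,
    "VIEW_CHANNEL": 1 << 10, "SEND_MESSAGES": 1 << 11, "MANAGE_MESSAGES": 1 << 13,
    "EMBED_LINKS": 1 << 14, "READ_MESSAGE_HISTORY": 1 << 16,
    "MENTION_EVERYONE": 1 << 17, "MANAGE_ROLES": 1 << 28, "MANAGE_WEBHOOKS": 1 << 29,
}

# Assumption: the reviewer's own choice of permissions that need justification.
HIGH_RISK = {
    "ADMINISTRATOR", "MANAGE_GUILD", "MANAGE_ROLES", "MANAGE_WEBHOOKS",
    "MANAGE_CHANNELS", "MANAGE_MESSAGES", "KICK_MEMBERS", "BAN_MEMBERS",
    "MENTION_EVERYONE", "READ_MESSAGE_HISTORY",
}

# Constructed sample invite links (placeholder client IDs, reserved .example host).
SAMPLE_ADMIN = ("https://discord.com/oauth2/authorize"
                "?client_id=000000000000000000&scope=bot&permissions=8")
SAMPLE_MINIMAL = ("https://discord.com/oauth2/authorize"
                  "?client_id=000000000000000000&scope=bot&permissions=3072")
SAMPLE_LOOKALIKE = ("https://discord.com.bot-invite.example/oauth2/authorize"
                    "?client_id=000000000000000000&scope=bot&permissions=3072")


def review_bot_invite(url):
    """Summarise what a bot invite URL asks for so a moderator can judge it."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()   # hostname ignores any user@ prefix
    query = parse_qs(parts.query)
    raw = query.get("permissions", ["0"])[0]
    bits = int(raw) if raw.isdecimal() else 0
    named = [name for name, bit in PERMISSIONS.items() if bits & bit]
    known = sum(PERMISSIONS[name] for name in named)
    return {
        "official_host": parts.scheme == "https" and host == "discord.com",
        "scopes": query.get("scope", [""])[0].split(),
        "requested": named,
        "high_risk": [name for name in named if name in HIGH_RISK],
        "unrecognised_bits": bits & ~known,  # flags outside the table above
    }


if __name__ == "__main__":
    for sample in (SAMPLE_ADMIN, SAMPLE_MINIMAL, SAMPLE_LOOKALIKE):
        print(review_bot_invite(sample))
```

A non-empty `high_risk` list or a false `official_host` is the cue to stop and ask why a bot with that stated purpose needs it.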
How to report it
- Report the phishing message or account using the three-dot menu inside Discord
- Report the phishing URL to Discord's Trust and Safety team at dis.gd/report
- Report to your national cyber reporting centre
Frequently asked questions
Can I get phished on Discord without clicking a link?
Clicking a malicious link is the primary vector, but a compromised bot with broad permissions can harvest your data without you clicking anything. Review and revoke bot permissions regularly in your account's Authorised Apps settings.