Phishing Scams on Discord
Discord's server-based communities and direct-message system are exploited by phishers who clone official bots, send fake nitro giveaways, and hijack high-value accounts.
Part of: Phishing
Last reviewed: 1 June 2026
Discord's design centres on trust within communities — members expect messages from server admins and popular bots to be legitimate. Phishers exploit this trust by impersonating well-known bots, sending fake Nitro subscription offers, or mimicking server moderation accounts to steal login credentials and take over accounts.
Once a Discord account is compromised, attackers use it to spread further phishing links to the victim's entire friend list and every server they belong to, creating rapid chain infections across gaming and NFT communities.
How this scam works on Discord
The most common Discord phishing vector is a fake Nitro gift link sent via DM or posted in a server. The link leads to a convincing replica of the Discord login page or a Steam-style authentication screen. Victims who enter credentials have their accounts captured within seconds.
A second major vector is malicious bot invitations. A phisher posts a 'must-have' utility bot that requests excessive permissions — including the ability to read message history and DM all members. Server moderators who approve the bot unknowingly give attackers access to all member data.
NFT and gaming communities are especially targeted with fake 'mint' or 'claim reward' links posted in announcement channels by compromised moderator accounts, sending victims to wallet-draining sites.
Common red flags
- Unsolicited DM offering free Nitro or a prize with a suspicious link
- A bot invitation requesting admin-level permissions for basic functions
- A posted link in announcements or general chat that looks like Discord but uses a slightly different domain
- Server moderator suddenly DMing you to 'verify your account'
- Login page that appears after clicking a Discord link but is not at discord.com
- Urgency around a limited-time claim or a warning your account will be suspended
How to protect yourself
- Enable two-factor authentication on your Discord account immediately
- Never click Nitro gift links from accounts you do not know personally
- Check bot permission requests carefully — reject any bot needing permissions it does not need for its stated function
- Verify any announcement link by navigating directly to the official site rather than clicking
- Use a password manager so a fake login page cannot capture your real password
- Revoke access to any unfamiliar authorised applications in Discord account settings
How to report it
- Report the phishing message or account using the three-dot menu inside Discord
- Report the phishing URL to Discord's Trust and Safety team at dis.gd/report
- Report to your national cyber reporting centre
Frequently asked questions
How do fake Discord Nitro giveaway scams typically work?
A compromised or fake account DMs you or posts in a server claiming you've won free Nitro, with a link leading to a fake Discord login page designed to steal your credentials and session token. Discord's real giveaways don't require you to log in again through an external link — always check the URL matches discord.com exactly.
A "Discord bot" DM'd me asking to verify my account — is that legitimate?
Official Discord system messages don't arrive as DMs from bots asking you to click a verification link — this is a common phishing pattern designed to steal your login token. Report and block the bot or account through Discord's built-in tools rather than clicking anything it sends.
My Discord account was hijacked through a phishing link — how do I recover it?
Change your password immediately from a trusted device if you still have access, enable two-factor authentication, and use Discord's account recovery support if you've been locked out. Warn friends and servers you're part of that the account may send scam messages until it's fully secured.
Can I get phished on Discord without clicking a link?
Clicking a malicious link is the primary vector, but a compromised bot with broad permissions can harvest your data without you clicking anything. Review and revoke bot permissions regularly in your account's Authorised Apps settings.