Game Account Takeover Scams

Game account takeover scams target the accounts players build up over months or years of play — accounts containing rare items, high character levels, accumulated currency, cosmetics, and a history of purchases. Because these accounts can hold real monetary value on secondary markets, they are a direct target for theft.

The scammer's goal is to gain access to the account credentials and then change the associated email address and password before the legitimate owner can respond, locking them out. Once in control, the scammer may sell the account on grey-market platforms, strip valuable in-game items and sell them separately, use stored payment methods for further purchases, or hold the account to ransom.

Account takeover can happen through several routes. Phishing is the most common: a fake login page that mimics the game's official site captures credentials when the player attempts to sign in. Credential stuffing uses email and password combinations leaked from other data breaches, exploiting the fact that many people reuse passwords. Social engineering — posing as a friend, a game support agent, or a tournament organiser — manipulates the player into sharing a verification code or changing their linked email.

Game accounts often hold real value that players do not think of in purely financial terms — a beloved account with years of progress can feel irreplaceable. Account takeover can therefore cause significant distress beyond any monetary loss, which is why prevention is so much more effective than recovery after the fact.

The phishing route typically begins with a convincing message. A direct message on a gaming platform, a Discord notification, or a text or email informs the player that their account has been flagged, that they have received a prize or reward, or that they must verify their details to prevent suspension. The message contains a link to a website that replicates the game's official login design.

The player enters their username and password. These are captured immediately. The page may then redirect to the real site or show an error message. In the same moment, the scammer uses the captured credentials to log into the real account and begins changing recovery details.

Credential stuffing is less targeted: scammers use automated tools to attempt logins across many gaming platforms using email and password combinations from known data breaches. If someone uses the same password for their email and their game account, both can be compromised in sequence.

In social engineering variants, a player may be contacted by someone claiming to be a friend whose account was hacked, a tournament coordinator requiring account verification, or a support agent. The scammer asks the player to confirm their one-time login code — an authentication code the player has just received — claiming it is needed for verification. Sharing this code allows the scammer to complete the login and lock the player out.

Some takeovers occur through third-party cheating tools or 'boosting' services where the player willingly shares credentials, only to find their account stripped afterwards.

Gaming accounts have genuine value — both monetary and emotional. The investment of time and in some cases real money makes the idea of account suspension or loss alarming, which the phishing message exploits.

For younger players especially, the social dimension of gaming — knowing friends' accounts, seeing familiar usernames — can lower suspicion. A message that appears to come from a familiar gaming community or a well-known platform name feels safe.

Password reuse is extremely widespread and significantly amplifies risk. A single breach of a less secure site can expose the same credentials used for a high-value game account. Players are not always aware that their email and password have been exposed in a breach, or what consequences this might have for other services.

A player receives a direct message on a gaming platform informing them that their account has won a prize or been selected for a beta test. The message contains a link to a site that looks identical to the game's official login page. The player signs in. Moments later they receive a notification that their email address on the account has been changed. By the time they attempt to use the game's account recovery, the email linked to the account belongs to the scammer, and the recovery path is blocked. The account — containing years of progress, rare items, and linked purchases — is inaccessible.

Your [game] account has been reported. Log in to verify your identity or it will be suspended: [fake link]

Congratulations! Your account was selected for a free [item] reward. Claim here: [fake link]

Hi, I'm from [game] support. Can you confirm the code sent to your email so we can restore your account?

This is [username] — I got hacked and need you to verify your account on this link too: [fake link]

You've qualified for our beta programme. Sign in to confirm your place: [fake link]

Security alert: an unrecognised device tried to access your account. Confirm your login at [fake link]

Always navigate to the game's official site by typing the address directly or using your saved bookmark — never via a link in a message, even one from an apparent friend or support contact. Check the domain in your browser carefully before entering any credentials.

Legitimate game support teams do not ask players to share one-time login codes, authentication codes, or verification codes. If someone asks you to read out or paste a code you just received, treat it as a takeover attempt regardless of how they are identifying themselves.

Check whether your email address has appeared in known data breaches by using a reputable breach-checking service. If it has, update the password for that email account and any other service that uses the same credentials.

Enable two-factor authentication on your game account and the associated email address. An authenticator app is more secure than SMS-based verification for this purpose.