VYPR
researchPublished Jul 7, 2026· 1 source

Reddit and Discord Users Targeted by Social Engineering Scam for Account Takeover

A prevalent social engineering scam uses fake account reports on Reddit and Discord to trick users into revealing login credentials or verification codes, leading to account compromise.

A sophisticated social engineering scam is targeting users on popular platforms like Reddit and Discord, employing a deceptive tactic that leverages fabricated account reports to steal user credentials. The scam typically begins with an unsolicited message from a stranger claiming that their account has been reported, and that the reporting account bears a resemblance to the victim's. In some variations, the scammer might claim they accidentally reported the victim's account and need assistance to rectify the error.

This elaborate ruse bypasses traditional malware or malicious links, relying solely on psychological manipulation. The scammers' primary objective is to gain the victim's trust and coerce them into divulging sensitive information, such as login credentials or one-time verification codes. Once obtained, this information is used to hijack the victim's account, change passwords, and lock them out, or to alter the account's associated email address to one controlled by the attacker.

The scam unfolds through a carefully orchestrated conversation. After initiating contact with a false report claim, the scammer avoids direct confrontation if the victim denies involvement. Instead, they maintain engagement by suggesting a mutual mistake and offering to help resolve the issue. This is followed by the presentation of fabricated evidence, often a convincing-looking but fake email from Reddit, complete with a ticket number and a countdown timer threatening account suspension or a ban.

Crucially, the scam preys on the victim's desire to resolve a perceived issue quickly. The fake email, with its official tone and urgent deadline, creates a sense of panic, prompting users to act impulsively. The scammers then leverage this urgency by requesting a "verification code" that Reddit would supposedly send. In reality, this code is a genuine login or account recovery code, which the victim unwittingly provides to the scammer, thereby granting them access.

It is vital for users to understand that legitimate platforms like Reddit do not operate this way. Reddit does not facilitate communication between users involved in reports, nor does it request account verification through direct messages or external platforms like Discord. Appeals and moderation processes are handled directly through Reddit's official channels. The fake countdown and threats are merely tools to accelerate the victim's decision-making process.

The ultimate goal of the scammer varies. Some aim for immediate account takeover and lockout, while others might demand payment, such as gift cards, in exchange for restoring account access or preventing account deletion and misuse for further fraudulent activities. The scam highlights the effectiveness of social engineering when combined with a plausible, albeit false, narrative.

To protect themselves, users should never share login credentials or verification codes with anyone, regardless of their claimed affiliation. Changing account details or sending money based on unsolicited messages or threats should be avoided. Users should always verify security concerns by logging into their accounts directly through official websites or applications, rather than clicking links in suspicious emails or messages. Enabling two-factor authentication and following official account recovery procedures are essential steps in securing accounts against such threats.

Synthesized by Vypr AI