Personal account security on Discord is of the utmost importance. If your account is compromised, you could lose access to cherished direct message conversations with friends and servers in which you are an active community member. However, when you’re a moderator there is an additional danger: the attacker that compromised your account may ruin the Discord servers you moderate by banning tons of members, deleting channels and messages, or more.
To avoid this, it is important that you not only secure your own account but use Discord responsibly to avoid accidentally compromising your account.
The first step towards securing the server you moderate is securing your own Discord account. Your first line of defense is a strong and unique password. Some characteristics of strong passwords include:
You can also use a random password generator or a password manager to create a completely random password that will be nearly impossible to guess, but difficult to remember. Another option is to combine several random words together. The key, though, is that the words need to be completely random. Using a tool to help select words at random from the dictionary is a good way to help ensure their randomness.
Once you have a strong password, you should also enable two-factor authentication, also known as 2FA. 2FA ensures that even if someone manages to guess your password, they won’t be able to get into your account without access to the device where the 2FA app is. You can also enable 2FA via SMS and receive your authentication code via text message. However, SMS 2FA is less secure than application-based 2FA because text messages can be intercepted or your phone number could be stolen. Although the chance of this is still low, you should still avoid enabling the SMS backup for this reason if possible.
You also need to make sure the devices where your Discord account is logged in and the device that has your 2FA app are physically secure. Make sure your computer is password protected and locked when you are physically away from it. If you use a public computer, make sure that you use incognito mode on the web browser to ensure that your Discord information is removed when you close the browser. For a phone or tablet, require a PIN code to unlock it so that it can’t be used by strangers.
Now that your account is nice and secure, there is one more thing you must closely monitor to ensure it doesn’t fall into the wrong hands: yourself.
The weakest link in any cybersecurity system is usually a human, and the security of your Discord account is no exception. Social engineering is the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. People attempting to gain access to your Discord account may attempt to get you to log into a fake site, download a malicious file, or click on a suspicious link. Being able to identify these actions and avoiding potential pitfalls is an important part of keeping your account (and the servers you moderate) safe.
One of the most common and dangerous scams on Discord is a user or a bot sending out a direct message with a QR code saying that you should scan the QR code with Discord’s QR code scanner for free nitro. This will generally be combined with instructions on how to access and use Discord’s QR code scanner. However, it is important to remember that Discord's QR code scanner is only used to log in to Discord. Scanning the given QR code will allow that attacker to directly log into your account, bypassing your password and any 2FA you may have configured. If you accidentally scan a suspicious QR code, you should immediately change your password as this will invalidate your current account token and log you out of all devices.You can also report any such scams directly to Discord Trust and Safety for further action. For more information on making reports, check out this article.
Another common attack is to encourage you to click on a link that redirects to a fake Discord website. Before clicking on any links from a user, ask yourself the following questions:
If you find that the answer to many of the above questions is “yes”, you should avoid performing whatever action they are requesting. You can also check any suspicious-looking URLs with various URL checkers, such as this one.
If the user is specifically asking you to click on a link that prompts you to log in to Discord, another option you have is to navigate directly to https://discord-webhook-relay-6q9nx.thz.cool in your web browser and log in from there. If clicking on the user’s link still takes you to a login page, double check the URL of the website. One thing you’ll want to check is if the website starts with https:// instead of http:, or that there is a lock next to the beginning of the URL. Although some fake sites may still have an https:// designation, many of them will not. Other signs may be slight misspellings of the URL or visual tricks such as diiscrd.com or dlscord.com with a lowercase “l” instead of an “i”. If you notice any of these signs, it is highly likely that it is not actually Discord’s website and instead a fake website intended to trick you into entering your login credentials so that it can steal your account.
Creating a strong password, enabling 2FA, and following best practices for physical device security are the first steps towards keeping your Discord account secure. However, there may be people that try to trick you into giving access to your Discord account through various scams or other social engineering attacks. Being able to spot suspicious messages and users and being cautious when encountering strange links or files is another important part of keeping your account safe. Of course, anyone that is able to illicitly gain access to a moderator account on your server still has the potential to do great harm, such as banning users and deleting messages, channels, and roles. Be sure to share this information with the other moderators on your server so that you can each do your part to keep your community safe by keeping your accounts secure.