Discord Security Checklist

In the last year or two, Discord has been one of the primary methods of cultivating community for Web3 projects and companies. Discord can be very useful for keeping your community updated, getting to know your users, providing support, or simply saying "gm." With all of those benefits, there are some downsides, the biggest being scams.

In the Web3 space, Discord scams are incredibly dangerous since anyone can receive a direct message from someone that is pretending to be a server mod; they click on a link, sign a wallet transaction, and the next thing you know their entire wallet is drained. Not only that, but a mod's account can be hacked and the hacker can post official announcements with malicious links. Web3 Discord is the Wild West, and those who manage communities must be armed with the best tools and tactics to prevent scams!

Pinata was recently targeted for a Discord scam that happened overnight. Someone invaded the server with a bunch of bots named "Pinata" with our logo. Those bots sent direct messages to our users claiming Pinata had a token coming out soon (PSA: we don't) and provided a phishing website where the user could pre-purchase the token. It was quite a good looking website, stealing our branding and making it look legit. Once we found out what happened we jumped into action and learned quite a bit on the way. We hope these tips will help arm your community and prevent scams around your server!

Discord security can be broken into two main categories, Social Protection, and Tech Protection.

Social Protection

Social Protection involves using common sense and good security practices to help prevent social engineering. Most of these Discord scams use lots of social engineering, so we would recommend taking the following tips!

Never Click on Discord Links

This has to be number one: never click on links sent to you via Discord! Similar to not clicking on links in suspicious emails or texts, the same goes for Discord. This platform is especially vulnerable due to how it handles user tokens. If you read this tweet thread below you can learn how hackers took over a moderator's account with a well planned malicious link.

As the thread states,

“If you use Discord, don't click on any link, even if it's sent by your most trusted friend, ask them kindly to send it again via Twitter, Telegram, or any other medium of communication you use with them. If you don't know them, just ignore any link coming your way. ”

This is a simple yet effective way to prevent hacks into your personal account or server!

Discourage DMs

Another main tactic of hackers as stated before is using the DMs (direct message) to scam a user. One way to help prevent this is to inform your community that you will not DM them. You can even put it in your server profile. Make it abundantly clear that your team will not send DMs: put it in the welcome page, put it in the announcements, remind users constantly that you will not do this! You can even use a bot to send a message to users telling them to turn off their DMs for the server (we'll cover this later).

Raise Awareness

On the note of giving clear communication to your users, also be sure to raise their awareness. Web3 is full of new faces who have no idea what can happen to their crypto if they click on the wrong link or go in the wrong group. Always assume everyone in your server knows nothing about these scams or what can happen to them, and with that assumption give regular announcements, tips, and blog posts on ways to stay safe. One of my favorite resources is Ledger. Of course they have the most incentive to recommend security since they sell cold crypto wallets, but they also regularly talk about how people have been scammed in the past and how to avoid it in the future.

Tech Protection

That gives us a good transition into the other half of Discord security: technology. While some of the most effective protection against scams is preventing social engineering, there are plenty of technological advantages available to be more effective.

Use a Password Manager

Nothing is more dangerous than using the same password across every website. Oh yes, we are all guilty of doing this at one point or another. Password databases are leaked all the time and sold on the dark web regularly. If a hacker gets your email and password for one website, what do you think they're going to do next? Perhaps try your online banking, or maybe your Netflix account, and yes, your Discord account! If you are a prominent person in crypto and you run a Discord server, you are a target. But how are you going to keep track of all those passwords? I have over 100 logins across different websites, am I seriously going to have a random password for each one?

Enter the password manager. Using one of these changed my online footprint and has put me at ease when setting up a new login. There are a bunch of different brands you can choose from, but essentially a password manager is an online service that encrypts your data and helps you keep track of your passwords. They will typically have you set up a master password that can unlock the rest of your passwords, and in addition can set up biometrics like your fingerprint or Face ID to unlock the app. In addition they can generate random and complicated passwords for you to use in order to help keep every login different. Good ones are integrated into multiple devices so you can access every password with ease. They may cost a little bit of money, but nothing is more valuable than securing your digital footprint.

Enable MFA

Sometimes having good passwords is not enough, which is why it's also important to enable multi-factor authentication (MFA) on everything. MFA is a second step to logging into an online account. After you login with the username and password, it will ask for a code that you can receive either by email or text. This will make it much harder for someone to gain access to your accounts.

You should definitely enable this on your Discord account, and I would recommend using an authenticator app. Emails get hacked all the time, but so do phone numbers. Using email or text as your MFA is not always the best idea, thankfully there are some great authenticator apps that will generate random codes for you to use. They're also pretty easy to set up, so be sure to check that out if you want to be more secure.

Use a Bot

Finally, in reference to Discord, use a bot. Bots are made by developers for Discord to help run and maintain the server. One of the most popular ones out there is MEE6, and it's loaded with helpful moderation and security features. One of them I mentioned earlier is sending out a welcome message to new users, ours in particular will instruct users to turn off DMs right away to help prevent scams entering their inboxes.

Another helpful feature they have is preventing other bots from entering your server. As I said earlier we had this problem at Pinata where a bunch of bots joined overnight, posed as "Pinata," and sent DMs to loads of our users with a scam. You can prevent these bots from automatically joining by using a verification process. There is even a captcha bot that will require the user to complete a captcha to enter! Essentially, you will have special permissions set up for roles in the server that only those who pass the verification process can see the rest of the server and the members inside, otherwise they will see nothing. This is helpful because it prevents bots from having a list of targets to DM and causing the scam in the first place. Almost every Web3 Discord server will make their users go through this process! I would advise sticking with as few bots as possible. It is rare, but sometimes bots are hacked as well, and keeping them to a minimum will keep your risks low.

There is no one-trick-pony tactic to stop crypto scams on Discord. As you can tell from the tips above, it takes diligence on multiple fronts to make it harder on hackers. There is nothing that will guarantee your server will be safe, but there is plenty you can do to improve your chances!