You’re just cruising along in your day when you get a chat on either Discord, Steam, or Twitter/X from someone you may not have heard from in a while - or even a complete stranger. They want you to know that they meant to report someone for fraud but ‘accidentally’ reported your account instead, and you need to chat with an admin to get this resolved right away (usually within 12-48 hours) unless you want to get banned from the platform. This admin is almost always on Discord or a similar communication program, not through some official channel where you respond to a ticket or similar, because who does that?
Of course you want to not get banned from whatever platform this applies to, so you go on Discord (or similar). The person assures you that you’re not likely in any trouble but they need to do an investigation. The person will require you to do certain things - read out a code sent via email or in your authenticator (especially if you’ve set up 2FA/MFA), change your email address, log out of your account, and so on.
The next thing you know, you’re locked out of your account and the scammer has control.
Note: A slightly different version has shown up on BlueSky, with some differences - the scammer tells you that there’s an impostor account, then asks for your discord username as “bluesky won’t let you send images in a DM”. Whether you give them your Discord username or not, they let you know that they accidentally reported your account, and the scam proceeds from there. It’s the exact same scam, just different opening text.
How to Protect Yourself
Red flags that should catch your eye:
Supposedly, you have to be told about this because you ‘would not be notified’ - a genuine fraud investigation would not rely on the ‘victim’ letting someone know that they’re under investigation. They have your contact information and they will use it if they need to.
Keep an eye out for poor grammar and the word “Kindly”. While individuals from an organization might have bad grammar, it would not be normal to see it in a professional template from a North American (which all of the above are) company.
As always a “do this within 12-48 hours or the account will be banned” is a common scammer tactic used to scare you.
Any organization worth its salt uses a ticketing system to track fraud reports/appeals/discussions/everything else. This may interface with an email system, but it leads to some kind of ticketing system. Not an informal “come to Discord to have a chat with this person and we’ll fix things for you”.
Fraud investigators have a variety of internal tools. They can change your email and do investigations without you ever having to touch a single thing on your account. Anybody asking you to change your email address to something else is not legit. (And needless to say, you should never be giving security codes to random people on Discord!)
Heads of security are extremely busy people. They are often up to their eyebrows in politics and paperwork. They have staff to be doing the day-to-day security work; they’re not going to invite random people to reach out to them on Discord to resolve issues. (This is similar to how you are not going to get a call from a Sergeant or a Lieutenant about missing court; they have staff for that.)
Instead, report the compromised account to the actual security people, and let them investigate.