Protecting your Discord server from scams: the complete guide (2026)
By Luca · updated 11 June 2026
The faster your server grows, the more interesting it becomes to scammers. That's no coincidence: in a big server, every scam link reaches hundreds of people at once, new members don't know the mods by sight yet, and during rapid growth one suspicious account stands out less. Scammers actively hunt for servers with open invite links and few filters – and work their way in using hacked accounts.
The good news: with a handful of settings and the right filters you'll catch the vast majority, without your community noticing a thing. This guide walks through all of it: the scams doing the rounds right now, the settings every server needs, and why text filters alone aren't enough.
The 5 most common Discord scams in 2026
1. Fake Nitro links
The classic: "Free Nitro, today only!" with a link to a domain that looks almost real – discord-nitro.gift or dlscord.com. Anyone who logs in hands over their account, after which that account automatically spreads the link further. Spot it by the artificial urgency and by the domain: genuine Nitro gifts always come from discord.com, with no hyphens or typos.
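The domain check described above can be automated. The following is an added example, not part of the original guide or of any bot it mentions: it flags links whose hostname carries a "discord"-like label but is not on the allowlist. The allowlist, the character-swap table and the sample message are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit

# Allowlist follows the guide's rule that genuine Nitro gifts come from discord.com;
# extend it with other domains your server trusts.
OFFICIAL = {"discord.com"}
BRAND = "discord"
# Character swaps common in typosquats (constructed, not exhaustive).
SWAPS = str.maketrans({"1": "i", "l": "i", "0": "o", "5": "s", "3": "e"})

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host):
    """Return 'official', 'lookalike' or 'other' for one hostname."""
    host = host.lower().rstrip(".")
    if host in OFFICIAL or any(host.endswith("." + d) for d in OFFICIAL):
        return "official"
    # A brand-like label in a non-official host: dlscord.com, discord-nitro.gift.
    for label in re.split(r"[.-]", host):
        if edit_distance(label.translate(SWAPS), BRAND) <= 1:
            return "lookalike"
    return "other"

def scan_message(text):
    """Return the lookalike hostnames linked in a chat message."""
    hits = []
    for token in text.split():
        token = token.strip("<>()[]\"'.,!?")
        if "." not in token:
            continue
        try:
            # urlsplit keeps the real host even when the URL has a user@host part.
            host = urlsplit(token if "://" in token else "//" + token).hostname
        except ValueError:
            continue
        if host and classify_host(host) == "lookalike":
            hits.append(host)
    return hits

# Constructed sample message.
print(scan_message("Free Nitro, today only! https://dlscord.com/gift/abc"))
```

A one-edit tolerance also flags unrelated words such as "discard", so treat a hit as a reason to hold the message for review rather than to ban automatically.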
2. Celebrity giveaway screenshots
A screenshot of a supposed MrBeast tweet or DM: "Congratulations, you've won $1,000 – claim here." Because the scam is an image, a text filter sees nothing suspicious in the message at all. Remember: genuine giveaways from famous names never run through random Discord servers or QR codes in screenshots.
3. Phishing DMs ("your account will be deleted")
Members get a DM from "Discord Support" or "Trust & Safety": their account has supposedly been reported and will be deleted within 24 hours unless they "verify" via a link. Discord never sends threats like this by DM. Spot it by the deadline, the threatening tone and an avatar mimicking the Discord logo.
4. Lookalike moderator accounts
A scammer copies the name and avatar of one of your mods and DMs new members with "verification instructions" or an exclusive role. One click on the profile unmasks them: the lookalike has no roles in your server and the account is often only a few days old. But new members don't know that – unless you tell them.
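The three tells named above (a copied name, no roles, a young account) can be checked at join time or on a nickname change. This is an added example, not code from the guide or from any bot it mentions; the Member record, the 0.85 similarity threshold, the 14-day age cut-off and the sample names are all assumptions.

```python
import unicodedata
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from difflib import SequenceMatcher

@dataclass
class Member:
    # Hypothetical record; a real bot would fill it from its Discord library.
    display_name: str
    role_count: int        # roles other than @everyone
    created_at: datetime   # account creation time (UTC)

def skeleton(name):
    """Fold case, fullwidth/compatibility forms, accents and separators."""
    text = unicodedata.normalize("NFKD", name).casefold()
    return "".join(ch for ch in text if ch.isalnum())

def check_impersonation(member, mod_names, now, young=timedelta(days=14)):
    """Return a finding dict if a role-less member mimics a mod name, else None."""
    if member.role_count > 0:
        return None  # assumption: real staff carry roles, the copy does not
    mine = skeleton(member.display_name)
    for mod in mod_names:
        ratio = SequenceMatcher(None, mine, skeleton(mod)).ratio()
        if ratio >= 0.85:
            age = now - member.created_at
            return {"mimics": mod,
                    "similarity": ratio,
                    "severity": "high" if age < young else "medium"}
    return None

# Constructed sample data.
NOW = datetime(2026, 6, 11, tzinfo=timezone.utc)
MODS = ["Mira", "Night Owl"]
MEMBERS = [
    Member("Ｎｉｇｈｔ_Ｏｗｌ", 0, NOW - timedelta(days=3)),   # fullwidth copy, new account
    Member("Night 0wl", 0, NOW - timedelta(days=400)),       # digit swap, old account
    Member("Night Owl", 3, NOW - timedelta(days=900)),       # the real mod
    Member("Daylight", 0, NOW - timedelta(days=1)),          # unrelated newcomer
]

for m in MEMBERS:
    print(m.display_name, "->", check_impersonation(m, MODS, NOW))
```

NFKD folding does not map cross-script homoglyphs such as Cyrillic "а", and very short mod names will match ordinary names, so route findings to a mod-review channel.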
5. Malware in attachments
An .exe, .scr or zip disguised as "free cheats", "cracked Photoshop" or "haha look at this photo of you". One download and a token stealer pulls passwords and Discord tokens straight out of the browser. Spot it by file types nobody normally shares and by accounts that post files immediately after joining.
Basic settings every server should have
Before you add a single bot, get these right in your Server Settings:
- Verification level on "High". New accounts then have to be a member for 10 minutes before they can type – just long enough to frustrate most throwaway accounts.
- 2FA required for moderators. One hacked mod account does more damage than a hundred spam accounts. Require two-factor authentication for everyone with kick, ban or delete permissions.
- Minimise role permissions. Nobody outside the team needs @everyone pings, webhook management or "Manage Messages". Go through every role: the fewer permissions by default, the smaller the damage from a hack.
- Manage your invite links. Delete old permanent invites and keep one official link. Stray invites from ex-members are a back door you can't monitor.
Setting up Discord AutoMod – and where it stops
Discord's built-in AutoMod is free and definitely worth using: you set up keyword lists (for example "free nitro" and "steam gift"), block mention spam and can even write regex rules. The big advantage: AutoMod blocks messages before they become visible.
But AutoMod has one blind spot scammers know all too well: text filters only see text. To AutoMod, a screenshot of a fake giveaway contains zero readable words – the message sails straight through. Which rules you can and can't leave to AutoMod is covered in AutoMod vs AI moderation.
Why image scams slip through your filters
Scammers know that virtually every serious server runs text filters. So they put their scam inside an image: a screenshot of a fake tweet, a "winners list" or a QR code. To catch those you need OCR (optical character recognition) – software that reads the text inside the image and then runs it through the same filters.
SlakBot's anti-scam module does exactly that: every uploaded image is scanned for scam patterns, from fake Nitro texts to giveaway screenshots. Together with the AI Moderator – which also judges the context and intent of text – it runs entirely locally, so messages never go to external AI services.
Security checklist
Tick them off – if you've covered these ten points, you're among the best-protected servers:
- ✔️ Verification level on "High" (or "Highest" during a raid)
- ✔️ 2FA required for all moderators
- ✔️ @everyone/@here permissions for the team only
- ✔️ Old and permanent invite links cleaned up
- ✔️ AutoMod rules active for scam keywords and mention spam
- ✔️ Anti-scam filter with OCR for images
- ✔️ A dedicated channel where members can report scams
- ✔️ Members warned that mods never DM first
- ✔️ Webhooks and bot permissions reviewed every quarter
- ✔️ Audit log checked weekly for odd role or channel changes
SlakBot's anti-scam (with OCR for images) and AI Moderator are completely free – set up in a few minutes.
Frequently asked questions
Does anti-scam work in DMs too?
No. Bots only see messages in server channels – DMs between members are private and no bot can access them. So warn your members explicitly: mods never DM first, and any "support DM" with a link is suspicious.
What do I do if a scam has already been posted?
Delete the message immediately and time out or ban the account. Was it a hacked member? Ask them outside Discord to reset their password and enable 2FA before you lift the ban. Then post a short announcement so members who already clicked change their password too.
Does the verification level really help?
Yes – against the bulk. Throwaway accounts and simple spam bots run aground on the 10-minute rule. But hacked existing accounts (often members for months) slip straight through. Think of the verification level as your first layer; filters are your second.