How to avoid scammers on Mastodon and the Fediverse

Like any other social network, you may run into scammers on Mastodon and the wider Fediverse. Here’s how to spot them and what to do if you’re unsure.

Scam: “We need you to verify your account”

Someone posing as a Mastodon server admin gives some made-up reason why they need you to verify your account, perhaps claiming you’ve done something suspicious. They then give you a link to click on, which asks for your credit card details or personal details. Do not click this link or give them any information. It is a scam.

No genuine admin will ever demand you verify your account. There is a verification system on Mastodon but it’s entirely optional and it does not involve clicking on strange links or giving out details.

Scam: “We want to pay you for posts / form a partnership / offer you a reward”

This scam has someone posing as a Mastodon admin offering cash rewards for making popular posts as part of some kind of “partnership”, perhaps telling you they’ve picked you specifically as a popular account. This is fake. Do not reply to or engage with such a post.

No genuine admin will ever do this. There is no reward scheme on Mastodon, and no one is paid for their posts. The scammers just want to steal your bank details.

Scam: “Please change your account’s email address temporarily”

This is a more subtle scam, where someone posing as a Mastodon admin claims there’s been a database error and they need you to temporarily change your account’s email address to one they give. Do not do this! If you change your email to the address they give, they will be able to take over your account by using the “forgot my password” link on the login page.

No genuine admin will ever ask you to do this. There is never any legitimate reason for such a request.

What do I do if I see a scam post?

  1. Do not click the link and do not reply to the scam post
  2. Click on ⋯ on the scam post
  3. Click “Report”
  4. Follow the on-screen instructions for reporting (If you see an option to forward the report, make sure you’ve switched this on as it will greatly speed up the process of deleting the scammer’s account)

What if I’m not sure if it’s a scam?

If you’re ever unsure about a request from an admin, contact your server’s admin directly using their official contact details. By contacting your admin directly, you can check with them if a message is genuine and avoid any fake admins.

Should I be embarrassed if I fell for a scam? Should I make fun of people who fall for scams?

No! Do not be embarrassed if you fall for a scam, and do not make fun of scam victims.

Everyone can fall for scams. Everyone has something in life they’re not familiar with, and everyone has off-days. If you fall for a scam, it just means you’re a human being and you should not feel ashamed. If you feel up to it, tell people what happened and ask for support in stopping the scammers.

It is really, really important not to make fun of people who fall for scams, partly because it’s blaming the victim, but also because the scammers actively rely on victims being made fun of. Scammers WANT their victims to feel too embarrassed to warn others, so that the scammers can carry on trying to get even more victims.

The best way to fight scammers is to be supportive and friendly to victims, and encourage them to report what has happened without feeling ashamed. This solidarity makes life more difficult for the scammers, because their victims will be more likely to report the scams.

What if the scam is coming from an account I trust?

As noted in the “please change your email” scam above, scammers may try to take over trustworthy accounts and use these to spread their scams. This is why, if you’re in any doubt, you should ask your server admin directly instead of responding to suspicious posts.

I am a server admin. How do I stop scammers signing up on my server?

All scammer accounts on Mastodon so far have been on servers with instant sign-ups.

Set your server to only allow sign-ups with approval, so you can screen accounts. This alone seems to put the scammers off signing up on your server. To switch it on:

  1. On your server website go to Preferences
  2. Click Administration
  3. Click Server Settings
  4. Click the Registrations tab at the top
  5. Set “Who can sign up” to “Approval required”
  6. Click “Save Changes”
