Researchers at Malwarebytes are warning about a social engineering scam spreading across Reddit and Discord that can hand your account straight to a stranger, with no malware or malicious links involved. It starts with a simple message: someone claims you falsely reported them, or that they accidentally reported your account by mistake. Either way, there is no report. The claim is just the opening line of a well rehearsed script.
How the scam works
If you deny involvement, the scammer does not argue. They keep the conversation going, then send "proof" in the form of a screenshot made to look like an official Reddit email, complete with a ticket number, a claim that a formal investigation is underway, and a countdown, usually 12 hours, before your account is supposedly suspended or banned. Some versions tell you to message a "Reddit employee" on Discord to sort it out. None of it is real. Reddit does not ask people involved in a report to contact each other, and it does not handle account checks or appeals through direct messages or Discord.
The urgency is the whole point. To "verify" that you were not involved, the scammer says a supervisor needs you to read back a code Reddit is about to send. While you are talking, they trigger a real login or account recovery on your account, so the genuine verification code lands in your inbox exactly when you were told to expect it. Read it back, and they use it to sign in, change your password, and lock you out. In other variants they push you to change the email linked to your account, then demand a gift card to "fix" the problem they created.
How to protect yourself
Never share a login or verification code with anyone, even someone claiming to be platform staff, and never change your account email at a stranger's request. Treat any unexpected verification code as a red flag that someone is trying to get into your account. If a security email arrives out of nowhere, do not click its links; sign in directly through the official site or app instead. Turn on two factor authentication using an authenticator app, which blocks an attacker even if they talk you out of a one time code. This is the same code reading trick that powers business account takeovers, like phishing kits that hijack browser sessions to bypass MFA.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.