Fake-Moderator Phishing: Account-Takeover Scams Impersonating Reddit Staff
Ongoing (2023–2026)
A recurring Reddit-specific scam sees criminals impersonate moderators or the 'admin team' via private messages and chat, sending fake 'verification' or 'suspension appeal' links to phishing pages that harvest credentials and 2FA codes for account takeover — and sometimes payment.
What happened
Among the most common ongoing security harms experienced directly by ordinary Reddit users is a class of social-engineering attack built around impersonating Reddit's own authority figures. In the 'fake moderator' or 'fake admin' scam, criminals send private messages or chat requests posing as a subreddit's moderation team, Reddit's administrators, or an 'official review' or 'verification' service. The messages are engineered to create urgency and fear: the target is told their account has violated a rule, is about to be banned, or must complete a 'verification' or 'suspension appeal' to avoid losing access.
The payload is almost always a link to a counterfeit page designed to look like a legitimate Reddit verification or login screen. When the victim enters their credentials there, the phishing site harvests the username and password and, in more sophisticated variants, prompts for the two-factor authentication code as well, forwarding it to the real login in real time. This works because a time-based one-time code remains valid for its whole time step (30 seconds by default, plus whatever clock-skew allowance the service grants), which is ample time for an automated relay to submit it before it expires. The result is a full account takeover; in some versions of the scam the victim is also pressured into sending a payment to 'resolve' the fabricated violation.
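The relay described above, simulated end to end as an added example (this is illustration code written for this page, not Reddit's code or any real phishing kit). The service, the victim and the counterfeit page are all hypothetical; the TOTP secret and the timestamps are constructed. The point it shows is that the service cannot distinguish the attacker's forwarded code from one the victim typed in directly, as long as the relay happens inside the code's validity window.

```python
"""Relay of a phished TOTP code, simulated end to end (constructed example).

Three hypothetical parties: RealService (password + TOTP login), the victim,
and PhishingRelay, the lookalike 'verification' page that forwards whatever
it captures to the real login. Secrets and timestamps are made up.
"""
import base64
import hashlib
import hmac
import struct

STEP = 30  # TOTP time step in seconds (RFC 6238 default)


def totp(secret_b32: str, at: float, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 for the time step containing `at`."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(at // STEP))
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class RealService:
    """Hypothetical account service. It accepts the current step's code and
    the previous step's code, the usual allowance for clock skew."""

    def __init__(self, users: dict[str, tuple[str, str]]):
        self.users = users            # username -> (password, base32 TOTP secret)
        self.sessions: dict[str, str] = {}

    def login(self, username: str, password: str, code: str, now: float):
        record = self.users.get(username)
        if record is None or not hmac.compare_digest(record[0], password):
            return None
        secret = record[1]
        if code not in {totp(secret, now), totp(secret, now - STEP)}:
            return None
        token = hashlib.sha256(f"{username}:{now}".encode()).hexdigest()[:16]
        self.sessions[token] = username
        return token


class PhishingRelay:
    """The counterfeit 'verification' page. It verifies nothing itself; it
    forwards the captured username, password and code to the real login
    `latency` seconds after the victim submits them and keeps the session."""

    def __init__(self, target: RealService, latency: float):
        self.target = target
        self.latency = latency
        self.stolen_session = None

    def submit(self, username: str, password: str, code: str, now: float) -> bool:
        self.stolen_session = self.target.login(
            username, password, code, now + self.latency)
        return self.stolen_session is not None


def run_scenario(relay_latency: float) -> bool:
    """The victim types their password and the code from their authenticator
    into the fake page at `now`; returns True if the attacker ends up logged in."""
    secret = "JBSWY3DPEHPK3PXP"                      # constructed secret
    service = RealService({"victim": ("correct horse", secret)})
    relay = PhishingRelay(service, relay_latency)
    now = 1_700_000_000.0                            # constructed timestamp
    return relay.submit("victim", "correct horse", totp(secret, now), now)


if __name__ == "__main__":
    print("relay 5 s after capture :", run_scenario(5))    # True
    print("relay 90 s after capture:", run_scenario(90))   # False
```

Run it and the first scenario succeeds: the relayed code is still inside the accepted window, so the service issues the session to the attacker. Only a relay slow enough to miss both the current and the previous time step fails, and a real phishing kit forwards in well under a second. The `totp` function is a straightforward implementation of the RFC and reproduces the RFC 6238 test vectors, so the simulation is not cheating on the crypto; the weakness is entirely in where the victim typed the code.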
Scammers gravitate toward conditions that lower a target's guard. Security guidance notes that they tend to operate in large, busy subreddits, where unsolicited messages attract less scrutiny, and that they often single out new accounts or users who have just posted about sensitive or high-stakes topics: people who are plausibly anxious about moderation and therefore more likely to comply with an official-sounding demand. Impersonating a position of authority over the user's account is the core lever: because moderators and admins genuinely can sanction accounts, a message that convincingly claims that power is unusually effective at producing compliance.
This attack class is significant because it is the form of account compromise most users will actually encounter. Reddit's large breaches involved attackers phishing employees or exploiting platform-level flaws; the fake-moderator scam, by contrast, attacks the user directly and defeats both passwords and 2FA the same way the corporate phishing attacks did — at the human layer, by convincing a person to type their secrets into an attacker-controlled page rather than by breaking any technology. It mirrors, at consumer scale, the exact technique that succeeded against Reddit staff in 2023.
The recommended defenses are correspondingly behavioral and configurational rather than purely technical: users are advised to treat unsolicited 'official' messages with suspicion, to navigate to Reddit directly rather than through links in messages, to disable chat requests from unknown accounts, and to enable two-factor authentication — while understanding that 2FA alone does not stop a real-time phishing relay that captures the code as it is entered. The persistence of the scam underscores that, for the typical user, the dominant account-security threat on Reddit is not a database breach but a convincing message exploiting the platform's own moderation authority against them.
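The "navigate to Reddit directly rather than through links" advice comes down to one question: does the link's hostname actually belong to Reddit? The following is an added example (written for this page, not Reddit's code) of answering that question the way a lookalike page tries to prevent. It assumes reddit.com and the short-link domain redd.it are the trusted domains (an assumption, and not an exhaustive list), and it deliberately rejects the tricks counterfeit pages use: a Reddit domain placed in a subdomain or in the userinfo part of the URL, plain http, and internationalised hostnames whose characters render like the real one. The sample message is constructed.

```python
"""Link check for 'official' Reddit messages (constructed example, not Reddit's code)."""
import re
from urllib.parse import urlsplit

TRUSTED_DOMAINS = ("reddit.com", "redd.it")   # assumption: not an exhaustive list

# Loose matcher for URLs embedded in message text (constructed, not Reddit's parser)
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def is_trusted_link(url: str) -> bool:
    """True only for https links whose hostname is a trusted domain or a
    subdomain of one. Anything that cannot be parsed is treated as untrusted."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname   # lowercased; userinfo and port already stripped
    except ValueError:
        return False
    if parts.scheme.lower() != "https" or not host:
        return False
    try:
        ascii_host = host.encode("idna").decode("ascii")   # punycode form
    except UnicodeError:
        return False
    # A label starting with xn-- means non-ASCII characters were used. The
    # real domains are plain ASCII, so any such host is a lookalike.
    if any(label.startswith("xn--") for label in ascii_host.split(".")):
        return False
    return any(ascii_host == d or ascii_host.endswith("." + d)
               for d in TRUSTED_DOMAINS)


def triage_message(text: str) -> list[tuple[str, bool]]:
    """Extract every link in a message and label it trusted or untrusted."""
    return [(m.group(0), is_trusted_link(m.group(0)))
            for m in URL_RE.finditer(text)]


# Constructed sample in the style described above; the domains are made up.
SAMPLE_MESSAGE = (
    "Your account has violated rule 3 and will be suspended in 24 hours. "
    "Complete verification at https://reddit.com.account-review.example/verify "
    "or appeal at https://www.reddit.com@appeals.example/ . "
    "Account settings: https://www.reddit.com/settings"
)

if __name__ == "__main__":
    for url, ok in triage_message(SAMPLE_MESSAGE):
        print("TRUSTED  " if ok else "UNTRUSTED", url)
```

The two phishing-style links in the sample both contain the string "reddit.com" and would pass a naive substring check; parsing the hostname and comparing it against the registrable domain is what separates them from the genuine settings link. Note that the check says nothing about the page's content: a trusted hostname means the link leads to Reddit, not that the message came from Reddit, which is why the page's advice is to treat the message itself with suspicion and type the address by hand.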