Reddit "verify your account" DM from the moderation team is a phishing scam
A DM that claims to be from Reddit mods or admins, sometimes with a screenshot of your own post, telling you to "verify" your account at a link, is a credential-phishing attack. Reddit moderators do not send messages that direct you to a login page. Here is how the scam works and how to stay safe in 2026.
Is a Reddit DM telling me to verify my account real?
Verdict: no. An unsolicited Reddit DM telling you to "verify" your account through a link is phishing. Reddit moderators and admins do not direct-message you to a login or "verification" page. The message is built to scare you, often by attaching a screenshot of your own post and threatening a ban, so you click a link to a fake Reddit login that captures your username and password. Do not click the link. Never enter your Reddit password on any page you reached from a DM. Log in only by typing reddit.com yourself or opening your saved bookmark, and turn on two-factor authentication.
Why this is spreading now
Security researchers and Reddit's own r/Scams community have flagged a surge in "fake moderator" direct messages through mid-2026. F-Secure describes it plainly: criminals impersonate moderators to "intimidate victims into completing verification steps" and send them to fake pages, and the message often includes screenshots of the victim's own posts to seem credible (F-Secure, "Reddit scams: what you need to know"). The hook is fear of losing an account people have built up over years, and the payoff for the attacker is a working Reddit login they can take over, repost spam from, or sell.
What the scam looks like
It almost always starts in your Reddit inbox, as a private direct message or chat, not as a comment or a modmail thread. The sender name is dressed up to look official: something like "Reddit Moderation Team", "r/[yoursubreddit] Mod", or a username with "admin", "support", or "review" in it. Some copy the orange Reddit branding into their avatar to fake a verification look.
The message itself follows a script. It tells you your account, or a specific post, is "under review", has been "reported", or "violates policy", and that you will be banned or permanently suspended unless you "verify" or "appeal" within a short deadline. To make it land, the scammer often pastes a screenshot of your actual post, the one they are pretending is in trouble. Seeing your own content quoted back at you is what flips a generic message into something that feels personal and urgent.
Then comes the link. It points to a page that looks like Reddit's login or a special "verification" form, but the address is not reddit.com. It is a lookalike. Whatever username and password you type there goes straight to the attacker. If the page also asks for your two-factor code, the attacker may try to use it in real time to get past that too, then change your password and lock you out.
The fake addresses to watch for
Reddit's real login lives in one place only: reddit.com. Its official emails come from reddit.com and redditmail.com addresses, and links in those genuine emails point back to reddit.com (Reddit Help, "How do I know if a message from Reddit is official?"). Anything else asking for your Reddit password is a fake. These are illustrative lookalike patterns, not live sites, to show the shape the scam reuses.
- reddit-verify[.]com (Reddit does not run account verification on a separate "verify" domain)
- reddit-team-appeal[.]net (a "mod team appeal" host is not Reddit; appeals happen on reddit.com)
- reddit-support-login[.]help (Reddit's login is on reddit.com, never a "support-login" domain)
- account-reddit[.]review (brand name shuffled onto a cheap TLD is a classic phishing tell)
The trick that catches people is that the page behind these addresses can be a pixel-perfect copy of the real Reddit login. The clone is convincing. The address bar is the part the attacker cannot fake. So the only reliable check is the registered domain, not how the page looks.
How real Reddit moderation actually works
Knowing the genuine process is the fastest way to spot the fake. A few facts that the scam relies on you not knowing.
Moderators do not private-message you. Subreddit moderators act through public removals, mod comments, and modmail, the official channel that is visible to the whole mod team. A one-on-one DM that is not in modmail is not an official mod action. If a "mod" reaches out in your private inbox, treat it as suspect by default.
Reddit does not verify accounts through a link. There is no "verify your account or be banned" flow that sends you to an external login page. Reddit's genuine messages do not ask you to re-enter your password on a separate site, and legitimate verification links do not require you to type your password (Reddit Help). Any message that does is the scam.
Real bans and warnings appear inside Reddit. Account actions show up on reddit.com itself and, for genuine admin notices, may also come by email from a reddit.com or redditmail.com address that links back to reddit.com. They do not arrive only as a DM with a countdown and a strange link.
How SafeBrowz catches the fake login page
The DM is the bait, but the damage happens on the page. That is the layer a detection engine can break. Here is what SafeBrowz does with the lookalike address when you open or paste it, using its 3-layer detection (Local + APIs + AI).
- Layer 1, local detection, runs inside the browser with 60+ URL pattern signatures and 550+ brand signatures. It resolves the final landing host and checks whether a known brand, in this case Reddit, is appearing on a domain that is not Reddit's official one. A page that puts "reddit" in the host or imitates Reddit's login while sitting on something like a "-verify" or "-appeal" domain is flagged without any content analysis, before the login form even finishes rendering. The clone does not have to fool anything. The mismatch between the Reddit brand and a non-Reddit domain is enough.
- Layer 2, reputation and API checks, aggregates threat intelligence including Google Safe Browsing, PhishTank, URLhaus, ScamAdviser, and scam-TLD signals, so a lookalike that has already been reported by someone else is caught on reputation alone.
- Layer 3, AI content analysis via our proxy (Premium), reads the live page in 100+ languages and recognizes a login-form-and-credential-capture layout impersonating a brand. This is what flags a brand-new clone that no blocklist has seen yet, the moment it loads.
Honest scope: SafeBrowz flags the fake Reddit login page before you type into it, which is the right place to stop this. It cannot pull back a password you have already submitted, which is why the human habit, never logging in from a DM link, plus two-factor authentication, sits alongside the engine. The free browser extension does this on desktop, and the SafeBrowz Android app on Google Play applies the same engine to links you open on your phone, where most of these DMs are read.
Detection signatures come from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history.
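The domain check described under "The fake addresses to watch for" and in Layer 1 above can be sketched as follows. This is an added example, not SafeBrowz's code: the function name and verdict strings are assumptions, and a plain suffix match on reddit.com stands in for a full registered-domain lookup against the Public Suffix List.

```javascript
// Added example: decide from the host alone whether a link that carries the
// Reddit name really belongs to reddit.com. Names and verdict strings are
// illustrative assumptions, not taken from any real product.
const OFFICIAL_DOMAIN = "reddit.com"; // the only login domain, per the article
const BRAND = "reddit";

function classifyRedditLink(rawUrl) {
  // Undo the defanged "[.]" notation and add a scheme if the sender left it out.
  let text = String(rawUrl).trim().replace(/\[\.\]/g, ".");
  if (!/^[a-z][a-z0-9+.-]*:\/\//i.test(text)) text = "https://" + text;

  let host;
  try {
    // URL() lowercases the host; path, query and fragment play no part below.
    host = new URL(text).hostname.replace(/\.$/, "");
  } catch {
    return { host: null, verdict: "invalid" };
  }

  // Official only if the host IS reddit.com or ends in ".reddit.com".
  // Matching the suffix (with its leading dot) is what rejects a host that
  // merely starts with or contains "reddit.com".
  if (host === OFFICIAL_DOMAIN || host.endsWith("." + OFFICIAL_DOMAIN)) {
    return { host, verdict: "official" };
  }
  // Brand name anywhere in a non-official host: the lookalike pattern.
  if (host.includes(BRAND)) {
    return { host, verdict: "lookalike" };
  }
  return { host, verdict: "not-reddit" };
}

// Constructed samples: the article's illustrative patterns, a genuine host,
// and a made-up ".example" host with "reddit.com" buried inside it.
const SAMPLES = [
  "https://www.reddit.com/login",
  "reddit-verify[.]com",
  "reddit-team-appeal[.]net/appeal",
  "reddit-support-login[.]help",
  "account-reddit[.]review",
  "https://reddit.com.account-check.example/login",
];
for (const link of SAMPLES) {
  console.log(classifyRedditLink(link).verdict.padEnd(10), link);
}
```

Only the first sample is classified as official; every other host contains the brand name but does not end in reddit.com, which is the mismatch the address bar reveals.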
Red flags: when a Reddit "mod" message is a scam
- It arrived as a private DM or chat, not as a modmail thread or a public mod comment. Real mod action is not a one-on-one inbox message.
- It threatens a ban or suspension with a deadline. Manufactured urgency, "verify within 24 hours or lose your account", is the core pressure tactic.
- It includes a screenshot of your own post. Attackers add this to feel personal and official. It proves nothing; your posts are public.
- It sends you to a link to "verify", "appeal", or "confirm" your account. Reddit does not move account verification to an external page.
- The link is not exactly reddit.com. Extra words, hyphens, an odd ending like .help or .review, or "reddit" buried inside a longer host are all tells.
- The page asks for your password, and maybe your two-factor code. A genuine Reddit verification link does not ask you to retype your password on a separate site.
Any one of these is reason to stop. Two or more, and you should assume the message is hostile and delete it.
What to do right now
- Do not click the link, and do not reply. Replying tells the scammer the account is active and worth a second attempt.
- Check it on Reddit itself. Open a new tab, type reddit.com, and look at your account. Real warnings and bans appear there. If there are no official notices there, the DM was fake.
- Log in only by typing reddit.com yourself. Never enter your Reddit password on a page you reached from a DM. Type the address or use a saved bookmark, and read the domain in the address bar before you type anything.
- Turn on two-factor authentication. Under account settings, enable 2FA, ideally with an authenticator app. If a password ever leaks, this stops a takeover.
- Report and block the sender. Use Reddit's report option on the message, then block the account. You can also restrict who can DM or chat you in your chat and messaging settings.
- If you already entered your password, change it on reddit.com immediately, sign out of all sessions, enable 2FA, and check your account for posts or messages you did not make.
Updated June 30, 2026.
Block the fake Reddit login before you type
SafeBrowz is a free browser extension for Chrome, Firefox and Edge (Safari coming soon) plus a live Android app that follows a "verify your account" link to where it lands and flags a fake Reddit login before you enter anything. It recognizes 550+ brands and automatically flags a page that tries to impersonate one of them, with AI content analysis in 100+ languages for brand-new clones. Free forever, no account needed.
Bottom line: a Reddit DM from the "moderation team" telling you to verify your account at a link is phishing, because real mods do not send messages that direct you to a login page. Do not click, log in only by typing reddit.com yourself, turn on two-factor authentication, and put SafeBrowz on your browser so the fake Reddit login page gets flagged before you ever type your password.
Frequently asked questions
Do Reddit moderators DM you?
No. Subreddit moderators act through public removals, mod comments, and modmail, which is visible to the whole mod team. A one-on-one private DM or chat claiming to be from a mod is not an official moderation action. If a "moderator" messages your private inbox telling you to verify or appeal at a link, treat it as a phishing attempt.
Is the Reddit "verify your account or be banned" message real?
No. Reddit does not verify accounts through an external link, and it does not threaten a ban unless you "verify" within a deadline. That message is a credential-phishing scam designed to scare you into entering your Reddit password on a fake login page. Real account warnings appear on reddit.com itself.
Why did the scammer include a screenshot of my post?
To make the message feel personal and official. Your posts are public, so anyone can screenshot them. Seeing your own content quoted back is meant to convince you the "mod" really is reviewing your account. It proves nothing about who sent the message.
What domain is the real Reddit login on?
Only reddit.com. Reddit's official emails come from reddit.com and redditmail.com addresses and link back to reddit.com. Any login or "verification" page on a different domain, such as a "reddit-verify" or "reddit-appeal" host, is fake, no matter how closely it copies the look of the real login.
I entered my Reddit password on the fake page. What now?
Go to reddit.com directly and change your password immediately, then sign out of all other sessions. Turn on two-factor authentication. Check your profile for posts, comments, or messages you did not make, and review any connected apps. If the same password is used elsewhere, change it there too.
How does SafeBrowz stop this scam?
SafeBrowz runs a 3-layer engine (Local + APIs + AI) in your browser. It resolves where the link actually lands and flags a page that impersonates Reddit on a non-Reddit domain before the login form loads, cross-checks reputation APIs like Google Safe Browsing and PhishTank, and uses AI content analysis to catch a brand-new clone. It flags the fake page before you type, though it cannot recover a password you already submitted, so pair it with never logging in from a DM link and turning on 2FA.