Mastodawn

⚠️ Scam alert: if anyone ever asks you to "temporarily change" the email address on your Mastodon account, DO NOT DO THIS.

There is currently a scammer posing as a server admin telling people to temporarily change their Mastodon account's email to an address supplied by the scammer. This is a scam, don't do it.

Real admins will NEVER ask you to do this.

You can see examples of this scam in the thread at https://ohai.social/@redsad/115708030185038699

(Thanks @markwyner for the warning about this! 🙏 )

captain acab :antifa: (@[email protected])

Attached: 1 image is this for real? someone said they accidentally reported my account and said to contact this person now they say they want me to change my email address edit: confirmed scammer. do not respond to a text like this

ohai.social

Fedi.Tips Dec 13

p.s. To add a bit of context, the scammer may message you to claim they reported you by accident. They then try to convince you to get in touch with a different account that pretends to be an admin who can "fix" the situation. All of the things they tell you are lies.

The scammer is actually running both accounts and just wants to take over your account by tricking you into changing your email address to their email address. They would then use your account to post other scams.

@FediTips I've seen a similar scam go around on discord. I'd imagine it'd be easy to fall for this sort of thing if you aren't tech inclined or don't know about this stuff. I hope all of these jerks get exactly what's coming to them and like someone else said in this thread, let's not shame people if they do end up falling for scams.

Fedi.Tips Dec 13

Yeah, never a good idea to shame anyone as:
1) They are victims, it's just wrong to shame victims
2) All of us are vulnerable, we should all be keeping our guard up
3) Shaming discourages victims from warning others, so the shaming is just helping the scammers

Gareth 🏴󠁧󠁢󠁷󠁬󠁳󠁿Dec 13

@FediTips @Kaliah
Here’s a good post from @pluralistic himself about how even if this sort of thing is your world, it still only takes a moment of distraction.

So yeah. It can happen to anyone. Blaming the victim doesn’t help, however “obvious” it seems to someone else with distance and hindsight.

https://pluralistic.net/2024/02/05/cyber-dunning-kruger/#swiss-cheese-security

Pluralistic: How I got scammed (05 Feb 2024) – Pluralistic: Daily links from Cory Doctorow

thermonuclear small claims Dec 14

@FediTips @Kaliah
They're doing this as a full-time job and putting their whole attention on it. As @pluralistic says, the scammer only has to be lucky once. You have to be lucky always.

@Kaliah @FediTips "I've accidentally reported you" is one of the standard scams these days. It's going round on Tumblr. It's going round on Archive of Our Own. It's basically going round any service where you MIGHT be able to report people, because "your account is at risk for nebulous reasons" is a strong motivator that fools the unaware.

Billy O'Neal Dec 12

@FediTips @markwyner "Just temporarily set your passcode to 1 1 1 1 to reenact Meet the Spy..."

Мя ��Dec 12

@FediTips
> Real admins will NEVER ask you to do this.

yeah, *real* admins can change your email directly, without asking you :DDD
(usually we don't)

DJ Bambi (Eoin)Dec 12

@FediTips @markwyner Thanks for letting me know!

Phillip Upton Dec 12

@FediTips @markwyner

Can non-admins even see the email?

The reason ask is because I use unique emails for different things… and I expect only the admin could see the email I used for mastodon.

Mark Wyner Won’t Comply

Admins/mods can indeed see account email addresses. And IPs. We use those tools to help keep things safe. I believe this is true for most every system where you have an account.

It’s possible there’s a setting that restricts email addresses to only admins, with no mod access. But I’m not sure about that. I just assume all mods have access. But mods are sort of admins in many ways.

kaffando Dec 12

@FediTips @markwyner

I'd like to think that @Mastodon users are more intelligent than to fall for that.... 😂

Mark Wyner Won’t Comply

Well…you’d be surprised how many people get confused about this kind of thing. It’s easy to assume our knowledge/experience is universal, but it’s not. There are a lot of non-tech-savvy folks on Mastodon.

@FediTips @Mastodon

Kazinator Dec 12

@markwyner @kaffando @FediTips @Mastodon

But, but, ... thanks to this e-mail switch campaign, there are now fewer non-tech-savvy accounts on Mastodon.

kaffando Dec 13

@Kazinator @markwyner @FediTips @Mastodon

You don't have to be tech-savvy. Just having a brain is enough 🤩

Natanox 🇺🇦🇵🇸Dec 13

@kaffando @Kazinator @markwyner @FediTips @Mastodon Don't say that, scams win eventually simply by being so prevalent. Just browse r/Scams for a while and you'll see posts from IT experts who, contritely, describe how they fucked up and got hacked by a scammer.

Even worse is what happens through a compromised account. If someone would manage to get into my account an LLM trained on my public posts might extort money from many friendly people faster than I could reach our two admins.

❄️SnowyIn🇨🇦❄️Dec 13

@kaffando @FediTips @markwyner @Mastodon

I doubt it is a lack of intelligence that is the reason why people fall for scams; some people have a very trusting nature, or are tired/ill or distracted, stressed out and for a moment let their guard down.

I sincerely hope you are never caught off guard like so many intelligent folk.

Re last: If anyone asks you to do that regarding your alovertheplace.ca account, talk to me. I will nuke them and their instance from orbit.

@quanin
> I will nuke them and their instance from orbit

It's the only way to be sure ; )

the bear's den Administration Dec 13

Re last: If anyone asks you to do that regarding your account here on the bear's den, let us know, and we'll take appropriate and swift action.

VulcanTourist Dec 13

@FediTips @markwyner

Something very similar was attempted with me through Steam. That was two or three years ago. I think the perpetrator got what was coming to him, because I reported the incident to all three mediums/platforms he tried to exploit to do it.

thermonuclear small claims Dec 13

@FediTips @markwyner Also, don't feel bad if you fall victim to a scam. There's no shame in it. We're all vulnerable to one type of scam or another, and the biggest protection is accepting that and staying vigilant.

Mark Wyner Won’t Comply

@fullfathomfive

Absolutely. I do see some shaming and disbelief that folks are susceptible. That bothers me. It happens. Thank you for offering this reassurance to people.

@markwyner @fullfathomfive @FediTips I look at the experiences of people like @pluralistic and Troy Hunt as a reminder that any of us can have a bad day and let our guard down. None of us is invincible, and being scammed doesn't mean we're too stupid for Mastodon.
https://pluralistic.net/2025/04/05/troy-hunt/

Pluralistic: How the world’s leading breach expert got phished (05 Apr 2025) – Pluralistic: Daily links from Cory Doctorow

Mark Wyner Won’t Comply

I love reading kind words from kind people more than I can express. Kindness and empathy are salve for the soul.

@fullfathomfive @FediTips @pluralistic

Professor_Stevens Dec 13

@FediTips @markwyner

That is such an obviously bad idea that I wouldn't do it regardless of whether the person asking was a real admin or not.

Frank Heijkamp Dec 13

@FediTips
It is the kind of scam where someone asks you to empty your bank account into theirs in order to keep your money safe. It seems like people still fall for that.
@markwyner

Un Bourguignon Dec 13

@FediTips
👆🏼

Ping @admin .

Une comm en ce sens dans la langue de Molière pourrait être une bonne chose, non ?
@markwyner

Célian Godefroid Dec 13

@un_bourguignon @FediTips @admin @markwyner Bonjour, on fait très régulièrement ce genre de rappels, à chaque fois qu'on voit une vague sur Piaille.

@FediTips @markwyner i guess that at least means the fediverse is now big enough to attract the scammers?

@FediTips @markwyner
Not just for Mastodon, any service that uses email for resetting your password will have people trying this scam.

Don't fall for it anywhere.

And yes, a real admin will be able to change your email and password, etc on their own, so any time someone claiming to be an admin asks you to do that, it's a red flag.