Everyone's probably gotten a message like this at some point:

If your instinct is to ignore it because it's going to be a scam, you're right! Don't message the guy. Easy enough. Scam avoided.
However, that's not enough proof that it's a scam. I decided that, knowing exactly what I would need to give up in order to get hacked, I would go through the process in order to learn more about this scam.
I added the guy on Discord, and he sent me an invite to this "1.9+ PvP Community". It's a scam server, where the only point is to have you go through this "verification bot", which is designed to scam you.
Before showing the scam verification, let's talk about what a legitimate verification process looks like. A legitimate service, like InvadedLands, wants to tie your Discord account to a Minecraft account controlled by the same person. All they need in order to do that is your Minecraft username and for you to do something in Minecraft on their server to prove your control. In Invaded's case, that's /register, or something like that. They do not need your email address.
Instead of that, the "verification bot" on the scam server will ask you for your Minecraft username and the email address tied to it:

This is unnecessary for a legitimate Minecraft account verification process. However, you can't get hacked JUST by giving them your email, so I entered it. What they do is they will try to log into the Microsoft account tied to that email (they don't care about your username). This will send a one-time passcode to your email or a request to your Microsoft Authenticator, both of which you control.
Do not, I repeat, DO NOT, click on the requested number in Microsoft Authenticator or send them the one-time passcode sent to your email. This will let them hack your account. Simply ignore the request and let it time out.
In my case, they messed it up. I got a one-time passcode in my email, but the bot asked me to click "48" in Authenticator. (In other words, they mixed up the scamming methods they were trying to use). No Authenticator request was sent to my phone. Obviously, I didn't give them the one-time passcode because that would've allowed them to hack my account.
If you ever get an Authenticator request you didn't expect, especially if the location it says doesn't describe your computer, do not click it; let it die.
Legitimate services that seek to verify the existence of your email address (which nothing like this should need to do) will send you their own email, not something from Microsoft.
After I didn't fall for the scam, the scammer kicked me from the server, deleted the invite from our DMs (so I couldn't report it), and blocked me. I reported the guy nonetheless for "Scamming or Defrauding" to Discord. Discord most likely does have logs of deleted messages.
It's not clear what exactly Invaded can do about this. IRL scamming is allowed, and this could be considered a form of that. However, it could qualify for an "Illegal Affairs" blacklist depending on how exactly they justify that, or they could use the undefined word "hacking" in the rules in its plain-English sense of actual cyber-attacking. However, if you can prove that they're attempting a scam (just the dialog prompting for an email proves that it's a scam, no need to enter anything), you should send that information in to a staff member.
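Added example (not part of the original post, and not InvadedLands' actual code): a sketch of the legitimate kind of verification described above, where a Discord account is tied to a Minecraft username by having the player submit a one-time code in-game. The class name, method names, and the 5-minute expiry are assumptions; the point is that no email address or Microsoft code appears anywhere in the flow.

```python
import secrets
import time

CODE_TTL_SECONDS = 300  # assumed lifetime for a pending link code


class LinkVerifier:
    """Ties a Discord ID to a Minecraft username via an in-game challenge.

    Hypothetical design: the only inputs are the Discord ID, the code the
    bot hands out, and the username the game server reports for the player
    who typed the code. No email address or Microsoft code is ever requested.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # code -> (discord_id, expires_at)
        self.links = {}      # discord_id -> minecraft_username

    def start(self, discord_id):
        """Discord side: issue a fresh one-time code to show the user."""
        # Drop any older pending code for this Discord ID.
        self._pending = {c: v for c, v in self._pending.items()
                         if v[0] != discord_id}
        code = secrets.token_hex(4)
        self._pending[code] = (discord_id, self._clock() + CODE_TTL_SECONDS)
        return code

    def confirm(self, minecraft_username, code):
        """Game-server side: called when a logged-in player submits a code.

        minecraft_username must come from the server's own session for that
        player, never from text the user typed into Discord.
        """
        entry = self._pending.pop(code, None)   # single use, even on failure
        if entry is None:
            return None
        discord_id, expires_at = entry
        if self._clock() > expires_at:
            return None
        self.links[discord_id] = minecraft_username
        return discord_id
```

The proof of control comes from the player being logged in to the game server when the code is submitted, which is why a bot asking for an email or a Microsoft passcode has no role in it.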
