โ ๏ธ Scam alert: if anyone ever asks you to "temporarily change" the email address on your Mastodon account, DO NOT DO THIS.
There is currently a scammer posing as a server admin telling people to temporarily change their Mastodon account's email to an address supplied by the scammer. This is a scam, don't do it.
Real admins will NEVER ask you to do this.
You can see examples of this scam in the thread at ohai.social/@redsad/1157080301โฆ
(Thanks @markwyner for the warning about this! ๐ )
captain acab :antifa: (@redsad@ohai.social)
Attached: 1 image is this for real? someone said they accidentally reported my account and said to contact this person now they say they want me to change my email address edit: confirmed scammer. do not respond to a text like thisohai.social
Questa voce รจ stata modificata (1 giorno fa)
Poliverso - notizie dal Fediverso โ likes this.
reshared this
Billy O'Neal
in reply to Fedi.Tips ๐ • • •ะั ๏ฟฝ๏ฟฝ
in reply to Fedi.Tips ๐ • • •> Real admins will NEVER ask you to do this.
yeah, *real* admins can change your email directly, without asking you :DDD
(usually we don't)
@markwyner
โ
in reply to ะั ๏ฟฝ๏ฟฝ • • •Hi Mark, so is that true, that real admins and mods can already make a change like that on their own?
@mo @FediTips
Mark Wyner Wonโt Comply
in reply to โ • • •@fembot
Wellโฆsort of. For example, Iโm a moderator, but not an admin. I can see the email address of an account on our server, but I canโt edit it. However, a moderator who is also an admin could.
We also canโt see emails for accounts on other servers, even as an admin.
@mo @FediTips
Natasha Nox ๐บ๐ฆ๐ต๐ธ
in reply to Mark Wyner Wonโt Comply • • •Offtopic:
That's something people should be more aware in general. Any service that isn't (properly!) End-to-End Encrypted or can't be, like Social Media or Cloud services (if you want all the fancy Office, Gallery etc. features to work), can't prevent server admins from doing whatnot with any user account.
I'm admin of my families' cloud server. If I wanted to I could disable 2FA, change email, password and keys of any user account and take full control.
โ
in reply to Natasha Nox ๐บ๐ฆ๐ต๐ธ • • •Thank you both, that's helpful to know.
Mark Wyner Wonโt Comply
in reply to Natasha Nox ๐บ๐ฆ๐ต๐ธ • • •@Natanox
Yep. If youโre not self hosting ANYTHING you arenโt engaged in a contract of trust.
@fembot @mo @FediTips
Noortje Van Leeuwen
in reply to Fedi.Tips ๐ • • •cleverle
in reply to Fedi.Tips ๐ • • •DJ Bambi (Eoin)
in reply to Fedi.Tips ๐ • • •Mike. ๐ฉผ๐จ๐ฆ
in reply to Fedi.Tips ๐ • • •Mark Wyner Wonโt Comply
in reply to Mike. ๐ฉผ๐จ๐ฆ • • •@MikeImBack
Spam is complicated. Once a person with nefarious intentions has access to a single account from someone, they can use info from that to take myriad other actions.
For example, they can use it to gain access to other accounts that person owns. They can also use the hacked account to impersonate the person, phishing with people the victim knows.
@FediTips
James
in reply to Mark Wyner Wonโt Comply • • •Mike. ๐ฉผ๐จ๐ฆ
in reply to Mark Wyner Wonโt Comply • • •Phillip Upton
in reply to Fedi.Tips ๐ • • •Can non-admins even see the email?
The reason ask is because I use unique emails for different thingsโฆ and I expect only the admin could see the email I used for mastodon.
Mark Wyner Wonโt Comply
in reply to Phillip Upton • • •Admins/mods can indeed see account email addresses. And IPs. We use those tools to help keep things safe. I believe this is true for most every system where you have an account.
Itโs possible thereโs a setting that restricts email addresses to only admins, with no mod access. But Iโm not sure about that. I just assume all mods have access. But mods are sort of admins in many ways.
@FediTips
kaffando
in reply to Fedi.Tips ๐ • • •Mark Wyner Wonโt Comply
in reply to kaffando • • •@kaffando
Wellโฆyouโd be surprised how many people get confused about this kind of thing. Itโs easy to assume our knowledge/experience is universal, but itโs not. There are a lot of non-tech-savvy folks on Mastodon.
@FediTips @Mastodon
Kazinator
in reply to Mark Wyner Wonโt Comply • • •@kaffando @Mastodon
But, but, ... thanks to this e-mail switch campaign, there are now fewer non-tech-savvy accounts on Mastodon.
kaffando
in reply to Kazinator • • •@Kazinator @Mastodon
You don't have to be tech-savvy. Just having a brain is enough ๐คฉ
Natasha Nox ๐บ๐ฆ๐ต๐ธ
in reply to kaffando • • •@kaffando @Kazinator @Mastodon Don't say that, scams win eventually simply by being so prevalent. Just browse r/Scams for a while and you'll see posts from IT experts who, contritely, describe how they fucked up and got hacked by a scammer.
Even worse is what happens through a compromised account. If someone would manage to get into my account an LLM trained on my public posts might extort money from many friendly people faster than I could reach our two admins.
โ๏ธSnowyIn๐จ๐ฆโ๏ธ
in reply to kaffando • • •@kaffando @Mastodon
I doubt it is a lack of intelligence that is the reason why people fall for scams; some people have a very trusting nature, or are tired/ill or distracted, stressed out and for a moment let their guard down.
I sincerely hope you are never caught off guard like so many intelligent folk.
James H
in reply to Fedi.Tips ๐ • • •VulcanTourist
in reply to Fedi.Tips ๐ • • •thermonuclear small claims
in reply to Fedi.Tips ๐ • • •Natasha Nox ๐บ๐ฆ๐ต๐ธ reshared this.
Mark Wyner Wonโt Comply
in reply to thermonuclear small claims • • •@fullfathomfive
Absolutely. I do see some shaming and disbelief that folks are susceptible. That bothers me. It happens. Thank you for offering this reassurance to people.
@FediTips
Claudine C
in reply to Mark Wyner Wonโt Comply • • •pluralistic.net/2025/04/05/troโฆ
Pluralistic: How the worldโs leading breach expert got phished (05 Apr 2025) โ Pluralistic: Daily links from Cory Doctorow
pluralistic.netreshared this
Mark Wyner Won’t Comply, Cory Doctorow, Arjunji e FKA ZOG reshared this.
Mark Wyner Wonโt Comply
in reply to Claudine C • • •@claudinec
I love reading kind words from kind people more than I can express. Kindness and empathy are salve for the soul.
@fullfathomfive @FediTips @pluralistic
Fedi.Tips ๐
in reply to Fedi.Tips ๐ • • •p.s. To add a bit of context, the scammer may message you to claim they reported you by accident. They then try to convince you to get in touch with a different account that pretends to be an admin who can "fix" the situation. All of the things they tell you are lies.
The scammer is actually running both accounts and just wants to take over your account by tricking you into changing your email address to their email address. They would then use your account to post other scams.
reshared this
RFanciola, Aral Balkan e Jones reshared this.
Kaliah
in reply to Fedi.Tips ๐ • • •Fedi.Tips ๐
in reply to Kaliah • • •1) They are victims, it's just wrong to shame victims
2) All of us are vulnerable, we should all be keeping our guard up
3) Shaming discourages victims from warning others, so the shaming is just helping the scammers
Gareth ๐ด๓ ง๓ ข๓ ท๓ ฌ๓ ณ๓ ฟ
in reply to Fedi.Tips ๐ • • •@Kaliah
Hereโs a good post from @pluralistic himself about how even if this sort of thing is your world, it still only takes a moment of distraction.
So yeah. It can happen to anyone. Blaming the victim doesnโt help, however โobviousโ it seems to someone else with distance and hindsight.
pluralistic.net/2024/02/05/cybโฆ
Pluralistic: How I got scammed (05 Feb 2024) โ Pluralistic: Daily links from Cory Doctorow
pluralistic.netProfessor_Stevens
in reply to Fedi.Tips ๐ • • •Frank Heijkamp
in reply to Fedi.Tips ๐ • • •@markwyner
Un Bourguignon
in reply to Fedi.Tips ๐ • • •๐๐ผ
Ping @admin .
Une comm en ce sens dans la langue de Moliรจre pourrait รชtre une bonne chose, non ?
@markwyner