The Musings of Jaime David
@jaimedavid.blog@jaimedavid.blog

The writings of some random dude on the internet



     Scammers on Mastodon: Stop Falling for the Fake Verification Trap

    The beauty of Mastodon is its decentralized nature. It’s a network built on trust, community, and people’s desire to connect without the constant noise and exploitation of big social media platforms. But unfortunately, where there’s an online community, there will always be someone looking to exploit it. Over the past few months, I’ve seen a troubling rise in scam attempts on Mastodon—specifically, accounts pretending to be “Mastodon staff” or “verification teams,” tagging users publicly and telling them to click a link to “verify” their account. Let me be blunt: this is a scam. Every time.

    These scammers have a very simple playbook. They’ll create an account that looks vaguely official—often with a username that includes “support,” “help,” or “mastodon.” Then they make a post tagging unsuspecting users, claiming something along the lines of “You need to verify your account to avoid suspension” or “Click this link to keep your account active.” The tone is designed to create panic and urgency. But if you stop for even one second, the scam falls apart. Mastodon will never, and I mean never, tag you in a random public post to tell you to click a sketchy link.

    Here’s the thing about real account issues: they are private matters. If something is wrong with your Mastodon account—maybe there’s a problem with your login, or your instance is having a technical hiccup—you will be contacted through legitimate channels. That usually means email, sent directly to the address associated with your account. Sometimes, depending on the instance you’re on, an official support account may reach out to you directly via private message. But what they will not do is blast your handle in a public post, telling you to click on some random site you’ve never heard of. That would be both unprofessional and insecure, the exact opposite of how Mastodon and its admins operate.

    Another important point: verification on Mastodon doesn’t even work like it does on corporate social media platforms. There’s no “blue check” you pay for or some kind of centralized authority deciding who’s real. Instead, Mastodon’s verification is domain-based. If you want that green verified link on your profile, all you need to do is host a website or page where you can insert a snippet of HTML linking back to your Mastodon account. That’s it. It’s user-controlled, transparent, and not subject to arbitrary gatekeeping. Which means if someone is telling you that Mastodon “staff” needs to personally verify you through a link, they’re lying outright.
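To make the domain-based check concrete, here is an added example (not code from this post or from the Mastodon project) of the same test Mastodon's server performs: the page you list in your profile metadata must contain an `<a>` or `<link>` back to your profile URL carrying `rel="me"`. The profile URL and the two sample pages are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit


class RelMeParser(HTMLParser):
    """Collect href values of <a> and <link> tags whose rel attribute
    contains the token 'me' (rel may hold several space-separated tokens)."""

    def __init__(self):
        super().__init__()
        self.rel_me_hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "link"):
            return
        attr = dict(attrs)
        rel = (attr.get("rel") or "").lower().split()
        href = attr.get("href")
        if "me" in rel and href:
            self.rel_me_hrefs.append(href)


def normalize(url):
    """Lower-case scheme/host and drop fragment and trailing slash so
    equivalent spellings of the profile URL compare equal."""
    parts = urlsplit(url.strip())
    path = parts.path.rstrip("/") or "/"
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, parts.query, ""))


def find_rel_me_links(html):
    parser = RelMeParser()
    parser.feed(html)
    return parser.rel_me_hrefs


def page_verifies_profile(html, profile_url):
    """True only if the page links back to profile_url with rel="me"."""
    target = normalize(profile_url)
    return any(normalize(h) == target for h in find_rel_me_links(html))


# Constructed sample: a personal site that links back with rel="me" ...
GOOD_PAGE = """<html><head><link rel="me" href="https://example.social/@alice"></head>
<body><a rel="nofollow me" href="https://example.social/@alice/">Mastodon</a></body></html>"""
# ... and one that links to the profile without rel="me", which does not verify.
PLAIN_PAGE = '<html><body><a href="https://example.social/@alice">my Mastodon</a></body></html>'

if __name__ == "__main__":
    print(page_verifies_profile(GOOD_PAGE, "https://example.social/@alice"))   # True
    print(page_verifies_profile(PLAIN_PAGE, "https://example.social/@alice"))  # False
```

Note that nothing in this check involves any "staff": the link lives on a site you control, and the server only reads it.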

    Scammers thrive on confusion and fear. They know that many people are still new to Mastodon, unsure of how things work compared to Twitter or Facebook. They weaponize that uncertainty. They throw around words like “suspension,” “policy violation,” or “account termination,” because they know users will panic and click before they think. And once you click, you’re opening yourself up to phishing attempts, malware, or worse. That shady link isn’t leading you to a legitimate Mastodon portal—it’s leading you straight into their trap.

    This is why I feel the need to speak up. It’s not enough for individuals to quietly ignore these scams; we need to actively warn others. If you see one of these scam posts, don’t just scroll past it. Report the account. Block them. Boost posts from others calling out the scam. Talk about it. The more awareness we raise, the less likely someone else will fall into the trap.

    It also helps to remember that Mastodon isn’t a monolithic company. Each server, or instance, is independently run. That means “official communication” will always depend on your instance administrator, not some vague all-encompassing Mastodon authority. If you’re ever genuinely worried about your account, the best thing you can do is contact your instance admin directly. They are the ones responsible for your account, not some random person tagging you in a public post.

    The scams I’ve been seeing lately have become almost laughably obvious, but that doesn’t mean they’re harmless. All it takes is one person in a moment of panic to click the wrong link, and their account—or even their device—could be compromised. And unlike big tech platforms with giant security teams, Mastodon is powered by communities of volunteers and enthusiasts. The best defense we have is collective vigilance.

    Let me repeat this one more time for anyone who needs to hear it: Mastodon will never ask you to verify your account through a public post. They will never tag you randomly to click on a suspicious link. If there is a problem, you’ll hear from your instance admin privately, or you’ll get an email. And verification itself is not something handled by staff—it’s something you do yourself, if you want, through your own website.

    So the next time you see one of these fake “Mastodon staff” accounts tagging people, don’t get scared. Recognize it for what it is: a lazy scam. Don’t click, don’t engage, just block, report, and move on. And if you feel so inclined, let your followers know what’s going on so they’re better prepared too. Because the only way these scammers succeed is if they catch us off guard. Let’s make sure they don’t.

    Mastodon deserves better than to be polluted by the same shady tactics we left behind on corporate social media. Part of what makes this space so refreshing is the sense of community and mutual responsibility. So let’s keep that spirit alive. Look out for each other. Share knowledge. And when the scammers come knocking, slam the door in their faces.