Fake Gaming Tournaments Are Scamming Teens: How Discord Prize Phishing Actually Works

A 15-year-old in suburban Atlanta received a DM on Discord last year: a “Valorant Invitational” with a $500 prize pool, sign-up deadline in 48 hours, and a link to what looked like a professional tournament bracket platform. He registered with his Riot Games login, filled in his Discord username, and eagerly waited for match scheduling. Three hours later, his Valorant account had been locked, his Discord was compromised, and both had been added to a list of credentials actively sold in a criminal marketplace. He’d never played a single match. The “tournament” existed only as infrastructure for harvesting gaming credentials at scale, and it harvested them from at least 340 other teenagers before the domains were reported and taken down. The FBI’s Internet Crime Complaint Center documents hundreds of similar schemes annually, though gaming-specific cases are often underreported because teenagers are reluctant to tell parents about financial or account losses tied to gaming.

Key Takeaways

• Fake tournament scams operate in three stages: discovery (Discord DMs, TikTok ads, YouTube comments), registration (credential-harvesting sign-up forms), and prize claim (secondary phishing for payment or additional account access).
• Sign-up forms requesting gaming platform credentials — Epic, Riot, Steam, PSN — are almost always phishing. Legitimate tournaments use third-party bracket services that do not require your game login.
• Prize amounts are calibrated to be believable: $50–$500 cash prizes feel realistic enough to motivate action but large enough to override skepticism.
• Discord’s bot ecosystem enables scammers to DM thousands of server members simultaneously with minimal account age or reputation.
• The FTC and IC3 both track “prize and lottery” fraud as a top-five fraud category; for teens, gaming tournaments represent the primary delivery mechanism within that category.

The Three-Stage Anatomy of a Fake Gaming Tournament

Understanding the structure makes every individual attack recognizable, regardless of which game or platform it targets.

Stage 1: Discovery and Distribution

Fake tournament announcements reach teens through several channels simultaneously:

Discord DMs from bot accounts: This is the highest-volume distribution method. Attackers join popular gaming Discord servers — Fortnite, Rocket League, Minecraft, Valorant servers with tens of thousands of members — and run scripts that DM server members directly. Discord has automated systems to detect and ban bot behavior, but attackers rotate accounts to stay ahead of detection. The messages are designed to look like peer invitations, not advertisements.

YouTube comment sections: Comments on popular gaming YouTubers’ videos announcing “sponsored tournaments” with links. These appear as organic community activity but are posted by bot accounts. They generate credibility from the YouTuber’s audience without the YouTuber’s knowledge or endorsement.

TikTok gaming content: Short videos showing “tournament highlights” with a link in bio. The production quality has improved significantly — AI-generated voiceover and stock esports footage make these indistinguishable from legitimate content at a glance.

Reddit and gaming forums: Posts in gaming subreddits appearing to come from community members announcing local or online tournaments. New accounts posting in established communities with suspiciously polished announcements.

Stage 2: Credential Harvesting via Fake Sign-Up

The sign-up form is the core of the operation. Fake tournament registration pages request:

• Full name (used for social engineering and possible identity fraud)
• Email address (used for follow-up phishing and spam)
• Discord username and tag (enables account targeting)
• Gaming platform credentials — Riot ID / password, Epic email / password, Steam login / password

This last item is the tell. No legitimate esports tournament — at any level from amateur to professional — ever requests your gaming platform password. Legitimate bracket platforms (Battlefy, Challonge, Smash.gg / start.gg) connect to gaming accounts via OAuth, which grants limited read-only permissions without exposing credentials.

The fake pages are often sophisticated. They may include:

• Real-looking prize pool breakdowns with “sponsors” using logos of real companies
• Fake player count badges (“847 registered players”)
• A countdown timer creating artificial urgency
• Previous “tournament results” showing fabricated winners with real-looking Gamertags

Stage 3: Prize-Claim Secondary Phishing

After sign-up, some fake tournaments don’t immediately use the captured credentials. Instead, they run the next attack: the prize-claim email.

Participants who registered receive an email days later claiming they’ve been “selected for the next round” or “won a bonus prize.” This email contains a link to a payment collection page requesting:

• Bank account or PayPal credentials to “receive the prize transfer”
• A small “registration fee” or “processing fee” (advance-fee fraud)
• Identity verification documents including photo ID

This stage targets any participants whose gaming credentials didn’t yield valuable accounts. Even if a teen used a throwaway password, their email is now harvested and usable for financial fraud targeting.

Stage	Attack Mechanism	What’s Being Stolen	Red Flag
Stage 1: Discovery	Discord DMs, TikTok, YouTube comments	Attention and click	Unsolicited contact from unknown accounts; extreme prize amounts
Stage 2: Registration	Fake sign-up form	Gaming credentials, email, username	Form requests your password for any gaming platform
Stage 3: Prize Claim	Secondary phishing email	Banking credentials, fees, ID documents	Prize requires payment, fee, or financial account access

Why Teens Are Specifically Targeted

Competitive gaming creates unique psychological vulnerabilities that scammers exploit with precision.

Achievement motivation: Teens who invest significant time in games like Valorant, Fortnite, or Rocket League have a natural desire to have that skill recognized competitively. A tournament invitation taps into that desire directly.

Social proof in community spaces: When a message arrives in a Discord server the teen trusts and participates in regularly, the environment provides false credibility. The message feels like it comes from the community, not from an outside attacker.

Low base rate awareness for gaming scams: Adults have absorbed decades of warnings about email phishing and phone scams. Teen gamers may have received no specific education about gaming-specific fraud vectors. Common Sense Media’s 2023 Digital Citizenship report found that fewer than 20% of middle schoolers had received explicit instruction on gaming-platform-specific fraud.

Believable prize amounts: A $1,000,000 prize is obviously fake. A $250 “local invitational prize” with PayPal payout feels like exactly the kind of thing an enthusiastic community organizer might put together.

Real Esports Infrastructure vs. Fake: A Field Guide

The most reliable protection is knowing what legitimate tournaments actually look like.

Legitimate tournament sign-ups:

• Use established bracket platforms: Battlefy, start.gg, Challonge, or the game publisher’s own ladder system (ESL Play, Riot’s own Valorant Champions Tour infrastructure)
• Connect to gaming accounts via OAuth (you authorize without entering a password)
• List organizer contact information, including social media presence with verifiable history
• Have bracket pages that are publicly viewable without an account
• Never request payment before a prize is awarded

Fake tournament sign-ups:

• Hosted on new domains (check registration date at whois.domaintools.com — anything under 30 days old is high-risk)
• Request gaming platform passwords directly in a form field
• Use generic website builders (Wix, Weebly, Google Forms) for the sign-up rather than dedicated esports platforms
• Feature organizer social media accounts with minimal history and follower counts that don’t match claimed event size
• Have no verifiable connection to the game publisher or known community organizers

The Credential Resale Market: What Happens After

Understanding where stolen credentials go makes the stakes concrete for teens.

Gaming accounts with valuable content — ranked ratings, rare skins, large friend networks — are sold on grey-market forums and marketplaces including Playerauctions, Eldorado.gg, and specialized Discord servers. A Valorant account with a high Radiant rank sells for $50–$500 depending on the cosmetics and history. A Fortnite account with a full locker including limited-time skins can command $200+.

Email credentials are sold in bulk for spam campaigns or tested against financial services for account takeover. Discord credentials are particularly valuable because a compromised Discord account with existing server memberships and friends can be used to further spread scam DMs, using the victim’s own trusted relationships as distribution infrastructure.

This explains why the scam is economically self-sustaining: each successful credential harvest funds the next campaign and generates distribution assets.

What to Teach Your Teen: Verification Habits Before Signing Up

Step 1: Look up the domain registration date. Go to lookup.icann.org and enter the tournament website domain. If it was registered in the past 60 days, treat it with extreme skepticism.

Step 2: Find the organizer’s established online presence. A legitimate tournament organizer has a Twitter/X account with posting history predating the current event, YouTube content showing past tournaments, and a presence in established gaming communities. A 30-day-old Twitter account with 12 followers is a red flag regardless of how professional the website looks.

Step 3: Check the sign-up mechanism. If registering requires entering a password for any gaming platform, stop. Use the OAuth alternative if one is offered, or don’t participate. No prize is worth a compromised account.

Step 4: Verify through the game’s official channels. For games with large competitive scenes — Valorant, Fortnite, Rocket League — the publishers maintain official lists of sanctioned community tournaments. If the “tournament” doesn’t appear there, it isn’t officially recognized.

Step 5: Tell a parent before entering any sign-up form that requests your gaming credentials. This one conversation checkpoint catches the attack before any credentials are exposed.

For related guidance on how fake credential-collection works across gaming platforms, see our detailed breakdown of how Fortnite account theft works.

What to Watch For Over 3 Months

Month 1: Have a specific conversation with your teen about the credential-request red flag. Show them what OAuth looks like (a redirect to the game company’s own login page with an authorization prompt) versus what a phishing form looks like (a password field on an unfamiliar site). Practice identifying the difference.

Month 2: Ask your teen to show you any tournament or competition invitations they receive through Discord, TikTok, or YouTube. Do this collaboratively, not as surveillance — the goal is to practice the verification steps together until they become automatic.

Month 3: Check whether your teen’s primary gaming account emails are listed at haveibeenpwned.com. If an email appears in a breach, change the password immediately and enable two-factor authentication on all accounts sharing that email.

Frequently Asked Questions

How can I tell if a Fortnite or Valorant tournament is real?

Check whether the tournament is listed on the game’s official competitive portal. For Valorant, Riot maintains a community tournaments hub. For Fortnite, Epic Games lists sanctioned community events on their competitive page. Any tournament not appearing in official channels is unverified.

My teen already signed up for what looks like a fake tournament. What now?

Immediately change the password on every gaming platform account where the same credentials were used. Enable two-factor authentication on all accounts. Check the linked email account and change that password too. Monitor for any unauthorized login notifications over the following 48 hours.

Do scammers actually go after kids for financial information?

Yes. The prize-claim stage of fake tournament scams sometimes includes requests for bank account, PayPal, or Venmo information to “deliver the prize.” The FTC’s Consumer Sentinel data consistently shows teens and young adults in the 15–24 age range are disproportionately victimized by prize and lottery fraud precisely because the gaming-tournament format is persuasive to this demographic.

Are there real amateur gaming tournaments worth competing in?

Absolutely. Battlefy, start.gg, and Challonge host thousands of legitimate amateur tournaments with real prize pools. Many game publishers also run official community events. The distinguishing features are established platform infrastructure, no password requests, and verifiable organizer history.

Can Discord block these scam DMs automatically?

Discord has anti-spam and anti-phishing systems including link filtering, but motivated attackers rotate accounts and domains faster than automated systems can catch them. The user-level protection is setting DMs to “friends only” in Discord privacy settings, which blocks unsolicited DMs from non-friends regardless of shared server membership.

---

About the author

Ricky Flores is the founder of HiWave Makers and an electrical engineer with 15+ years of experience building consumer technology at Apple, Samsung, and Texas Instruments. He writes about how kids learn to build, think, and create in a tech-saturated world. Read more at hiwavemakers.com.

Sources

1. Federal Bureau of Investigation, Internet Crime Complaint Center. (2024). 2023 Internet Crime Report. IC3. https://www.ic3.gov/Media/PDF/AnnualReport/2023_IC3Report.pdf
2. Federal Trade Commission. (2024). Consumer Sentinel Network Data Book 2023. FTC. https://www.ftc.gov/reports/consumer-sentinel-network
3. Common Sense Media. (2023). The Common Sense Census: Media Use by Tweens and Teens 2023. Common Sense Media. https://www.commonsensemedia.org/research/the-common-sense-census-media-use-by-tweens-and-teens-2023
4. Verizon. (2024). 2024 Data Breach Investigations Report. Verizon Business. https://www.verizon.com/business/resources/reports/dbir/
5. Proofpoint. (2024). 2024 State of the Phish Report. Proofpoint Research. https://www.proofpoint.com/us/resources/threat-reports/state-of-phish
6. Cybersecurity and Infrastructure Security Agency. (2023). Protecting Against Phishing. CISA. https://www.cisa.gov/topics/cyber-threats-and-advisories/phishing