Community Manager Handbook

We know not everyone is comfortable with automatic classification — and that’s okay. That’s why we’d like to share high-level best practices that anyone can apply, regardless of the tools they use. By making this knowledge freely available, we ensure that community managers of all budgets can benefit from our industry experience. If you feel we’re missing something, or something isn’t as clear as it should be, get in touch — we’d love to hear from you.

Why This Handbook Exists

Social media comments are a battleground. Spammers, scammers, and hate groups use increasingly sophisticated tactics to exploit your community. They disguise links, hide behind coded symbols, and use psychological pressure to manipulate your audience.

This handbook distills years of pattern analysis from Hush — our spam detection engine — into a practical reference guide. Every pattern described here comes from real-world detection data across thousands of social media accounts.

Who This Is For

You are a community manager, social media manager, or moderator responsible for keeping comment sections safe. You may work alone or as part of a team. You need to:

• Recognize spam and scam comments quickly
• Understand the tactics behind them
• Respond with the right action at the right time
• Educate your team on emerging patterns

How To Use This Guide

Each chapter covers a specific category of harmful content:

• Scam Patterns — The most common fraud tactics in social media comments
• Sexual Content & Solicitation — How explicit spam disguises itself
• Coded Hate Speech — Hidden extremist symbols that look harmless to the untrained eye
• Evasion Tactics — Technical tricks spammers use to bypass filters
• Action Guide — A step-by-step response playbook

Every chapter ends with a quick-reference checklist you can use during your daily moderation work.

A Living Document

Spam tactics evolve constantly. This handbook is updated regularly as new patterns emerge. The “Last Updated” date on each chapter tells you when it was last revised.

Quick-Reference Checklist

• Bookmark this page for quick access during moderation shifts
• Read through each chapter at least once to familiarize yourself with patterns
• Share with your moderation team
• Check back regularly for updates on new tactics

Overview

Scam comments are the most common type of harmful content on social media. They follow predictable templates and rely on urgency, greed, or trust to trick your audience. Once you learn to recognize the patterns, they become easy to spot.

Telegram & Messenger Redirects

Scammers try to move conversations off-platform where there is no moderation. Telegram is by far the most common destination.

What to look for:

• Direct links like t.me/username
• Phrases like “DM me on Telegram” or “join my TG channel”
• WhatsApp or Signal numbers posted in comments

These patterns appear across many languages. The core tactic is always the same: get people off-platform.

Why it matters: Once a user moves to Telegram, scammers can send phishing links, request payments, or run investment fraud without any platform oversight.

Crypto & Investment Fraud

These scams promise unrealistic financial returns. They are often connected to Telegram redirects.

Wallet addresses in comments are almost always spam. These are long strings of letters and numbers that represent cryptocurrency wallets (Bitcoin, Ethereum, Tron, etc.). If you see an unfamiliar alphanumeric string in a comment, it’s likely a wallet address.

Common tactics include:

• Doubling schemes: “Send 1 ETH and receive 5 ETH back”
• Fake testimonials: “I invested $100 and made $10,000”
• Guaranteed returns with specific percentages or dollar amounts
• References to fake advisors, mentors, or trading platforms

The language often revolves around guaranteed profits, specific crypto coins, and urgency.

Fake Giveaways

These imitate legitimate promotions but are designed to steal personal information or payment details.

Classic templates:

• “Congratulations! You’ve been selected as a winner!”
• “You won $X” — with a specific dollar amount and a link to “claim” it

Pressure tactics are a hallmark — they create urgency (“act now!”, “limited time!”) to prevent you from thinking critically.

Red flags that distinguish fake from real giveaways:

• The comment appears on an unrelated post
• It asks you to click a link or visit an external site
• It creates urgency (“expires in 24 hours”)
• The account has no history or relationship with the brand

Follower & Engagement Scams

These target creators and businesses who want to grow their audience.

They typically promise instant followers, likes, or views — or run “follow for follow” schemes. Be suspicious of any unfamiliar domain promising social media growth, especially those referencing “SMM panels.”

Why it’s harmful: Fake followers damage engagement rates, violate platform terms of service, and can lead to account suspension.

Impersonation

Scammers pretend to be the account owner, an official representative, or a verified authority.

They might claim to be the channel owner, official support, or a verified seller. A common variant is fake customer support: “Contact our support at [link].”

How to spot it: Compare the commenter’s username with the actual account owner. Impersonators often use similar-looking names with small differences (extra underscore, swapped letters, added numbers).

Common Scam Phrases Across Categories

Some phrases appear across multiple scam types. Classics include “This changed my life”, “Not a scam” (ironically, almost always a scam), and “DM me for collab/business.” If a comment sounds too enthusiastic about money or life-changing results, it probably is spam.

Quick-Reference Checklist

• Any Telegram/WhatsApp/Signal link in a comment is suspicious
• Wallet addresses (long alphanumeric strings) are almost always spam
• “Guaranteed returns” or specific dollar amounts signal investment fraud
• “Congratulations, you won!” on unrelated posts is always fake
• Check if the commenter’s username matches who they claim to be
• “Follow for follow” and follower-selling services violate platform rules
• Comments creating urgency (“act now”, “limited time”) deserve extra scrutiny

Overview

Sexual spam is one of the most persistent problems in social media moderation. It ranges from obvious explicit content to subtle solicitation tactics designed to redirect users to adult platforms. Understanding the full spectrum helps you catch what automated filters might miss.

Explicit Content & Platform Redirects

The most direct form of sexual spam promotes adult content platforms.

Platform name variations — spammers deliberately misspell platform names to evade filters. For example, “OnlyFans” might appear as 0nlyfans, 0nlyf4ns, or onlyf@ns. Look for any recognizable adult platform name with creative spelling.

Explicit markers include terms like “18+”, “nudes” (often leet-spelled as nud3s), and references to “hot” or “adult” content.

Profile redirect patterns are subtler and often pair with the above — phrases like “check my profile”, “link in my bio”, or “exclusive content” that try to funnel users to an external page.

Watch for combinations: A comment saying “link in bio” alone is ambiguous. But “hot exclusive content — link in bio” is clearly sexual spam. The more signals you see together, the more confident you can be.

Solicitation Tactics

These are more subtle than explicit spam. They use social engineering to start conversations that lead to adult content or services.

Late-night engagement bait — comments like “Who’s still awake?” or “Anyone up right now?” that fish for responses. These appear across languages.

Loneliness and companionship bait — expressions of boredom or loneliness designed to start a conversation that leads to adult content. Examples: “So lonely right now”, “Keep me company.”

Partner solicitation — direct requests like “Looking for fun tonight” or “Looking for a guy/girl.” These appear in English, German, Spanish, and other languages.

Body part euphemisms — coded references to body parts, including single-letter abbreviations and suggestive emoji like the eggplant.

Engagement bait with suggestive framing — “Like if you’re awake” or similar calls to action that fish for engagement in a suggestive context.

Direct contact requests — “HMU” (hit me up), “DM me”, and equivalents in other languages.

Voyeur Solicitation

A particularly harmful subcategory involves requests to share intimate images of others — often family members or acquaintances. These comments typically ask “who shows” or “who has” followed by a reference to a female relative or acquaintance. This pattern is especially prevalent in German-speaking communities.

This is not only spam but potentially illegal content. Escalate immediately if you see this pattern.

Suggestive Emoji Patterns

Some emoji are used as coded sexual language:

• Eggplant + peach combination in suggestive context
• Clusters of suggestive emoji with minimal text

Note: Emoji-only comments (without sexual context) are generally harmless — people use emoji to express reactions. The concern is when suggestive emoji appear alongside solicitation language.

Quick-Reference Checklist

• Misspelled platform names (0nlyfans, onlyf@ns) are deliberate filter evasion
• “Link in bio” + any sexual language = sexual spam
• Late-night engagement bait (“who’s awake?”) is a solicitation opener
• Loneliness or companionship bait often leads to adult content promotion
• Voyeur solicitation involving family members should be escalated immediately
• Check for suggestive emoji + text combos, not emoji alone
• Profile redirect phrases are only concerning when paired with sexual content

Overview

Hate groups deliberately use coded language to communicate in plain sight. What looks like a random number or an innocent emoji to most people carries a specific hateful meaning to those “in the know.” As a community manager, recognizing these codes is essential for keeping your space safe.

This chapter draws on research into extremist communication patterns, including the work of organizations monitoring online hate speech.

Numeric Hate Codes

1488

This is the most well-known white supremacist numeric code.

• 14 refers to the “14 Words,” a white supremacist slogan
• 88 stands for “HH” (H is the 8th letter of the alphabet) — a coded “Heil Hitler”

How it appears:

• 1488 as a single number
• 14/88, 14-88, or 14 88 with separators
• Sometimes embedded in usernames or bios

88

When “88” appears on its own — especially as an entire comment — it is often a coded greeting among extremists.

Context matters: The number 88 can be innocent (birth year, jersey number). But watch for:

• “88” as the entire comment with no other context
• “88” combined with extremist emoji (see below)
• “88” in a username alongside other suspicious signals

Emoji Hate Codes

Extremist groups have co-opted specific emoji combinations as coded symbols. These are designed to look harmless to moderators while communicating hateful messages.

Double Lightning Bolt

Two lightning bolt emoji in sequence represents the SS runes (Nazi insignia).

Example: A comment containing just lightning-lightning (two lightning bolt emoji side by side)

Double 8-Ball

Two pool 8-ball emoji represent “88” — the same code as above.

Example: A comment containing two 8-ball emoji side by side

Lightning + Chair

A lightning bolt emoji next to a chair emoji represents execution/electric chair — used as an incitement to violence.

Example: Both lightning-chair and chair-lightning orderings

Anti-LGBTQ+ Combinations

Hate emoji placed next to the rainbow flag emoji signal anti-LGBTQ+ sentiment:

• Prohibited sign + rainbow flag = “ban LGBTQ+”
• Fire + rainbow flag = burning/destruction imagery
• Nauseated face or vomiting face + rainbow flag = disgust
• Soap + rainbow flag = a Holocaust reference (“cleansing”)

These combinations are deliberate and should always be treated as hate speech, not casual emoji use.

Why Coded Language Matters

Extremist groups use codes specifically because:

1. Plausible deniability — “It’s just a number/emoji, you’re overreacting”
2. In-group signaling — Members recognize each other
3. Filter evasion — Most moderation tools don’t flag numbers or emoji
4. Normalization — Repeated exposure desensitizes communities

Your role is to recognize these patterns and act on them, even when individual elements seem innocent.

How To Respond

When you spot coded hate speech:

1. Remove the content — Don’t leave it up while you deliberate
2. Document it — Screenshot before deletion for records
3. Check the account — Look at their comment history, username, and bio for additional signals
4. Ban if pattern repeats — A single “88” might be innocent; “88” plus lightning bolt emoji in the bio is not
5. Report to the platform — Use the platform’s hate speech reporting tools

Quick-Reference Checklist

• 1488, 14/88, 14-88 = white supremacist code — always remove
• 88 alone as a comment warrants investigation, especially with other signals
• Two lightning bolt emoji side by side = SS runes
• Two 8-ball emoji side by side = coded “88”
• Lightning + chair emoji = execution incitement
• Hate emoji + rainbow flag = anti-LGBTQ+ hate speech
• Soap emoji in hate context = Holocaust reference
• When in doubt, check the account’s full history for patterns

Overview

Spammers know that platforms and tools use keyword filters. So they use technical tricks to make their messages look different to computers while still being readable to humans. Understanding these tricks helps you spot spam that automated tools might miss — and helps you understand why some obvious-looking spam gets through.

Character Substitution & Lookalikes

Cyrillic/Latin Mixtures

This is one of the most sophisticated evasion techniques. Spammers replace Latin letters with visually identical Cyrillic characters. To your eyes, the word looks normal. To a computer, it’s a completely different string.

Many Cyrillic letters are visually identical to their Latin counterparts — a, e, o, c, p and others have Cyrillic lookalikes that appear the same to the human eye but are completely different characters to a computer.

Example: The word “telegram” with a Cyrillic “e” looks identical to you but won’t match a filter looking for “telegram.”

How to spot it: You usually can’t see it with your eyes. If a comment looks like obvious spam but wasn’t caught by filters, character substitution may be why. Copy-paste the text into a Unicode inspector tool to check.

Leet Speak & Symbol Substitution

Replacing letters with numbers or symbols — for example, 0nlyfans (zero instead of O) or nud3s (3 instead of E). This is more visible than Cyrillic substitution and easier to catch once you know what to look for. The trick is always the same: swap a letter for something that looks similar.

Invisible Characters

Spammers insert invisible Unicode characters into words to break up keyword matches.

There are many invisible Unicode characters that can be inserted into text — invisible spaces, direction markers, formatting characters, and more. A word like “telegram” with an invisible character in the middle looks perfectly normal but won’t match keyword filters.

How to spot it: If a word has unusual cursor behavior when you try to select it (cursor seems to “stick” in the middle), invisible characters may be present.

Zalgo Text

Zalgo text stacks excessive diacritical marks (accents, tildes, etc.) on characters, creating distorted, “glitchy” text that’s hard to read and hard to filter.

Example: Text that appears to drip or extend vertically with stacked marks above and below each character.

Purpose: Makes the text unreadable to automated filters while still being (barely) readable to humans. Often used for shock value or to make hate speech harder to detect.

Fullwidth Characters

These are “wide” versions of normal letters and numbers from Asian character sets. They look similar to regular characters but have different Unicode values.

How to spot it: Text appears slightly wider or more spaced out than normal. If you see uniform but oddly-spaced text in a comment, fullwidth characters may be in use.

URL Shortener Abuse

Spammers hide malicious or spammy destinations behind shortened URLs.

There are dozens of URL shortening services in use. Some are well-known (like bit.ly), others are more obscure. Bio link services (like linktr.ee) are lower risk but still worth monitoring when they appear alongside other spam signals.

Red flags with shortened URLs:

• Multiple shortened URLs in a single comment
• Shortened URL combined with urgency language (“act now!”, “limited time!”)
• Shortened URL in a comment unrelated to the post topic
• Shortened URL from an account with no posting history

What to do: Never click shortened URLs in suspicious comments. Use a URL expander tool to check where they actually lead.

Emoji Spam

Excessive emoji use can be both a spam signal and an evasion technique.

Patterns to watch for:

• Repeated identical emoji: Many of the same emoji in a row (e.g., a row of money bags)
• Emoji overload: Lots of emoji with very little actual text — the emoji draw attention while the message hides a link or scam
• Crypto emoji clusters: Rocket, money bag, dollar bill, gem, and chart emoji grouped together often signal crypto scams

Note: Emoji-only reactions (hearts, thumbs up, laughing faces) from real users are normal and harmless. The concern is emoji used as visual noise alongside scam content.

Quick-Reference Checklist

• If obvious spam wasn’t caught by filters, suspect character substitution
• Look for number/symbol replacements in known spam words (zeros for O’s, 3’s for E’s, etc.)
• Unusual cursor behavior when selecting text may indicate invisible characters
• Glitchy, dripping text (Zalgo) is always intentional disruption
• Never click shortened URLs in suspicious comments — use an expander tool
• Multiple shortened URLs in one comment is a strong spam signal
• Shortened URL + urgency language = almost always a scam
• Excessive identical emoji or crypto-themed emoji clusters signal spam

Overview

Knowing how to recognize harmful content is only half the job. This chapter gives you a clear, step-by-step playbook for responding to each type of threat — from routine spam to serious hate speech.

The 4-Step Response Framework

For any harmful content you encounter, follow this framework:

1. Assess

Ask yourself:

• What type of content is this? (scam, sexual spam, hate speech, evasion)
• How severe is it? (routine spam vs. active harm)
• Is the account a first-time offender or a repeat pattern?
• Could this be a false positive? (genuine user, innocent use of a number, etc.)

2. Act

Immediate actions based on severity:

Severity	Content Type	Action
Critical	Hate speech, violent threats, CSAM	Remove immediately. Ban account. Report to platform.
High	Crypto scams, phishing links, impersonation	Remove immediately. Ban account. Warn community if needed.
Medium	Sexual spam, fake giveaways, follower scams	Remove content. Warn or ban based on history.
Low	Borderline spam, link shorteners, engagement bait	Monitor. Remove if pattern continues.

3. Document

What to record:

• Screenshot of the content (before deletion)
• The account username and any profile details
• The type of spam/scam identified
• The action you took
• Date and time

Why document: Patterns emerge over time. Documentation helps you identify coordinated campaigns, demonstrate the need for better tools, and train new team members.

4. Escalate (When Needed)

Escalate to the platform when you see:

• Coordinated spam attacks (many similar accounts posting at once)
• Impersonation of your brand or public figures
• Content that may be illegal (CSAM, threats of violence, doxxing)
• Accounts that recreate after being banned

Escalate to law enforcement when you see:

• Credible threats of violence
• Child exploitation content
• Doxxing with clear intent to harm
• Fraud that has caused real financial harm to your community members

Category-Specific Playbooks

Scam Comments

Routine scam (crypto, Telegram, fake giveaway):

1. Delete the comment
2. Ban the account (scam accounts rarely reform)
3. If the scam targets a specific post, consider pinning a warning comment
4. No need to respond to the scammer

Sophisticated scam (impersonation, fake support):

1. Delete the comment immediately
2. Ban the account
3. Post a warning to your community: “We will never ask you to contact us via Telegram/WhatsApp”
4. Report the account to the platform for impersonation
5. If the scammer impersonated a real person, notify that person

Sexual Spam

Explicit content promotion:

1. Delete the comment
2. Ban the account
3. No further action typically needed

Voyeur solicitation (requests for images of others):

1. Delete immediately
2. Ban the account permanently
3. Report to the platform as sexual exploitation
4. Document for potential law enforcement referral

Hate Speech

Coded hate speech (numeric codes, emoji combinations):

1. Delete the comment
2. Check the account’s history for additional signals
3. Ban if there is a pattern (or if the signal is unambiguous, like 1488)
4. Report to the platform as hate speech
5. Do not engage with the poster or explain what you detected — this educates them on evasion

Overt hate speech:

1. Delete immediately
2. Ban permanently
3. Report to the platform
4. Document for potential law enforcement referral if threats are involved

Filter Evasion

When you find spam that evaded automated filters:

1. Remove the content
2. Note the evasion technique used (character substitution, invisible characters, etc.)
3. Report the technique to your tool provider so they can improve detection
4. Check for similar comments from the same account or similar accounts

Building a Healthier Community

Beyond reactive moderation, you can take proactive steps:

Set expectations early:

• Pin community guidelines prominently
• State clearly what is and isn’t allowed
• Explain consequences (warning, mute, ban)

Use automated tools effectively:

• Automated moderation catches the bulk of spam so you can focus on edge cases
• Review flagged content regularly — false positives teach you about your community’s normal patterns
• Report missed spam to your tool provider to improve detection

Educate your audience:

• Warn your community about active scam campaigns
• Tell users to never click suspicious links or move to external messengers
• Encourage reporting — your community members are your first line of defense

Take care of yourself:

• Moderation work can be emotionally draining, especially when dealing with hate speech or exploitation content
• Take breaks between moderation sessions
• Share the workload with your team when possible
• Organizations like the Content Moderator Wellness Program offer resources

Quick-Reference Checklist

• Follow the 4-step framework: Assess, Act, Document, Escalate
• Always screenshot before deleting (for documentation)
• Scam accounts should almost always be banned, not just warned
• Never engage with hate speech posters — just remove, ban, report
• Voyeur solicitation and threats require platform reporting and possible law enforcement escalation
• Report evasion techniques to your tool provider
• Pin community guidelines and warn about active scam campaigns
• Take care of your own wellbeing — moderation is taxing work