Account Security


As a member of the RuneScape community, there are a number of communities which specialize in different areas of the game; One of these communities strives to hijack accounts and take them from the owners, as well as breaking the Real World Trading rule by most of the time, selling the gold that they take from the hijacked accounts. The gold is most commonly sold to Real World Traders and Gold Farming companies because Jagex take account hijacking extremely seriously and always ban anyone who's involved in the hijacking of an account or trading of the items from a hijacked account which means that most of the time, the players will not want to risk their own accounts by trading the gold from the hijacked account to their own, however most hijackers nearly always don't have a main account that they play on because of the fact that they have been permanently banned and removed from the game.

Should you ever require assistance regarding your account, you may contact Jagex by sending them a support ticket.

This guide is going to show you all of the most common Scams and Hijacking methods used by these communities in an attempt to get your account or gold associated with it and how to avoid them in the best ways possible.

Security Methods

Your Lobby

This is what your Lobby should look like when you log into RuneScape. if it doesn't, then you're doing something wrong. Here's an overview of the features of the lobby."

  • Subscription: Indicates the status of your Membership Subscription.
  • Messages: Indicates whether there are new messages in the Message Centre. The Message Centre is where Jagex can send players personal messages regarding various account matters such as Offences and Player/Forum moderator invites. Only Jagex can send messages here -- it cannot be used for player to player messaging. As the Message Centre is the most secure method of Jagex to player communication, messages like these will never be sent to your email address.
  • Email Registration: Indicates whether there is an email address linked to your RuneScape account. Having an email linked can eliminate the need to go through a manual recovery procedure, however this is only effective if you use a secure email provider such as GMail. More on that later on.
  • Authenticator Status: Indicates whether Authenticator is activated on your account. Authenticator is an extra security measure for your account by requiring a code generated by your mobile phone to be entered in order to login. More information on Authenticator is available here.

Email Registration

Email Registration is a vital security feature which should be taken advantage of, however it can also be a vital security flaw at the same time if proper security precautions with your E-Mail address are not taken.

A highly secure and recommended E-Mail provider is GMail for the main reason that Google allow an extra security feature called 2 Step Verification. 2 Step Verification is a system which makes the E-Mail account inpenetrable unless the hijacker has access to the mobile phone you have linked the account to. This system prevents even the most advanced of hijacking methods: Recovery and Keyloggers.

You can access your EMail registration settings in your RuneScape account either through the game Lobby or through the Account Settings section of the RuneScape website. When you get there, you'll see a screen as depicted in the image to the right. Simply enter the E-Mail address that you want to attach to your account, leave the current E-Mail blank if there isn't already one set. You'll then be sent a code in an E-Mail to that address which you'll be prompted on a second page to enter to prove that the address you've set or attached is actually valid and can be used.

It is recommended that you use GMail as your email provider, mainly due to the 2 Step Verification system that they offer. While Hotmail/Outlook, Yahoo and other services are acceptable, it is not as secure. It is also highly recommended that you use an E-Mail address that nobody knows about - Make one specifically for your RuneScape account as the most secure address is the one nobody knows about, this includes using it for Fansites, anything at all. It literally takes less than 5 minutes to do and is well worth the time and effort for the security of your account.

Message Centre

Your Message Centre is one of the most important features of RuneScape, in-fact it's a vital part of the security of your Account - This is due to the Message Centre as the only place that Jagex will communicate account-related issues with players and never through email. Only hijackers will try to trick you saying that messages of this nature will be delivered to the E-Mail inbox instead, which is not the case. This includes things such as;

  • Account Offenses
  • Player & Forum Moderator Invites
  • "Infractions" - Messages of this nature does not exist.
  • "Password Expirations" - There are no such thing.

The most common Message scam that people fall for is Moderator invites, because who doesn't want to become a Moderator - Right? More about Moderator Invites later on in the Guide. It's important to remember that ALL Jagex Moderators have Gold Crowns by their names in-game and will NEVER message you in-game about Moderator invitations - It's all done via your Message Centre Inbox. Never trust a player messaging you in-game about becoming a Moderator and always check for the Gold Crown and the "Mod" prefix before their Display Name.


This final section has no major significance unless you are a member, you can use this section to view your membership preferences and edit or extend subscriptions using various methods such as Game Cards or Credit Cards - Basically everything you need, or need to know about becoming or cancelling your membership can be found within this section.

There isn't really much to say about this section other than that it relates to the Message Centre in the sense that all messages regarding Membership, Subscriptions etc, will go to your Message Centre and not your EMail inbox. However, if you do need help with Membership or have Billing issues, you can always post in the "Billing Support" Forum or send an EMail to "" and one of Jagex's 24/7 Customer Support staff will assist you and help you sort out the problem.

Above is an example of what your Billing and Membership Centre might look like if you have Recurring membership from a credit card. It will display your Membership Type, your Display/User Name, your Membership Start Date and your Membership Re-bill Date - So that you know exactly how long your membership has lasted for, and when you will be charged again for a new month of Membership.


The Authenticator is a feature implemented by Jagex to increase the level of security of your account by requiring a code generated by your smartphone to be keyed in whenever you login through an unauthorised device. It is highly recommended that you enable this feature to ensure your account does not have unauthorised access. It can be used with any of Jagex's services where your RuneScape login is involved, including RuneScape, OldSchool RuneScape, RuneScape Companion, and FunOrb.

To setup the Authenticator, log into the RuneScape lobby and click on Account Settings to log into your account management panel. Alternatively, you may go to the RuneScape Official Website and login there.

Once logged on, expand the Authenticator section of the management panel and click Enable Now, and then click Set Up Now on the next page.

To begin, you will need to download and install the Google Authenticator (for iPhone and Android users) or the Microsoft Authenticator (for Windows Phone users) for your smartphone. The apps are available for free on iPhone, Android, and Windows Phone.

Once downloaded, open the app, tap Begin Setup, and then tap Scan Barcode. Your phone's camera will be activated -- point it at the QR code on the setup page to scan it.

A code will now be displayed on the screen. Enter it in the box found in Step 3 of the setup page and click Finish.

If there are no errors, you now have Authenticator setup. From now on, whenever you log into any of Jagex's services that uses your RuneScape password, you will be prompted for the code. Open the phone app and then type in the code that is displayed on the screen.

Bank PIN

Bank PINs are an extremely important feature of the game, as they would mean the difference between keeping most of your items and having your entire bank stolen should your account become hijacked.

To set a bank PIN, talk to a banker at any bank in RuneScape and ask for PIN Settings. Click Set a PIN in the dialog box that appears and then enter a combination of 4 digits. You will be prompted to enter it twice in case it gets mistyped. If you have Authenticator setup, you can also use the code generated by your smartphone to access your bank. You can enable this by clicking Use Authenticator as a bank pin.

Hijacking Methods


Phishing is a style of hijacking that requires the user, or Victim to go to a website that is a replica of the official RuneScape website login page, possibly the rest of the website too if the hijackers want to go for an all-around authentic look. However, the main page used is the login entry page, this is because the user is tricked into going to what seems like an innocent site, usually via clicking on what looks to be a RuneScape Forum link - This is because RuneScape Forum links are complicated and are usually pretty difficult to replicate, and usually the hijacking website is very similar to the link as if you'd go to a regular thread on the real RuneScape forums but with one or two letters changed, it is usually very hard to notice.

Another very commonly used Phishing method is by use of fake E-Mails from what looks like an official Jagex/RuneScape E-Mail address, when it really is not. They always mask the original URL using a HTML code, making the link look like an official forum link, when if you hover over it, you'll see the real link that's hidden behind it. These E-Mails vary with subjects that can be anything from telling you that your account is close to being banned due to an offense, saying that you need to login to appeal the offense, to offering you free Squeal of Fortune Spins through logging into a fake RuneScape website link. More explained below in detail.

Example of a Phishing E-Mail:

Masked E-Mail Address - The E-Mail address within the E-Mail sent to you is "masked". This means that the real sender's address is hidden behind the fake one, as you can see the (?) in the blue circle by the address. This means that your E-Mail provider has noticed that the address is masked and that you may want to acknowledge that before continuing to read the message or follow any links provided.

Dear CUSTOMER - Any E-Mail sent to you by Jagex that may be legitimate will have your RuneScape Display Name instead of "Customer". The reason this happens, is because you aren't the only person that this E-Mail is sent to, usually the databases from hijacked Fansites with E-Mail addresses stored (including your own) are mass E-Mailed this message in the hope that players will fall for it and click on the link and be phished.

Masked URL's - As you can see, the blue underlined URL above the one highlighted by the arrow is the legitimate link copied directly from the RuneScape website, however the URL below that, is the fake one. You can see the fake link when you hover over the underlined URL at the bottom left side of your browser page, this will reveal where the real link will redirect you to when you click on it. As you can see, there are only minor differences in the URL, some hijackers spend a lot of time and money working to get extremely similar URL's to the one has itself. This is done easily with use of basic HTML to mask the URL behind the real one with a reference code.

This is an example of the RuneScape login page, with the green security logo in the browser address bar.

This Green Security Logo is the most vital and important aspect of Phishing, it is the key difference between a Phishing site and the legitimate, official RuneScape website. This is the place you want to check your browser if you're not sure you're logging into the real website, for example if someone has linked you to a Forum page that requires you to login to see the thread within a hidden Forum.

The only place on the RuneScape website that this does not happen with, is the main Game login page.

Quick Find Codes are the key factor to avoiding a RuneScape Forum Phishes. The main reason for this, is that it's a safe way to get to a specific thread on the RuneScape Forums, no matter which Forum it may be in, because it means that you don't trust a link that someone sends you, instead you can go to the Forums yourself from the main page, and put in the Quick Find Code to take you directly to the thread needed.

You can enter a Quick Find Code into the Forums by heading to the top-right hand side of the RuneScape Forum page on either the main Forums or any thread you're reading. Simply Copy and Paste the code into the little box and hit enter, and it'll take you to your destination thread.

RAT'ing & Keylogging

There are lots of ways that hijackers try to keylog or RAT players, one of the main ones is via YouTube. The reason YouTube is such a predominant form of hijacking is due to a large number of people assuming the site is trusted because it's on a trusted website, however this is not the case.

In the image to the left you can see a YouTube video advertising a so-called "Gold Generator" - This is obviously fake as there are no cheats for RuneScape, the idea behind it is that you watch the video and feel tempted to click a download link in the description of the video which will infect your computer with a virus that logs your keystrokes, hence obtaining your RuneScape login details the next time you enter them into the RuneScape login screen.

This is not the only form of download that hijackers tempt players to download, others include "Item Generators" "Gold Generators" "Bots & Bot Clients" "General Cheats for RuneScape" "Dupe Glitches" "Glitch clients or hacks" - Pretty much anything that has a download link in the description of the video could potentially be malicious, the best thing to do would be to just stay away from clicking links on YouTube all together for complete security and safety.

A lot of these video makers use bots to make the video look more popular, to give it more likes and views, so the victim watching the video thinks "Oh but these people have liked it which means it worked and it has lots of views" - DO NOT BE FOOLED! This is simply an illusion to make you think that the video is popular for a good reason, when in reality it is all bots doing the views and likes to make the video look popular and foreboding.

Scamming Methods

REMEMBER - Scamming is against the Rules of RuneScape. If you see it report it!

"Doubling Money" Scam

This Scam commonly takes place at the Grand Exchange near one of the bank booths, the player claims that they are "Doubling" money, if the player trades an amount of money to the Scammer, the trade is accepted and the Scammer takes off with the money.

Although the idea of the Doubling scam is to take another players money by them thinking that their money will be doubled in the next trade - Usually the case is that the Scammer will double money "legit" for a few trades to make the players surrounding them think that the trade is legitimate and that they won't get scammed, when the reality is that the Scammer just wants to have people trade them a large amount of money as opposed to small "Test" amounts.

"Hot & Cold"/Gambling Scams

These Scams appear in all shapes and forms, they can be tricky at times because the whole scam is basically about trust, the best rule to go by here is TRUST NOBODY! It is now against the rules and considered bannable to participate in or host player-run games of chance where a player must 'trust' another player with their items or gold before being allowed to participate in the activity. If you see anyone hosting or taking part, be sure to report them for rule-breaking.

They most often occur in the form of "Hot and Cold" which is basically a Gambling game by use of the Flowers from the Waterfall Quest (Mithril seeds). The idea of the game is that you choose either Hot or Cold, hot being 3 colours of the flowers, Cold being the other 3, and the odd ones out being Black and White through which the gambler claims to triple your money, or one or the other is a Win/Lose - It depends on the gambler. What the scammer wants you to do is give them money, ask for a colour, if they win, they keep your money, if you win, they're supposed to double it - But instead, most of the time take off with the money instead of paying out.

"Trimming Armour" Scam

The "Trimming Armour" scam involves a player claiming to be able to provide a service which is not currently possible, or ever has been possible within RuneScape - to "Trim" the player's armour for them, and make it look slightly better than it does normally. This scam usually fools newer players that don't know how trimmed armour is obtained, from Clue Scrolls.

Guide Made by: Rogie
Corrections submitted by: Rogie, Dark, Joe, Max, Kronre, Amazing One, Power of Five, Secepatnya, Jamandy52