Password scams are a subset of scams where a player attempts to get their victim to trust the player with or mistakenly leak their password. Asking another player for their password, sharing your password or account with another player, or attempting to get another players password by any other means, is a direct violation of Jagex's Rules of RuneScape. This page is not intended to promote or advertise scamming in any form; its sole purpose is to inform players of any possible scams to help keep their account safe and secure.
Recovery question scamsEdit
Suggested actions: Report the player for asking for or providing contact information such as full names, ages, postal or email addresses, telephone numbers, or bank details, under the security category. The best way to make this scam ineffective is have the answer not even related to the question (or to simply ignore the scammer in the first place.)
Befriend and trade ScamEdit
A player befriends another in attempt to gain trust and eventually trick them in giving his or her password.
Suggested Actions: Defriend him/her in RuneScape and avoid him/her in real life, change your password, and report him/her for item scamming.
Password Change TrickEdit
Some players trick others by telling them to change their password to a "code" that will give them money and a lot of it.
What actually happens: The player ends up changing your password while logged in using another window. When you log off the player then quickly logs in using another trick called Multiple logging in.
Suggested Action: Report the player for password scamming.
Password censoring scamEdit
Previously, RuneScape did not censor players' passwords (this would give away passwords like "rune axe" for example). Some players would trick others into thinking otherwise, and then look for any text that may resemble a password. As of April 24 2007, Jagex changed the system so that sentences which contain a player's exact password or a large portion of it would not show up, although it only blocks the exact text of their password, and would still be visible to scammers if typed incorrectly, but this method is rarely used today. However, password scamming still occurs on RuneScape and RuneScape Classic. Scammers may also say that if you type your password backwards, it will still be censored (such scammers use phrases like: "w00t! jagex won't let you spell your password backwards!") . That is not true, your password will be shown and the scammer will know your password.
Suggested action: Players should report under password scamming Passwords are NOT blocked on RuneScape Classic, so people just asking for people to post their unchanged passwords can still be reported there. Since your password is indeed censored (save for RuneScape Classic, it is not reportable unless the scammer tells you to misspell your password or spell it backwards.
Account trades and transfersEdit
Not only is transferring accounts against Jagex's rules, it is extremely risky. The player may take the other player's money and never give him/her the password. Even if the player receives the account and changes the password, the original owner can take it back using the recovery questions. Additionally, some players may give you a high-level account, in hopes that you'll transfer your items to it. The scammer can then recover the account, and take any items that you may have placed on it.
Suggested actions: Report the player for buying, selling or sharing an account. If you see accounts being sold on other web sites, send Jagex a link to that site via a Customer Support query. Accounts being sold on eBay no longer need to be reported, as Jagex is now checking that regularly themselves.
Fake RuneScape websitesEdit
Some players will make sites that look similar to the real RuneScape site, and offer moderator applications, beta access to "Runescape 3", or entry into contests. In reality, these sites would collect your password and may present you with a fake error message when you enter your information.
Suggested actions: You should never enter your RuneScape password into any site other than the official Jagex Ltd. sites, whose domains are jagex.com, runescape.com, funorb.com, waroflegends.jagex.com (or just waroflegends.com), stellardawn.com, and 8realms.com. Familiarise yourself with the ways domain names can be faked. You should avoid even visiting fake sites, as some may exploit vulnerabilities and may make your computer run a Worm or Trojan when you visit the site. Finally, you should report the site to Jagex via customer support after you put your information into the fake login it will not work and you will most likely say to the scammer it didn't work, he will tell you you have to be logged out. DO NOT LOG OUT! IF YOU DO, YOUR RECOVERY QUESTIONS AND E-MAIL ADDRESS MAY BE CHANGED! Do not enter your password anywhere except for where it says Jagex limited in your browser bar.
This usually happens on other websites, such as forums or blogs. The player will make an e-mail address and claim that it is an e-mail address that will send you another member's password, make you a free member, give you 99 billion coins, etc.
Any e-mails from Jagex will always have a web address of "email.runescape.com". (Example: The RuneScape Courier comes from firstname.lastname@example.org.) However, aside from membership receipts, updates for your membership loyalty points, and the RuneScape Courier, Jagex no longer sends e-mail to players.
Suggested actions: Report the e-mail to Jagex via customer support (email@example.com) and delete it. When reporting the e-mail to Jagex, try to include the header information. If possible, block the user from sending you any more e-mails. To prevent scammers from harvesting your e-mail address, try to set it to "hidden" on Internet forums.
Cheat program scamEdit
Some scammers will offer programs that claim to make RuneScape easier, but they will actually either steal your password or result in your account getting banned. This is one reason that Jagex discourages use of toolkits. However, Jagex has confirmed Swiftkit to be a legitimate toolkit that will not steal your information, and Jagex has also produced a program that opens up Runescape directly from your desktop.
Suggested action: Do not use toolkits. Sometimes, your computer can get a keylogger just from visiting these sites, so make sure that your computer has an anti-virus program, and that it is up-to-date. Do not report other players for using these unless they openly admit it during chat.
Some RuneScape fan sites (or even fan wikis for that matter) , even the most reputable ones, may display ads that encourage cheating or real-world trading. Often, the administrators of fan sites do not have control over the ads, which are served by an advertising company. Some other ads may offer money-making "guides" that are no different from the ones offered for free on forums.
Suggested actions: Report the ads to the administrators anyway under the advertising websites in the security section of the rules. The administrator may, in turn, send complaints to the advertising company. Sometimes, the advertised website is found near the advert. In this case, members or qualifying free players can report the website via forums.
Jagex staff impersonation scamEdit
Jagex staff will never ask for your password, bank PIN or personal details. Any player who has a silver crown next to the player's name is a player moderator, and any player with a green background and "Forum Mod" displayed under their avatar on the forums is a Forum Moderator. Anyone who claims to be a moderator but has no crown showing, should be reported for Jagex staff impersonation, under the honour category. This applies to anyone, even if you know the player is a moderator on a different account. It is against the rules for anyone, even moderators, to claim to be a moderator or claim to have moderator powers when no crown is showing to the left of the name. For more information see the Moderator guide.
Suggested actions: Report the player immediately for scamming in the honour category. Real Jagex staff will never ask for a player's password because they don't need your password to access your account as they already have the password.
One of the easiest ways to accidentally stumble onto a fake Runescape site is through visiting fansites. Most forums allow anyone who registers the ability to mask their link behind an alternative display text through BBCode. Phishers will abuse this feature by posting or pming an innocent looking message with their malicious link hidden behind what appears to be a legitimately safe link.
Suggested Action: Always be careful when browsing the web, even on fansites. Modern browsers allow you to see where a link leads to if you hover your mouse over it before clicking. If you receive a pm from someone you don't know with a link inside, do not trust it. If you do accidentally click on a link, close out the window and run a scan immediately.