I have been reading a lot of complaints from people getting hacked and scammed, so I made this guide for all new and existing players to help them protect their accounts from being hacked as much as they can, along with some tips on how to avoid getting scammed.
1. Secure password
When creating an account the most important thing you can do is create a strong password.
Your password should be at least 8 characters long and should contain a combination of letters, numbers and symbols.
Never share your password with anyone! Also, do not enter your password anywhere except the official RuneScape website or game!
General password guidelines
- DO NOT pick any word or number which has a connection to you, so don’t pick your favourite animal or your house number.
- DO NOT use your phone number or any personal information as your password. This can be easily guessed by a friend or relative.
- DO NOT just use a number at the end of a word, such as apple1.
- DO NOT use common number and letter substitutions, e.g. 4 as the word ‘for’, 1 as ‘L’ or ‘I’, 5 as ‘S’.
- DO NOT use repeating characters ‘bbbbbbbbbb’ or series of characters such as ‘kbkbkbkbkbkb’ or also something like ‘rs2rs2rs2rs2’.
- DO NOT use your real name, account name or name of an item either forwards, backwards or divided up.
- DO NOT use a series of characters off any keyboard such as ‘adfsghd’, ‘lkjhgf’ or ‘qazwsxedc’, as these are very common and hijackers will look for these.
- DO NOT fall for users saying that the system will censor your password.
- DO NOT give your password to anyone. This includes any friends, relatives, or other players. If asked in-game for it, report the player under Rule 3 – Password Scamming.
- DO NOT use a password that you’ve previously used on your account.
- DO NOT use your RuneScape password for other things such as your e-mail account. If the password for one is discovered, access to your RuneScape account becomes much easier for hijackers.
- DO NOT use your RuneScape password a second time for an account on another website, or for a secondary RuneScape account.
- Be careful about keeping your RuneScape password in places where it may be accidentally discovered, like in a Microsoft Word document.
- Passwords must range from 5 to 20 characters. Using more characters significantly reduces the likelihood of having an account stolen.
- Passwords should not be entered if there is someone directly behind you. Long passwords with no discernible pattern of words and numbers like “ag955gop233xz521” are very difficult to memorize at a glance. Do not use ag955gop233xz521 as your password, since this might be guessed by an account hijacker.
- Jagex moderators will never ask you for your RuneScape password. Any player who claims to be Jagex staff should be reported either for Rule 3 – Password Scamming, or Rule 5 – Jagex Impersonation.
- Passwords should never be entered on any website besides runescape.com and jagex.com. Many non-legitimate websites have keyloggers, which record and steal players’ passwords. The same rule applies to RuneScape fansites.
- It is advisable to change your password every 3 to 6 months, so long as you keep it safe.
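The pattern rules in the list above can be checked mechanically. The following is an added example, not part of the original guide or any Jagex tool: the function names, the substitution table beyond 4, 1 and 5, and the choice of 8 as the minimum (the guide's advice) and 20 as the maximum (the stated limit) are assumptions of this sketch.

```python
import re

# Keyboard rows plus the column walk ('qaz', 'wsx', ...) used to spot runs.
KEY_RUNS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
            "qazwsxedcrfvtgbyhnujmikolp"]
# The guide's substitutions (4, 1, 5) plus a few other common ones (added here).
LEET = str.maketrans({"4": "a", "1": "l", "5": "s", "0": "o", "3": "e",
                      "@": "a", "$": "s"})


def has_keyboard_run(pw, run=4):
    """True if pw contains `run` adjacent keys, forwards or backwards."""
    low = pw.lower()
    for seq in KEY_RUNS:
        for s in (seq, seq[::-1]):
            if any(s[i:i + run] in low for i in range(len(s) - run + 1)):
                return True
    return False


def check_password(pw, personal=(), wordlist=()):
    """Return the guideline violations found in pw (empty list: none found)."""
    problems = []
    low = pw.lower()
    # At least 8 characters (guide's advice), at most 20 (the stated limit).
    if not 8 <= len(pw) <= 20:
        problems.append("length")
    # Letters, numbers and symbols should all be present.
    if not all(re.search(p, pw) for p in (r"[A-Za-z]", r"\d", r"[^A-Za-z\d]")):
        problems.append("character mix")
    # One short unit repeated: 'bbbbbbbbbb', 'kbkbkbkbkbkb', 'rs2rs2rs2rs2'.
    if re.fullmatch(r"(.{1,4})\1{2,}", low):
        problems.append("repeating pattern")
    if has_keyboard_run(pw):
        problems.append("keyboard run")
    # A word with only digits appended, e.g. 'apple1'.
    if re.fullmatch(r"[a-z]+\d+", low):
        problems.append("word plus number")
    # Personal terms or known words: forwards, backwards, or behind substitutions.
    plain = low.translate(LEET)
    for term in list(personal) + list(wordlist):
        t = term.lower()
        if t and (t in low or t[::-1] in low or t in plain):
            problems.append("contains '%s'" % term)
    return problems
```

An empty result only means none of these patterns were found; scrambled key sequences such as ‘adfsghd’ and reuse of an old password are outside what this check can see.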
2. 2FA Authentication
In my opinion, two-factor authentication is one of the most important steps in securing your account. Not just your RuneScape account, but any account.
The most popular app for storing 2FA tokens is Google Authenticator (google.com).
Here is how the system works: First, to set it up, you will need to scan a QR code that is generated on the RuneScape site. I recommend taking a screenshot of that QR code and printing it or storing it somewhere safe in case you lose your phone. Otherwise you will have a hard time logging in, since it is required for logins and any changes in account settings.
After you have scanned the QR code in your app, it will start generating 6-digit numbers that you will need to enter when prompted by the game. This code will change every minute, making it pretty close to impossible to guess or hack.
With 2FA enabled, your account should be protected even if the scammer/hacker obtained your password. But even with this enabled, don’t let your guard down, because you can still get hacked if you are not careful enough!
Enabling 2FA will also have huge security benefits in step 4. Bank PIN.
Setting up 2FA
To set up the RuneScape Authenticator, players must visit the Authenticator landing page (runescape.com).
You can either click on the link above or you can click on “Account” on the main page of RuneScape.
After clicking you will have to login. After that’s done it will take you to your “Account settings” page where you click on “Authenticator” and follow the instructions.
Jagex generates a secret key unique to each user and presents it as a QR code and as a 16-character string; these are used to add your RuneScape account to a two-factor authentication app. On its support pages, Jagex recommends Authy (authy.com) or Google Authenticator (google.com).
Once set up, players are prompted to enter a 6-digit time-based code whenever they log in to the game using an untrusted computer. Players can choose to trust the computers on which they play RuneScape for up to 30 days or choose to enter a code every time they wish to play. Jagex implements a 10-minute window (five minutes on either side of the actual time) to enter the correct code to allow for a possible lack of synchronisation between Jagex’s server time and player devices.
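How a shared secret turns into 6-digit codes, and how a server can accept codes from five minutes on either side of its own clock, is shown in the added example below. It is not Jagex's code: it follows RFC 6238 with the defaults authenticator apps commonly use (base32 secret, HMAC-SHA1, 30-second step), all of which are assumptions here, and the secret is the public RFC 6238 test value.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per code: the RFC 6238 default (assumed, not from the guide)
DIGITS = 6   # the 6-digit code the guide describes


def totp(secret_b32, unix_time, step=STEP, digits=DIGITS):
    """RFC 6238 code for a base32 secret at the given Unix time."""
    key = base64.b32decode(secret_b32.replace(" ", "").upper())
    counter = struct.pack(">Q", int(unix_time) // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                  # dynamic truncation, RFC 4226
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def matching_offset(secret_b32, code, server_time, skew=300, step=STEP):
    """Seconds between server time and the step that produced code, or None.

    skew=300 models the five minutes on either side that the guide describes.
    """
    steps = skew // step
    for n in sorted(range(-steps, steps + 1), key=abs):   # nearest steps first
        t = server_time + n * step
        if t < 0:
            continue
        if hmac.compare_digest(totp(secret_b32, t, step), str(code)):
            return n * step
    return None


def verify(secret_b32, code, server_time, skew=300):
    """True if code is acceptable anywhere inside the +/- skew window."""
    return matching_offset(secret_b32, code, server_time, skew) is not None


# Constructed demo: the RFC 6238 test secret (20 bytes, base32-encoded).
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
if __name__ == "__main__":
    code = totp(RFC_SECRET, 59)
    print(code, verify(RFC_SECRET, code, 59 + 240), verify(RFC_SECRET, code, 59 + 600))
```

The wide window tolerates clock drift, but it also means a code typed into a fake login page stays acceptable for minutes, which is why 2FA does not replace checking where you are entering it.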
To turn off the authenticator, click the “disable authenticator” link on the Authenticator landing page (runescape.com). Jagex will send an email containing a link to disable the authenticator to the email address registered to your account. It is highly encouraged that the email associated with the account also be secured with two-step authentication so that the RuneScape Authenticator cannot be easily removed.
3. Setting up login with Google, Facebook, Apple, Steam,…
Logging in with third-party providers like Google or Steam will make your login process more convenient and in some cases more secure. You should also make sure that these accounts are properly secured, otherwise you can get “hacked” through them.
How to set up login with external provider
First you should open up the official RuneScape page: https://www.runescape.com/community
Click on “Account” in the top right corner.
After you have clicked, you will have to log in. After that’s done, it will take you to the “Account settings” page. From there, click on “Linked Accounts”.
After clicking on that it will take you to the page where you can manage linked accounts. There you can link, unlink or manage other settings for your linked accounts.
4. Bank PIN
So let’s say that someone was able to log in and is now playing on your account. If you have a bank PIN set up, they won’t be able to do any significant damage to your account, since the bank and any other money-related things cannot be accessed.
The best option here is to use the 2FA code as your bank PIN. This makes it more robust and more “hack proof”.
Setting a bank PIN
To get a bank PIN, players may click on the “Set a Bank PIN” button at the bottom of the Bank interface. Alternatively, players may choose to talk to a banker and say that they would like to check their PIN settings. Once they have done this, they may then set a 4-digit PIN. The Bank PIN may be cancelled before it is put to use.
Their bank will then have a bank PIN in either 3 or 7 days, at the player’s discretion. The reason for a 3 (or 7) day delay is that if a person hacks the player’s account before the PIN is set, the player can cancel the PIN the next time they log back on.
If you have set up an external RuneScape Authenticator app for your game account, you will also have the option to use that as the PIN. The app will send a 6-digit authentication code that is always changing and would require that you have your phone with you.
To remove a bank PIN, simply talk to the Banker, click “I’d like to check my PIN settings”, and then press “Delete PIN”. However, I would recommend that you never remove your PIN, since it leaves your bank unprotected.
Using a bank PIN
When a player has a bank PIN, they must then click on the 4 numbers they set it to. Once they have done this, they will have access to their bank account. The bank stays unlocked until the player logs out or loses their connection. The numbers on the keypad shift around after being clicked on, and the numbers move around within their red boxes. This is to prevent screen-capture spyware from compromising the player’s PIN.
After two failed attempts to enter the bank PIN, the system locks the player out for 10 seconds and tells them to use the “cancel” option if they have made a mistake in entering their PIN. After another failed attempt the system locks the player out for 15 seconds. Once four failed attempts are made, the player must wait 10 minutes before trying again.
Advantages of using a bank PIN
Bank PINs are a form of damage control against account thieves. Accounts can be stolen if an attacker obtains the login name and the associated password. If a computer is infected with a key-logger, it is possible for a thief to learn the login name and password combinations. Even without such malware infections, weak passwords might be guessed.
If an account thief is armed with only a username and the password, they will not be able to access the items stored away in the account’s bank. Additionally, a keylogger cannot easily obtain the PIN, because players have to click on the numbers instead of typing them.
Bank PINs are the best things players can have to protect their bank account and it is strongly recommended to have one. In addition, players are well advised to only access their account from a trusted and non-infected computer. A non-obvious password and periodic password changes also help to prevent access to accounts.
As the Bank PIN only protects items that are in the bank, there is no protection for items that a player wears or has in the inventory, unless you activate the Bank PIN options in the miscellaneous settings that require the PIN for dropping high-value items and for entering high-risk areas such as the Wilderness. Banking all valuables prior to logging off places them behind the protection of the Bank PIN.
The Bank PIN system also appears when attempting to enter the Player-owned house in Building mode for the first time after logging into the game. This helps protect the Player-owned house from vandalism and/or theft from the Costume Room.
Situations that require a bank PIN
If you are using a 2FA token as your PIN, note that you only need to enter it once; it will last until you log out or have been in the lobby for some time.
- Accessing the bank.
- Trading at the Grand Exchange.
- Entering Building mode in a Player-owned house.
- Opening/searching stored items in a Player-owned house Costume Room or Menagerie.
- Accessing the Party Room chest.
- Accessing a player’s Miscellania funds.
- Re-Claiming an item from the Dragon Keepsake box.
- Trading with the Rewards trader in Daemonheim.
- Customising your Ring of kinship inside a dungeon in Daemonheim.
- Accessing the metal bank.
- Clan owners leaving their clan, demoting themselves or promoting deputies.
- Accessing the Customisation tab in the citadel interface.
- Accessing the Money pouch.
- Accessing the Slayer points interface.
- Accessing the Members Loyalty Programme shop.
- Accessing parts of the clan citadel.
- Trading with another player.
- Changing a Character name using the hero’s tab.
- Deploying a Challenge gem.
- Dropping coins or items on ground with a total value higher than 500,000 coins (if the bank pin setting for this feature is activated).
- Entering high-risk areas such as the Wilderness, Crucible, Clan Wars red portals and others (if the bank pin setting for this feature is activated).
- Destroying a completionist cape.
- Accessing machine interfaces in the Invention Guild.
- Accessing hidey-holes.
- Accessing a material storage container.
EXTRA: Being careful with web links
Ok, so basically a lot of scams/hacks will attempt to steal your login details. You will go to a website that looks identical to the real one, enter your details, and with that you will send all the data that the scammer/hacker needs. After that he will log in to your account and steal your items or even get you banned.
To prevent this from happening, you should always be logging in with third-party providers (Google, Apple, Steam,…; check section 3. Setting up login with Google, Facebook, Apple, Steam), since those services are very secure against this type of scam. Long story short, the third-party login system was designed to be secure and it will only work on the original website/client. But this doesn’t mean that you should just be clicking and logging in before verifying if the website is real or not.
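Verifying whether a website is real comes down to reading the hostname, not the page's appearance. The added example below (not part of the original guide) classifies links against the two official domains named in section 1; the function names, the https requirement and the verdict labels are assumptions of this sketch, and the sample links are constructed.

```python
from urllib.parse import urlsplit

# The only two sites the guide says should ever receive a RuneScape password.
OFFICIAL_DOMAINS = ("runescape.com", "jagex.com")


def check_link(url):
    """Classify a link: 'official', or the reason it must not get a password."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
        has_userinfo = parts.username is not None
    except ValueError:
        return "malformed"
    if parts.scheme != "https":
        return "not https"
    if has_userinfo:
        # In https://runescape.com@host/ the real site is whatever follows '@'.
        return "userinfo trick"
    for domain in OFFICIAL_DOMAINS:
        # Exact match or a true subdomain; the dot stops 'notrunescape.com'.
        if host == domain or host.endswith("." + domain):
            return "official"
    names = [d.split(".")[0] for d in OFFICIAL_DOMAINS]
    if any(name in host for name in names):
        return "lookalike"
    return "other site"


# Constructed sample links; the fake hosts use the reserved .example TLD.
SAMPLE_LINKS = [
    "https://www.runescape.com/community",
    "https://jagex.com/",
    "http://www.runescape.com/community",
    "https://runescape.com@login.example/",
    "https://runescape.com.login.example/",
    "https://www.runescape-membership.example/",
    "https://forum.example/thread/1",
]


def review(links=SAMPLE_LINKS):
    """Map each link to its verdict."""
    return {link: check_link(link) for link in links}


if __name__ == "__main__":
    for link, verdict in review().items():
        print(f"{verdict:15} {link}")
```

Only the ‘official’ verdict is a go-ahead; every other result, including ‘other site’, means the page should not be given a RuneScape password.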
Remember that if RuneScape has any free promotions, they will be posted on the official profiles on Twitter, Facebook,… so if a random guy is telling you that RuneScape is giving away free membership or other stuff, he is probably a scammer and you should just report and ignore him.
Make sure that links look exactly like this:
EXTRA: Spotting scammers in game and staying safe
While the RuneScape community is full of pleasant and helpful people, you may come across some less pleasant players during your time in Gielinor. Always be on the lookout for anything that looks like a scam or may be a phishing attempt on your account.
If anyone asks you for personal information, such as your login or personal details, you should not give them this information. You may also see messages with URLs in the chat box – be cautious when visiting these websites if you do not recognise the links, as they could be dangerous.
Often, scams happen when other players advertise services, in which you have to trade them gold or items. If it sounds too good to be true, it probably is. For example, a common scam that has existed for as long as RuneScape has existed is that players will propose to “double” your money, by first trading them your coins. This is always a scam, and they will simply disappear with your money.
To help keep Gielinor safe, you might come across Player Moderators. These are normal players in the game that have a silver crown in the chat box to distinguish them from other players. These players have the ability to mute others in the chat, and report them directly to Jagex. Rarely, you might come across Jagex Moderators, which are represented with a gold crown in chat instead. These are actual Jagex employees, the developers who make the game. If anyone without one of these crowns tells you that they are a moderator or have the ability to mute/ban you, they aren’t telling the truth and you should report them.
Another type of scam, known as luring, happens in the Wilderness. If someone asks you to enter the Wilderness holding something that you aren’t willing to lose, don’t listen to them! They are trying to kill you inside of a PvP area so that they can take your items.
You can report any player by right-clicking their message in the chat box and clicking ‘Report’.
A good tip: Be suspicious of everyone that asks you to trade, follow, meet them here, world hop there, etc. if you don’t know them in person.
You can check a list of scams here (runescape.wiki). Note that not all scams are listed there, because scammers are evolving and coming up with new ways of scamming every day.
I hope this guide helped you and was written in a way that can be understood.
If you have any edit suggestions or remarks you can leave them in comments and I will try to add them into the guide.