RuneScape Phishing Attack – Fake Email, Very Real Threat

In the gaming industry, a game that maintains its popularity for two decades tells us a lot about how high its quality is. RuneScape – a free online MMORPG game – has become the talk of the town lately, but for all the wrong reasons.

Unfortunately, threat actors are taking advantage of the game’s popularity to launch phishing campaigns targetting players of both the Old School and the standard (RuneScape 3) editions using fake emails.

Long story short, what’s fun is not fun anymore. The game has harnessed an increase in active players for many years now, especially after releasing a mobile version.

This is exactly why it has become a target for threat actors so they can ruin the players’ experience and benefit a lot in the process. The attackers have crafted a solid malicious campaign and we’re here to tell you all about it.

RuneScape Phishing Email – Fake It Till You Make It

Phishing attacks using fake emails have become a trend nowadays. Even the movie industry couldn’t avoid such attacks when threat actors impersonated a page for Spiderman spoilers a while back.

That’s not the end of it though as the gaming industry has also seen its fair share of attacks, especially ones that involve either discord or steam.

This time around, gamers have been hit hard with this RuneScape phishing attack as the threat actors have created a convincing campaign that eventually ends them up with the victims’ RuneScape Bank PIN.

In the game, players can pay real money to buy rare gems, which help them excel faster. Talk about PAY to WIN. As the player gains more experience, he/she will develop new skills such as woodcutting and fishing.

Apparently, the threat actors are the ones that gained an elevated ability – PHISHING. Now, they’re sending emails impersonating Jagex support. These fake emails alert the users that their email has been successfully changed.

Email Change

The notice advises anyone who disapproves of the change to click on the “CANCEL CHANGE” button. This is the first bait, but if it doesn’t work, the attackers made sure they had a backup plan.

At the end of the email, the scammers included a URL for victims to copy-paste manually on their browser. While both methods are different, the results are the same – they will direct the victim to a phishing site with a domain name that looks very legitimate.

RuneScape Login

We all know what happens here. But there’s an extra twist. Once the users submit their credentials, they’ll head over to yet another page.

This time, they have to provide their RuneScape in-game bank PIN. In doing so, the victims give full access to all items they collected to the threat actors, who may then do whatever they want with them.

We’re talking about transfers as well as selling them to other players who show interest. They do have full access to the account after all.

RuneScape Phishing Attack – A Single Click Costs A Lot

Malwarebytes stated that the manner of sending the victim’s information is quite interesting, and it is. However, you should always make sure that you’re safe, and don’t take the gaming world too lightly.

There’s no such thing as an email change without your consent. In other words, don’t fall for such tricks as they’re non-existent.

Finally, never click on or visit a link that might be sent to you via email. Don’t even copy-paste it to your browser. Just head over to the official website and you’ll be able to do everything there, even if it took a couple of extra minutes.

Jonathan Beesly

Jonathan is the main author at He regularly publishes posts that aim to introduce better cyber-security practices to the masses.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Related Articles

Back to top button