Security News > 2022 > June > RuneScape phishing steals accounts and in-game item bank PINs
RuneScape is a free online MMORPG game first released two decades ago but continues to be popular in the gaming community and enjoyed by millions of players.
The latest phishing campaign, spotted by Malwarebytes, attempts to target players of both the Old School and the standard editions via a fake email change notice.
The initial email pretends to come from Jagex support, the developer and publisher of the RuneScape series, informing the recipient of a successful email change for both editions.
Upon doing that, a second webpage loads, asking the victim to provide their RuneScape in-game bank PIN. Banks in RuneScape are virtual game item stashes that players build by paying real money or spending many hours collecting rare in-game items.
By giving away their bank PIN and account credentials, victimized players give full access to all items they collected to the phishing crooks, who may then transfer the items or take over the accounts and sell them to interested individuals.
If you are a RuneScape player and you're worried about your account security, note that Jagex support will never change your email address until you confirm the action, so all of those "Surprise" emails are phishing.