You can spend a decade building your account in Old School RuneScape. You can lose it in 30 seconds to a phishing link. This guide covers every layer of account security you should have enabled in 2026, the most common attack vectors, and what to do if your account is compromised.

OSRS account security basics

Most account losses happen at the login screen — not in-game.

The Essential Security Layers

1. Jagex Account + Strong Password

Migrate to the Jagex Account system if you haven’t already. Use a password manager-generated password — at least 16 characters, mixed-case, with symbols. Never reuse passwords across other websites.

2. Two-Factor Authenticator

Enable the authenticator app (Google Authenticator, Authy, or 1Password). This single setting blocks 99% of account-takeover attempts. Set it up the day you create the account — never “tomorrow.”

3. Bank PIN

Set a 4-digit bank PIN that’s different from your account password. After entering it once per session, you can access your bank freely — but if someone gets your login, they can’t clean out your wealth.

4. Email Security

Your registered email is the single most important point of failure. Use a dedicated email that isn’t linked to forums or game accounts. Enable 2FA on the email account itself. If your email is compromised, every account it’s tied to falls.

5. Bank PIN Lockout

Configure the bank PIN to have a long lockout after wrong attempts — this gives you time to react if you receive a recovery email.

✓ Pro Tip: The Jagex Account migration includes the option to set a unique authenticator and recovery method. Both should be enabled simultaneously — one without the other leaves a gap.

The 5 Most Common OSRS Account Attacks

1. Phishing Emails & Fake “Jagex” Pages

Fake account-warning emails (“Your account is suspended — verify here!”) lead to login pages that look identical to the real Jagex one. Once you submit, the attackers immediately drain the account.

Defense: Never click email links to log in. Always go directly to runescape.com manually. Real Jagex emails will not ask you to log in via a link.

2. Discord Scam Links (Fake Bonds / Streamer “Giveaways”)

“Click here to claim 5 free bonds from [Streamer Name]” — these always lead to phishing pages.

Defense: No legitimate Jagex/streamer giveaway requires login. Period.

3. Fake Client Downloads

Sites offering “modded RuneLite” or “XP-boost OSRS clients” are, 99% of the time, downloads that install a remote-access trojan (RAT) or keylogger.

Defense: Only download RuneLite from runelite.net or the official Jagex launcher.

4. Account Sharing

You give a friend your password to “train a skill while you’re away.” That friend’s computer is infected. Game over.

Defense: Never share login credentials with anyone, ever. No exceptions.

5. Trade-Window Swap Scams

The scammer modifies the items/gold on the second trade-confirmation screen. Less catastrophic than account theft but still painful.

Defense: ALWAYS re-read the second trade screen, even if the trade is small.

⚠ Reminder: No legitimate trade partner — not a friend, not a clan leader, not a Rune Heaven seller, not Jagex staff — will ever ask for your password, recovery, or authenticator code. Ever.
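Added example (not part of the original guide, and not Jagex or RuneLite code): a strict hostname check showing why links of the kind described in attacks 1 to 3 can contain "runescape.com" or "runelite.net" and still lead elsewhere. The allowlist holds only the two domains this guide names, and every sample link is constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: only the two official domains named in this guide are trusted.
OFFICIAL_DOMAINS = ("runescape.com", "runelite.net")


def check_link(url: str) -> tuple[bool, str]:
    """Return (trusted, reason) for a link found in an email or chat message."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "not https"
    if parts.username is not None or parts.password is not None:
        # In https://runescape.com@host/ the browser connects to host.
        return False, "text before '@' hides the real host"
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, "no host"
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return False, "internationalised host, possible look-alike letters"
    for domain in OFFICIAL_DOMAINS:
        # Trusted only if the host IS the domain or a true subdomain of it.
        if host == domain or host.endswith("." + domain):
            return True, f"host belongs to {domain}"
    return False, f"host '{host}' is not an official domain"


# Constructed sample links (".example" is a reserved, non-routable TLD).
SAMPLE_LINKS = [
    "https://www.runescape.com/account_settings",
    "https://runelite.net/",
    "https://runescape.com.account-verify.example/login",
    "https://runescape.com@secure-login.example/verify",
    "https://runelite.net.downloads.example/RuneLite.exe",
    "http://runescape.com/",
    "https://xn--runescpe-constructed.example/",
]


def triage(links=SAMPLE_LINKS):
    """Map each link to its (trusted, reason) verdict."""
    return {link: check_link(link) for link in links}


if __name__ == "__main__":
    for link, (ok, reason) in triage().items():
        print("OK   " if ok else "BLOCK", link, "-", reason)
```

The check compares the full hostname from the right-hand side, which is why an official name appearing at the start of a link proves nothing.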

RuneLite Plugins That Boost Security

A Safe-Account Checklist

  1. Migrated to Jagex Account ✓
  2. Unique 16+ character password ✓
  3. Authenticator app enabled ✓
  4. Bank PIN set and different from password ✓
  5. Registered email has 2FA enabled ✓
  6. Email is not used for any other game accounts ✓
  7. RuneLite downloaded only from runelite.net ✓
  8. No browser auto-fill enabled for password ✓
  9. Anti-virus running with real-time protection ✓
  10. Never click email or Discord login links ✓

What to Do If Your Account Is Compromised

  1. Stay calm and act fast.
  2. Submit an account recovery via runescape.com immediately. You’ll need your registered email and as much account history as you can remember (recovery questions, transaction IDs, original creation date, etc.).
  3. Change your email password first — if that’s compromised too, the attacker can intercept Jagex’s recovery emails.
  4. Scan your computer with at least two antivirus tools (Malwarebytes + Windows Defender) before logging in again.
  5. If you suspect your password was reused on other sites, change those too.
  6. Contact Jagex Support directly — the in-game complaint system isn’t the right channel for account theft.

“The five minutes it takes to set up an authenticator can save you the five years it took to max your account.”

How Rune Heaven Helps Keep Your Trades Safe

While Rune Heaven can’t protect you from a phishing email, every interaction on the platform is built to minimize risk:


Final Word

Account security in OSRS isn’t complicated — it’s just disciplined. Authenticator + Bank PIN + secure email + skepticism about every login prompt. Do these four things consistently, and you’ll be in the top 1% of OSRS players for account safety. Skip any one of them and you’re a phishing email away from disaster.