This is a condensed guide on account security and will cover the following points:
1: How do I keep my account secure?
2: How do people get "hacked" and how can I prevent getting "hacked"?
3: I got "hacked" what do I do now?
Jagex has a less detailed guide on account security as well, which you can view here https://www.runescape.com/oldschool/security
1: How do I keep my account secure?
Keeping your account secure at all times is essential to prevent getting "hacked" or recovered.
1.1: Passwords
A strong password consists of at least six characters (and the more characters, the stronger the password) that are a combination of letters, numbers and symbols (@, #, $, %, etc.). Sadly Runescape passwords are not case sensitive.
Do NOT use the same password for any other things (emails, games, forums, etc.)! This is self-explanatory, but some people still use the same password for everything, even for their Runescape related email.
Change your password periodically (like every month)! Your previous passwords are important information: they're like footprints that only you know. The odds of being successfully "hacked" drop drastically if your account has dozens of passwords logged.
Do NOT store your passwords on your PC! Instead write them down on a piece of paper if you can't remember them (for something like a Runescape password this is fine, however, this isn't recommended for more important information such as real life bank account details etc.).
1.2: Email
Do NOT use your Runescape login email as your everyday email! Many people created their accounts years and years ago and didn't think of account security back then. It's possible that your login email is leaked somewhere along with its passwords. Furthermore, if you accidentally leak your login email, through streaming for example, you don't have to be afraid that your email account is going to be targeted, because that email account is irrelevant to you anyway.
Do NOT use the same email for any other things (games, forums, etc.)!
Use a different password for your email and your Runescape account! I know I'm being repetitive here, but I can't stress this enough.
Activate two-factor authentication on your email account.
1.3: Bank Pin
Have a bank pin set on your account and set the delay of removal to 7 days! I know it can be inconvenient at times, but the bank pin is your most important second layer of security. Unlike the authenticator, it won't be deleted if your account gets recovered.
Use random numbers as your bank pin! Do NOT use stuff like your birth date or year or any other meaningful number combinations related to you.
Change your bank pin periodically (like every month)!
1.4: Authenticator
Activate an authenticator on both your Runescape account and on your email. The authenticator is arguably the most controversial account security measure. It's simply stupid that Jagex doesn't have an opt-in for putting a delay on its removal. However, the authenticator is still an important account security tool. Even if somebody knows your current password, they won't be able to access your account if you have an active authenticator set.
Do NOT have the authenticator software on your PC! Have it on your mobile phone instead! If your PC is ratted, "hackers" will be able to bypass your authenticator if it's accessible on your PC.
1.5: Account Information
Do NOT share important account information with anyone. This includes things like your account creation date, your (creation) ISP, your IP, your payment method and any information regarding your previous payments, your country, your name or your postcode. "Hackers" often try to get you to reveal account information with subtle questions. Keep this in mind, especially if you're a streamer.
1.6: Account Ties to Social Media
Do NOT tie your Runescape account to social media! You can check if your account is tied to any social network by going to your account settings under social networks. Make sure no social network is tied to your account and untie any if necessary. "Hackers" can recover your account by just having access to your Facebook for example.
1.7: Account Sharing
Do NOT share your account, period! Sharing your account is one of the dumbest things you can do. Your account could be stripped of all its wealth at any point and it could even end up in recovery battles for the account. This also includes things like letting somebody on your account temporarily to do skills or other challenges for you or to change your RSN for you. Do NOT let anyone on your account, ever.
1.8: Runescape Private Servers
Do NOT play private servers! Private servers are notorious for compromising your information to "hack" your account.
1.9: Runescape Clients
Be careful of which client you use! I know people want everything spoonfed through clients, but I highly recommend only using the official client. If you choose to use a third party client you put your account at risk. I don't want to be overly dramatic here, so if you choose to use a third party client, at least make sure you don't fall for fake download links.
2: How do people get "hacked" and how can I prevent getting "hacked"?
To understand how to prevent getting "hacked" you must be aware of possible and common "hacking" methods.
2.1: How can I prevent getting "hacked"?
Keep your account secure at all times and be aware of possible and common "hacking" methods!
2.2: How do people get "hacked"
First off, the people who try to "hack" you aren't gifted masterminds. They use very basic methods of obtaining your information and you shouldn't fall for them as long as you are aware of them.
2.2.1: Phishing Links
Phishing links are arguably the most common Runescape related "hacking" method out there. You will be lured (fake URL shorteners, fake emails, fake Twitch streams, fake Youtube videos, fake in-game chat promises, fake Jagex employees, fake Discord DMs (from impersonators), etc.) to a fake Runescape website by clicking on a phishing link. What exactly is a phishing link? Usually you'll encounter spoofed links that look like they're the real deal, but they're not. The padlock sign is helpful, but you must be aware of how people spoof URLs.
This is an example of a correct URL: https://en.wikipedia.org/wiki/RuneScape
The most important part of this URL is the https:// protocol and the root domain, which consists of a domain name and the top level domain (wikipedia.org in this case). https:// is an extension of http:// that encrypts your communication and will be used during tasks that involve sensitive information such as typing in your Runescape account details. Do NOT get tricked into thinking https:// automatically means that you're on the correct site. Owners of phishing sites can also buy certificates.
These are examples of spoofs:
https://en.wikipebia.org/wiki/RuneScape
Notice how the domain name has a b instead of a d.
https://en.wiki.pedia.org/wiki/RuneScape
Notice how the domain of the URL is different. The actual second level domain and top level domain (this is called the root domain) would be pedia.org in this case. The wiki part is what is called a subdomain. Subdomains can be created freely for any root domain. The / marks folders. Pay extra attention to what's left of the first / after https://! That's how you can identify the root domain! The root domain for Runescape is runescape.com and nothing else!
Keep in mind that links can be disguised with hyperlinks. ALWAYS hover over links to check the real URL before clicking them!
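To make the "what's left of the first /" rule concrete, here is an added example (not part of the original guide) that extracts the root domain of a link the way the guide describes and flags the spoofs shown above. It assumes the expected root domain is a plain name.tld pair such as runescape.com, so it treats the last two host labels as the root domain; hosts under public suffixes like co.uk would need the Public Suffix List to be split correctly. The typosquat heuristic (edit distance of 2 or less) and the sample links are constructed for this example.

```python
"""Root-domain check for links, as described in the phishing section.

Added example, not code from the original guide. Assumptions:
- the expected root domain has exactly two labels (name.tld), so the
  root domain is taken as the last two labels of the hostname;
- a root domain within edit distance 2 of the expected one is reported
  as a likely typosquat (a constructed heuristic, not a Jagex rule).
"""
from typing import Dict, List, Optional
from urllib.parse import urlsplit

EXPECTED_ROOT = "runescape.com"  # the guide: "runescape.com and nothing else"


def root_domain(url: str) -> Optional[str]:
    """Return the last two labels of the URL's host, or None if there is no host.

    urlsplit().hostname strips the port and anything before an '@', so a link
    like https://runescape.com@example.test/ correctly yields example.test.
    """
    host = urlsplit(url).hostname
    if not host:
        return None
    labels = host.rstrip(".").split(".")
    if len(labels) < 2:
        return None
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-letter swaps like wikipebia."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(url: str, expected: str = EXPECTED_ROOT) -> Dict[str, object]:
    """Classify a link against the expected root domain.

    Returns a dict with the extracted root, a boolean 'safe' and the list of
    reasons when it is not safe (wrong root, not https, punycode label, ...).
    """
    parts = urlsplit(url)
    root = root_domain(url)
    reasons: List[str] = []

    if parts.scheme != "https":
        reasons.append("scheme is %r, not https" % parts.scheme)
    if root is None:
        reasons.append("no host found in the link")
    elif root != expected:
        reasons.append("root domain is %r, not %r" % (root, expected))
        if edit_distance(root, expected) <= 2:
            reasons.append("root domain looks like a typosquat of %r" % expected)
    # Internationalized labels (xn--...) can render as lookalike characters.
    host = parts.hostname or ""
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("host contains a punycode (xn--) label; check it carefully")

    return {"url": url, "root": root, "safe": not reasons, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample links: the guide's own examples plus a few variants.
    samples = [
        ("https://www.runescape.com/oldschool/security", EXPECTED_ROOT),
        ("http://www.runescape.com/oldschool/security", EXPECTED_ROOT),
        ("https://en.wikipedia.org/wiki/RuneScape", "wikipedia.org"),
        ("https://en.wikipebia.org/wiki/RuneScape", "wikipedia.org"),
        ("https://en.wiki.pedia.org/wiki/RuneScape", "wikipedia.org"),
        ("https://runescape.com@example.test/login", EXPECTED_ROOT),
    ]
    for link, expected_root in samples:
        result = check_link(link, expected_root)
        status = "OK  " if result["safe"] else "WARN"
        print(status, link, "->", result["root"], "; ".join(result["reasons"]))
```

The check is deliberately conservative: anything whose root domain is not exactly the expected one is reported, and the edit-distance line only adds a hint about why a link probably looks legitimate at a glance. It is a reading aid for the rule in the guide, not a substitute for hovering over links and reading the address bar yourself.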
Be especially cautious of phishing links through emails. You'd think that only Jagex could send you an email, but your email could be leaked. "Hackers" will spoof their email address as well to look like the real email address. You SHOULD have an email only for your Runescape account and that's why you can ignore any emails you receive on that email account. If absolutely necessary, Jagex will always contact you through their in-built mailbox system which you can check through your account settings. If you encounter fishy emails, change your account contact email information!
2.2.2: Social Engineering
Social engineering refers to psychological manipulation of people into performing actions or divulging confidential information. Do NOT accidentally leak account information! Account information can be used to recover your account! "Hackers" will approach you with subtle questions like: "Hey man, nice account, that must've taken ages. When did you start playing?", "I love bonds. I can play the game without paying real money. How do you pay for the game btw?", "Damn, I see you online all the time, where are you from?" with the typical follow up question "Yeah I imagined, but where exactly in that country are you from?", etc. Streamers especially MUST be aware of social engineering.
2.2.3: IP Grabbers
IP grabbers are links that you're expected to click on immediately and are usually given to you via DMs. IP grabbers allow the "hacker" to grab your IP. Your IP is incredibly valuable information. By knowing your IP "hackers" know your ISP and your location, which is sensitive information that can be used to recover your account. They can also DDoS you and therefore prevent you from getting your account locked in time. Do NOT click on links from people you don't know! This also means, don't go to phishing sites and troll them with fake logins. They will compromise your IP.
2.2.4: Rats / Back Doors
A remote access Trojan (RAT) is a malware program that includes a back door for administrative control over your computer. RATs are usually downloaded invisibly with a user-requested program (like a client or a game) or sent as an email attachment. Be very careful what Runescape related stuff you download! If you're ratted "hackers" are able to bypass all security measures. Once you've downloaded something Runescape related, perform a thorough virus scan on your computer before logging into the game again!
2.2.5: TeamViewer
TeamViewer is proprietary computer software for remote control, desktop sharing, online meetings, web conferencing and file transfer between computers. Never allow anyone to access your PC remotely through TeamViewer or similar software! TeamViewer scams usually don't result in your account being compromised, but rather strip you of your wealth on the spot.
2.3: How do people recover accounts?
"Hackers" abuse Jagex's questionable recovery system. First "hackers" try to get as much of your account information as possible. Most of your account information is easily accessible online or by socially engineering you. It's crucial that you don't share important account information! The absolute most important thing and your number one priority to keep hidden is your Runescape login name/email. "Hackers" can't do anything without knowing that. Ideally you never used your login name/email for anything besides Runescape and you've never been "hacked" before. If that's the case, congratulations, it's pretty much impossible to recover your account.
Sadly a lot of people didn't think this far and used their Runescape login name/email for a lot of different things. Websites get cracked all the time and it's possible that your login name/email is out there somewhere (you can check this yourself with various leaked databases). "Hackers" can't recover your account without knowing at least one previous password. So even if you've used your Runescape login name/email somewhere else, as long as you didn't use the same password, "hackers" won't be able to match the login name/email with the correct password and thus it's impossible to recover your account.
It gets problematic when your Runescape name/email is leaked along with a password that you've used for your Runescape account before. It's important to note that if that's the case for you and you haven't changed your password yet, you should do that immediately. However, without knowing whose information this is "hackers" won't be able to recover your account. It may be possible to run scripts through leaked databases to try to log into Runescape accounts, but since you've changed your password, they won't be able to log in. It's impossible to "hack" your account by only knowing your login email/name and one previous password.
The real problem starts when this information can be linked to a user. Example: A streamer leaks their login email, therefore the "hacker" runs this email through leaked databases and finds a previous password. To recover your account the "hacker" only needs to find the other missing information, and once the "hacker" knows who to target that's a lot easier than you might think. It's your job to keep your account information hidden at all times.
3: I got "hacked" what do I do now?
Get your account locked, scan your PC for viruses, recover your account, secure your account, submit a ticket to ask for account help and keep your account secure in that order. Note: If you aren't the account creator, don't even bother with trying to get "your" account back. You will always lose recovery battles in the future.
3.1: Get your account locked
Before you do anything else, get your account locked. If you suspect that your PC is compromised, ask your friends to get your account locked through social media (Twitter or Discord). Tweet @JagexSupport or ask JMods for help on Discord if they're online and during their working hours. I'm not entirely sure if brute-forcing bank pins is just a myth, but nonetheless there are only 10000 possible combinations and the longer a "hacker" is on your account the more tries they get. Do NOT submit a ticket to ask for account help before scanning your PC for viruses!
3.2: Scan your PC
Thoroughly scan your PC for viruses and remove them. If you suspect that you're ratted, but your anti-virus software can't find any viruses, wipe and reinstall your entire system.
3.3: Recover your Account
https://support.runescape.com/hc/en-gb/articles/207217595-Hijacked-account Follow the instructions by Jagex and recover your account.
3.4: Secure your Account
This overlaps with what was already covered in point 1. Create a fresh Runescape only email address, put 2FA on it and set an authenticator, an entirely new password and a new bank pin on your Runescape account.
3.5: Submit a Ticket
People whose accounts were maliciously accessed run the risk of being recovered in the future. People who already got their account recovered once are scared of getting recovered again in the future. This feeling of uncertainty and fear is detrimental to your game experience. Just because you were able to successfully recover your account doesn't necessarily mean that your account is safe from future recoveries. Sadly human errors lead to people getting recovered again and again by the same information being used over and over. It's likely that different Jagex employees will handle your account recoveries, or that the same employee doesn't remember your case. It's crucial that past successful malicious recovery attempts get noted on your account. You can directly contact Jagex's support team through a support ticket. https://secure.runescape.com/m=ticketing/account_help_2014_nologin?cat=5
Before you fill that out, ask yourself what information the "hacker" likely has and determine the information that's impossible for the "hacker" to know. Important account information includes: your account creation date, your (creation) ISP, your IP, your payment method and any information regarding your previous payments, your country, your name, your postcode, previous passwords, previous IPs, previous ISPs and previous bank pins. Really spend your time on this. A lot of things can be leaked out there seemingly invisibly, such as your account creation date by checking when you were first tracked on CML or by analysing your Runescape Twitter. On the ticket under Additional information specifically explain your case and ask them to put a note on your account. Tell them the time frame of when your account was compromised, tell them what information is now permanently compromised and tell them what information is impossible to be compromised. For security reasons don't type out past passwords or bank pins on the ticket. Having this note on the account will not only remove the feeling of uncertainty and fear, but it will also rule out possible future human errors.
3.6: Keep your Account Secure
This was already covered in point 1, but I want to reiterate that a very important part of keeping your account secure is to change your password and bank pin periodically (like every month). This is especially important after your account got maliciously accessed or recovered. Just imagine being a Jagex employee reviewing a recovery attempt. When there are only 2 passwords on an account (one being compromised, the other one being the new one you set after you recovered your account or changed your password), you're more likely to grant a recovery request with that one compromised password compared to a recovery request where there's a long path of footprints of previous passwords which the "hacker" doesn't know and didn't provide.
NOTE: This guide IS NOT mine, I copypasted it from the OSRS gear Discord.