This is a friendly reminder on how to keep your account secure. Lately, we have been investigating reports of fake Roblox phishing links directing users off-platform. Phishing is when an attacker sends a fake message attempting to trick a user into sharing important account or personal information. As an important reminder, you are one of the best defenses your account has. Be cautious, be safe and make sure to remember these important tips:
Never click on links or give your Roblox login credentials on sites you do not recognize. When you log in, ensure you are logging into Roblox by verifying the URL in your browser (see the attached image). Roblox platform links will always start with www.roblox.com (not www.roblox.com.tz or any other variation).
Do not click on any links or give credentials to any site advertising free or discounted Robux.
If you ever receive an email from an account that looks like Roblox, check if the sender email address is "@roblox.com". If it is not an "@roblox.com" email address, you can contact our Customer Support team at www.roblox.com/support to check or alert them to a suspicious email.
Never share your screen with others while you enter or change any login credentials.
Roblox moderators and Customer Support will never ask for your password, 2 Step Verification code, screen share or use of a 3rd party app/browser extension to access your system, so do not share with anyone requesting this information.
Add additional layers of security to keep your account secure:
Passwords should be a mix of special characters, numbers, and lowercase/uppercase characters, and be at least 15 to 25 characters long. They should also be unique (i.e. not "password123" or "abcdefg").
Consider utilizing a password manager so you never have to reuse passwords.
Remember to follow these tips even if a message is coming from a friend or friendly face. If a family or friend's account is compromised, phishers can use that connection to phish or gather more information about you. If you would like to learn more about this, check out this article: Keep Your Account Safe - Roblox.
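The second tip above asks the reader to verify the address bar by eye. As an added example (not part of Roblox's post or of any Roblox tooling), the Python check below does the same comparison mechanically: it parses the URL, requires https, and compares the hostname exactly against an allow-list containing only www.roblox.com, the host the post names. Exact comparison is what defeats look-alikes such as www.roblox.com.tz, a domain with roblox.com buried in the middle, or a "www.roblox.com@other-host" userinfo trick. The allow-list and the sample URLs are this example's own assumptions.

```python
from __future__ import annotations

from urllib.parse import urlsplit

# Assumption for this example: the only host accepted for logging in is the
# one the post names. Any other host, including roblox.com.<anything>, fails.
TRUSTED_LOGIN_HOSTS = {"www.roblox.com"}


def check_login_url(url: str) -> tuple[bool, str]:
    """Return (is_trusted, reason) for a URL a user is about to log in on.

    urlsplit().hostname lowercases the host and strips any port and any
    user@ prefix, so "https://www.roblox.com@evil.example/" yields the
    hostname "evil.example" and is rejected like any other look-alike.
    """
    parts = urlsplit(url.strip())
    host = parts.hostname
    if host is None:
        # A bare "www.roblox.com/login" has no scheme; parse it as a path.
        return False, "no hostname found; paste the full address from the browser"
    if parts.scheme.lower() != "https":
        return False, f"scheme is {parts.scheme or 'missing'!r}, expected https"
    if host not in TRUSTED_LOGIN_HOSTS:
        return False, f"host {host!r} is not a Roblox login host"
    return True, "ok"


def triage(urls: list[str]) -> dict[str, str]:
    """Map each URL to its reason string so a batch of reported links can be reviewed."""
    return {u: check_login_url(u)[1] for u in urls}


if __name__ == "__main__":
    # Constructed sample links modelled on the variations the post warns about.
    samples = [
        "https://www.roblox.com/login",
        "https://WWW.ROBLOX.COM/Login",
        "https://www.roblox.com.tz/login",
        "https://www.roblox.com.evil.example/login",
        "https://www.roblox.com@evil.example/login",
        "http://www.roblox.com/login",
        "www.roblox.com/login",
    ]
    for link, reason in triage(samples).items():
        print(f"{link:50} -> {reason}")
```

The hostname comparison is deliberately an exact set membership test rather than a prefix check: "starts with www.roblox.com" as a string rule would accept www.roblox.com.tz, which is precisely the case the post calls out.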
So one major motivation that thieves have to breach into users' accounts is the large amount of valuable limited items that we have in our inventories. Over the years, as limiteds have grown in value, this has only made it more and more rewarding for anyone successful in breaking in. David Baszucki recently mentioned in an interview that "there are items on Roblox worth twenty thousand dollars". There are sites out there which will let you see, at a glance, which users have the most valuable inventories across the platform.
While we've seen occasional updates to trading over the years, I believe there's still a lot of room for improvement. We don't even have the ability to require a 2-factor confirmation when accepting trades, something Steam has had for years at this point. Will we be seeing improved security for buying and trading items in the near future?
Thank you! There's been a crazy amount of accounts stolen because of these reasons, and all you need to do is take a second to set up 2 factor authentication or get a password manager to properly secure your account.
Just a suggestion, maybe lock accounts if a login was done by an unknown IP (one that you haven't used)… And if you're trying to login from a new address, send an email confirmation?
Also move the site report somewhere else other than DMCA as not many people will know where it is
Something else I want to point out, since this has happened in the past:
Got an "@roblox.com" email that looks illegitimate? If you use an email client that is capable of showing the email headers, you can confirm validity by checking to see if the header contains a "Received:" tag that starts with "##.email.roblox.com". This header is incredibly hard to fake.
If you use gmail, hereâs how to check:
1. Open the email
2. Click the Three Dots menu
3. Click "Show Original".
4. In the new window that opens, search for a "Received:" tag that includes "email.roblox.com"
[Foldout image: an all-in-one picture that demonstrates the process, highlighting the tag you want]
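The "Show Original" steps above are a manual version of a check that is easy to script. As an added example (my own code, not the poster's and not Roblox's), the Python below parses a raw message with the standard-library email module, extracts the host named in each "Received: from ..." clause, and reports whether any of them sits under email.roblox.com. Two details differ from a plain text search for "email.roblox.com": the host is matched as a domain suffix, so "email.roblox.com.evil.example" does not count, and the From: domain is checked the same way. The two sample messages are constructed; the "xx." label, the IPs from the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges, and the example.net/evil.example names are all placeholders.

```python
from __future__ import annotations

import email
import re
from email.utils import parseaddr

# Suffix the post says genuine Roblox mail is relayed through, and the
# sender domain the post tells readers to look for.
TRUSTED_RELAY_SUFFIX = "email.roblox.com"
TRUSTED_SENDER_DOMAIN = "roblox.com"

# Matches the host in a "Received: from <host> (...) by ..." clause.
_RECEIVED_FROM = re.compile(r"^from\s+([A-Za-z0-9.-]+)", re.IGNORECASE)

# Constructed sample: one hop from a placeholder Roblox relay host.
RAW_LEGIT = (
    "Received: from xx.email.roblox.com (xx.email.roblox.com [192.0.2.20])\n"
    "\tby mx.example.net with ESMTPS; Mon, 1 Jan 2024 00:00:00 +0000\n"
    "From: Roblox <no-reply@roblox.com>\n"
    "To: user@example.net\n"
    "Subject: Account notice\n"
    "\n"
    "Body text.\n"
)

# Constructed sample: a look-alike that would pass a naive substring search.
RAW_FAKE = (
    "Received: from email.roblox.com.evil.example (unknown [198.51.100.7])\n"
    "\tby mx.example.net with ESMTP; Mon, 1 Jan 2024 00:00:00 +0000\n"
    "From: Roblox Support <support@roblox.com.evil.example>\n"
    "To: user@example.net\n"
    "Subject: Unauthorized purchases detected\n"
    "\n"
    "Body text.\n"
)


def _under(host: str, suffix: str) -> bool:
    """True if host is suffix itself or a subdomain of it (label-aligned)."""
    return host == suffix or host.endswith("." + suffix)


def received_hosts(raw: str) -> list[str]:
    """Hosts named in each Received: header's 'from' clause, top header first."""
    msg = email.message_from_string(raw)
    hosts = []
    for value in msg.get_all("Received", []):
        m = _RECEIVED_FROM.match(value.strip())
        if m:
            hosts.append(m.group(1).lower().rstrip("."))
    return hosts


def relayed_via_roblox(raw: str) -> bool:
    return any(_under(h, TRUSTED_RELAY_SUFFIX) for h in received_hosts(raw))


def sender_domain(raw: str) -> str | None:
    msg = email.message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None


def assess(raw: str) -> dict:
    """Summarise the two checks a reader would otherwise do by eye."""
    dom = sender_domain(raw)
    return {
        "from_domain": dom,
        "from_is_roblox": dom is not None and _under(dom, TRUSTED_SENDER_DOMAIN),
        "relayed_via_roblox": relayed_via_roblox(raw),
    }


if __name__ == "__main__":
    for label, raw in (("legit", RAW_LEGIT), ("fake", RAW_FAKE)):
        print(label, assess(raw))
```

One caveat when reading the result: a Received: line is appended by each server that handles the message, so the ones added by your own mail provider are the trustworthy ones; lines that were already present when the message arrived were written by the sending side. In practice that means looking at which hop the "email.roblox.com" line appears in, not just whether it appears.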
Sorry if this is off topic but I'd just like to say that account security goes farther than just securing the log-in. You have to consider that an account's Robux, its most valuable asset, can be exchanged with just a click.
Purchases are currently not secured at all, it only takes 1 click to completely drain your account in some cases. Incidents in the past where users were able to hide the prompts and get people to click showcase how damaging this is.
You should seriously consider options to make purchases more secure. Maybe a 2FA for large purchases or a captcha to ensure that the purchase is intentional. Many people lose Robux without having their accounts compromised because of flaws with the purchase system.
Attackers will always target the weakest link in the account security chain, and Roblox has serious work to do on purchase prompts.
This functionality doesn't exist on the default Gmail mobile client, but there are alternatives that let you do this. My preferred one is Aquamail (Google App store only, unfortunately).
It still doesn't let you see the original headers, but you can "favorite" a sender, which as far as I can tell, uses those specific headers (i.e. you can favorite something from an internal email address that wasn't meant to be a link, oops, instead of just @roblox.com)
One recent scheme going on involves "wanting to use your avatar for a render." This was attempted on me twice within the last week. I knew not to use the Chrome extension thing or whatever it was they wanted me to use and got a .obj file of my character safely. I got no response from them after sending it during the first attempt. The second time, I shut it down fast and moved on.
Remember not to use any special downloads anyone may suggest! If you can't use Roblox itself to do something, it's best not to do it at all.
I'd also like to point out that attacks that can successfully fake an @roblox.com email address are rare, since Google has implemented so many security controls on SMTP headers that it's almost (but not) impossible to pass all the checks successfully. Even then, you'd still basically be blind-firing since you'd have to give up useful things like read receipts and Reply-To (meaning you won't receive replies)
When will Roblox remove the 14 days wait period for groups and instead require 2 factor authentication check to be completed before Roblox completes the payout transaction?
Also when will trading and purchasing high value items require 2 factor authentication check?
Please add mobile 2FA support for Windows 10. It's ridiculous that I have to turn it off, log in, and turn it back on again, just to use the Win10 client.
Also, some sort of automated system for detecting PM scams would be great. There was a point where I was receiving this type of message daily, with little variation. It seems to have stopped now, but I have no doubt that these PM bots will become a thing again in the future.
There's also the classic scam where someone tells you your account got flagged for "unauthorized purchases", and that they're a special power user within Roblox and you must contact them to get things taken care of. I was getting those daily too, and they were through Roblox PMs. The user would buy an old account to send these PMs to try and seem more legitimate, which would end up getting locked or terminated.
Maybe it could be implemented like the pin so you can pay out for 5 minutes or lock it early.
It might be annoying but needed. It could also be opt in as long as people know about it.
Same for purchases in my opinion.
I would recommend using the website version; it supports VIP links and also recording.
And at least in my experience it's also way less laggy.
But I agree with you such basic feature should work properly.
Some people prefer the Windows 10 client you know. Plus, I find Roblox recording quite depressing (idk why) so I would choose Nvidia Experience or whatever AMD and Windows offer
And yes, they should really implement 2FA for the client