A scam is a confidence trick that involves a scammer tricking another player into giving away their valuables and/or personal information to them for any purpose that would be harmful to the victim. The primary motive for scamming is personal gain (such as sales of personal info), but in any case, it is a malicious act.
Scamming is considered to be a very widespread issue on Roblox. The admins have attempted to stop the most common scams by disabling comments on games, badges, and passes. However, developers can still enable/disable comments on clothing, Library assets, and UGC items. Additionally, games where the exchanging of items are frequent such as in Murder Mystery 2 and Adopt Me, as well as official exchange systems between Roblox players such as the limited trading system, are very liable to scams.
Examples of Scams
- "Icechewer1708s" SDK scam: This scam involves the perpetrator injecting a malicious DLL file into the Roblox game. The script would insert advertisements, infect scripts and spam the chat. Its surge started in September 2021, and shut down 2 Catalog Heaven servers. Icechewer1708 also was believed to DDOS the Roblox site unsuccessfully. Icechewer was not active around November 2021.
The following are common scams that involve Robux, via some form of on-site transaction, although they do not involve any phishing. These types of scams often cause the victim to lose substantial amounts of Robux, although the Robux may be recovered by contacting Roblox Support here.
- Classic defrauding: The perpetrator advertises a service or product for a fixed fee, usually sold through T-shirts.
- T-shirt scams: The perpetrator sells a fake T-shirt that would claim to give an expensive perk for a different game for a lower price or free. However, the shirt gives nothing, which wastes the victim's Robux.
- 'Get drawn' scam: A perpetrator runs ads on the site which claim to have victims' portraits drawn for a fixed fee. However, once the victim buys the product, the perpetrator refuses to do the job and may block the victim to prevent future contact.
- Fake passes: The perpetrator sells a pass that advertises special in-game features for the player. However, the promised features are simply not given once a user purchases the pass. These types of scams were commonly used by jaredvaldez4.
- Product scam: The perpetrator sells in-game powerups or items. However, they are sold as developer products, which, unlike gamepasses, will only last until the player's character dies or leaves the game, after which they are lost and they need to be bought again. This type of scam is commonly found in bait and switch games.
- "Invisible" shirt scam: A user publishes an advertisement that claims a certain piece of clothing will cause the player's avatar to become invisible. The clothing is instead simply transparent, which does not create an invisible avatar. If no preview is seen in the catalog for the item, the perpetrator may claim that the image is "broken" when in reality the image has been rejected by moderators.
- Save 10% scam: The perpetrator will tell players to visit their game, claiming that purchasing any item from their game will save the player 10%. However, buying from those games will give the owner of the game, the perpetrator, 10% of the price, and you will still have to pay the full price.
- Color-changing shirt scam: Similar to the "invisible" shirt scam, a scammer advertises a scam shirt, claiming that it's a GIF and it changes colour in any game. However, the shirt is simply nothing, and buying the shirt wastes the victim's Robux.
- Admin gamepass scam: This type of scam is commonly found in RPGs and copy-and-pasted obbies and tycoon games. The pass claims to give a broad range of commands to use. However, the pass either gives nothing or gives a couple of fun commands to use on the victim's self. This is often referred to as VIP Admin.
Phishing scams are scams in which the user is encouraged to give out their username and password in return for free Robux or Premium. Instead, the recipient of the sensitive information uses it to log in to the victim's account and lock them out, then wreak havoc on the account.
The thief usually changes the password and removes the email address to make account recovery hard.
Once an account is hijacked, it is added to a botnet and used to spread more scams and hijack more accounts.
- Avatar Model Scams: These are methods claiming that they are an account for a popular game for example "Jailbreak". They claim to be their "confidential" and "private" account. They will give you a YouTube link showing a "tutorial". These have a suspicious link to them, these are also given to players that have played Roblox and The game for a long time, They also say that They are updating The game and like to "include" your avatar in the thumbnail, These often go to Roblox messages, they also claim to give you a huge amounts of Robux, for a simple task, this already sounds suspicious, some get terminated decently fast.
- Login info via Roblox messages: The scammer messages a user and asks for their username and password in return for Robux or Premium. Instead the scammer uses the login information to hijack the account.
- Robux obby: An obstacle game is created promising Robux if the user can complete the obby and reach the end. At the end, the victim is prompted to enter their username and password to 'receive their rewards', but in reality, this is done to hijack the account. Do not play these games.
- Fearmongering: The scammer, impersonating an official at Roblox, messages a user, claiming they noticed a sudden rise in the account's value, or that they are removing inactive accounts. They then encourage the user to do something dangerous, like clicking a malicious link, showing a password reset email with the link visible or using the inspect element to pull a ROBLOXSECURITY cookie. This is done to hijack the account. These messages are spam and should be reported to Roblox and deleted.
- Login info via friend request: The scammer follows and sends a friend request to the user with usernames that persuades the user to click on their profile. The perpetrator's profile description contains an offsite link that will prompt the victim to input their login information, usually for a 'reward' of Premium or Robux. This scam is more effective than Roblox messages alone since users can limit the number of people who can message them.
- Login info via email: The scammer leaves comments asking for users to give account information to an email address, listing false reasons that can seem convincing to a newbie Roblox user.
- Login info via exploits: The scammer leaves comments directing users to a link that gives an exploit tool for the Roblox client, which will then ask for login info.
- Malicious programs: The perpetrator directs users to a link that downloads an executable program (.exe). These programs are often referred to as hacks or exploits. The program, when run, may install malware or log cookies.
- .ROBLOSECURITY scam: The perpetrator convinces a user that the .ROBLOSECURITY cookie must be given to them. Read this article for more information on the .ROBLOSECURITY cookie.
- AuthTicket scam: Similar to the .ROBLOSECURITY scam, the perpetrator gains access to a user's AuthTicket, required to join games and authenticate your user. If they were to get this, they could join games under a player's username with a simple batch command and buy in-game purchases without their knowledge.
- Copy as... scam: Another scam which involves the perpetrator tricking you into to go into the network section, refresh the page, and copy the whole page into a website which actually, steals your cookies and gives it to them.
- Fake websites: These fake websites have a login form and a domain name that looks very realistic but is fake and claims to give a fake reward that needs to be posted on several games. This just steals a user's log-in information and promotes the scam using the stolen account.
- Fake Browser extensions: After Roblox disabled comments on games and items, attackers created fake extensions that look legitimate, but after it is installed they steal a player's .ROBLOSECURITY cookie and their AuthTicket, and the extension will post the info to a web server or private chat channel.
- Botted Roblox Places: A Roblox place that tells the user to go to an offsite link that claims to give out free Robux or Premium, botted with bot accounts in the thousands in order to get the game on the front page, and sometimes botting likes. These games are usually taken down very quickly.
- Roblox-related advertisements: These advertisements promise things such as free Robux or Premium. They may redirect to another YouTube channel or a phishing site.
- Login info via chat: What it means is that a bot sends the player the friend request. If it gets accepted, they'll say scam messages. An example of this (Notice it was actually censored due to Roblox filter)
- Group Wall Post Scams: In some groups where the group wall is not really active, scam bots will raid the wall with scam messages which appear to be the same. Some groups make it so only higher ranks can post, to prevent bots (who don't promote themselves on groups) from scamming.
- Phishing GUI: Commonly found in fake "Free Robux" games, a realistic-looking GUI posing as a login screen or error will prompt the player to input their login information. The victim's login information will then be stolen.
- Free item scam: A user receives messages from friends or other random users saying "hey, if you use the code "(fake code)" on (scam website), you get a free (valuable item)". Visiting the site, users are shown a login screen similar to that of Roblox's official login site. If the user enters their username and password, their account will soon be hacked and looted for its Robux and/or limited items. It will also then be used to spread the scam further. See this video for more info.
- Guilt Scam: Commonly happens in large Discord servers with RoVer. They will pick a random person from the server who has their Roblox name as a nickname because of RoVer, then say that they lost that friend by accidentally deleting them, then claim that the account was hacked. Once the user friends them on Discord, they join a game. The scammer fools the victim by pretending to go on the website and randomly being logged out. They then claim that they were the victim of an account trading scam. They then guilt the user into giving them their password to "share the account". They claim they won't touch anything. Once the victim gives their password through Discord, the scammer unfriends them and steals the account. These scams can usually be as long as 3 hours!
- YouTube channel name scam: Found on YouTube. A channel, usually titled as: "Hi, I'm [random female name] if you don't mind check out my video" comments on a random small Roblox YouTuber's video, the comments made by these bots are typically random short phrases. Most of these scam channels were made in 2006, clearly indicating they're hijacked. Those channels have a shared video on their channel page which is a phishing one as you might already guess. They also make random hijacked accounts comment it's real to make it look legit, comments that aren't by the bots get automatically deleted.
- .HAR file scam: The scammer would contact someone (usually via Discord) to convince the user to create a .HAR (HTTP Archive File) file for the Roblox website to do something for the scammer. In reality, the created HAR file for the website contains all of the user's cookies and let the scammer gain access into the account via the user's .ROBLOSECURITY cookie.
- Spam Click Purchase Scam: A game makes you rapidly click a button. While clicking, a purchase prompt appears in the spot that you are clicking. The victim will probably be clicking so fast that they will unintentionally end up buying an item, usually a poorly made shirt for a 15-100 Robux price. A user is safe from this if they don't have any Robux.
- You Scammed Me Scam: This scam started in September 2020, where you will get a private message from a bot. The message follows the format of "You Scammed (friend or family member), LOL" (sometimes "LOL, NICE TRY"). The message body will say "Everyone knows what you did that day, it's everywhere. All your info in the video too. Emailed ROBLOX btw. Next time, try to keep it lowkey, there is a whole GIF of you doing it LOL, enjoy all your info leaked". The message would then have a link for people to copy and paste into the search engine browser, with the instruction to remove the space between . and com. This scam redirects users to a phishing site to where the "evidence" is, which then steals your Roblox account, and can put other accounts such as your Microsoft, Discord, Facebook, Twitter, Apple, Google, Amazon, and others at risk (if you register the same email for the accounts). These scams also say they have a video having all your personal information on the site with the GIF/video. Other message headers can be "WE'RE COMING FOR YOU, SCAMMER" and "DID YOU REALLY JUST SCAM MY COUSIN LOL"
- Profile link scam: This scam started in October 2020. It starts with a user getting sent a link through a private message on Discord that looks like a ‘link’ to the user's profile on ROBLOX, while it's actually an IP/cookie grabber.
- Hiring Testers scam: This scam started in May 2020. It starts with a user getting sent a message by someone. This message will tell you that testers are needed for their game and that they're willing to pay those testers and for people to be testers for their game, they need to press a link. If the player presses that link, their Roblox security will be revealed to people doing the scamming. Also most of these scam targets are older players who just started playing Roblox again.
- Play Button Scam: Scammers use glitches to hide the purchase prompt in a game. They are then able to trick a player into clicking something which, in reality, is actually clicking the invisible purchase button. This scam mainly targets high-profile players with large amounts of Robux, and the scammers are potentially able to steal millions of Robux from those players.
- Subscribe and friend scam: Scammers tell the scam victim to subscribe to their YouTube channel and friend them, usually to achieve a "free item". A link to the profile is in the description of a video on their YouTube channel, however the URL is slightly different from the official Roblox website URL. The site shows that you are logged out, and when the victim tries to log in, they will be sent to the real Roblox site, but instead their account will be locked with a PIN and the scammer will have the player's information. The scammer could try to join games and trade the victim's items to the scammer's account, or get the victim's personal information. This can happen on an unofficial trading website for Roblox players, where the site helps the user find trade offers for items in games such as Adopt Me, Royale High, Murder Mystery 2, etc. The trading site itself is safe and secure, and even the fake Roblox link says it's secure with the lock icon, but the fake site will steal your account and the only way to get it back is by contacting Customer Support.
- Free Robux generator scam: These websites are found on the Internet. They are usually found when someone searches 'free robux generator' on Google. How it works is it prompts the user to enter their username and the amount they want. After that, the site pretends to connect to Roblox servers and inject the Robux to the victim's account, but it is simply doing nothing. Once the fake generation is complete, the user will be asked to verify that they are human. This usually involves liking scam YouTube videos, or clicking on a bunch of ads. If the user does that, the site will do nothing, thus wasting the user's time and giving the scammers money through ad revenue.
- SIM swapping scam: This type of scam was used mainly during the summer of 2021. Basically, the hacker attempts to find any piece of information about you that can help them find your phone number and service provider. After that, the hacker attempts to contact your SIM provider and tries to convince them that your real SIM was stolen or overtaken by somebody else. The server provider may believe that, and disable the rightful owner's SIM card, give the hacker a new one, and that becomes a SIM swap. However, this is especially dangerous as the hacker will also have access to everything, not just your Roblox account, but also things such as your contacts, apps, passwords and banking information.
- PowerShell Asset Copier scam: If you go to an asset copier website, that claims to "download" a copy into the game. What you had to do is go to inspect element and copy your PowerShell on the game's website. This contained your .ROBLOSECURITY code, which made people access your account. Some videos actually show it downloading, but if you try it will 100% not happen.
These scams aren't as severe as other scams, and only waste people's time.
- Bait-and-Switch: BaS places are a type of scam where victims are teleported to another place to gain place visits and formerly Tickets. They use a mock-up of a popular Roblox game, such as Adopt Me or Pinewood Computer Core. When the user plays the game, they are redirected to some generic obby or tycoon game, thus giving visits.
- Livestreams: Fake YouTube live streams are set up and promise viewers free Robux. The livestream uses bots as moderators that do things like mute users that say the stream is fake. They typically make viewers spam the chat with fake admin commands like '!robux'. They usually redirect to fake generator scams. They loop clips of the scammer giving Robux out to viewers and begging for likes and subscribers.
- Finish for a surprise: Often seen in bait-and-switch obbies, the perpetrator will put a massive header at the top of the screen saying 'FINISH FOR A SURPRISE!'. When the player finishes the obby, they will get redirected to a different obby, or be encouraged to restart the obby for a free gear or admin commands.
- Only 1% have ever beaten this game: Similar to the "Finish for a surprise" scam, the scammer will put a massive header at the top of the screen saying 'ONLY 1% OF PEOPLE HAVE EVER FINISHED THIS OBBY!'. Most of these games will encourage people to buy overpriced items that only last one life or until they leave. Once the user finishes, they will simply be redirected to another game, be encouraged to restart the game for, like before, free gears or admin commands.
- There is a crazy glitch at my place: This scam is the oldest scam on Roblox. Scammers advertise their clickbait game, saying there is some crazy glitch in the place. However, the game is just nothing, a baseplate or a starter place, and thus give nothing, wasting victims' time.
- Spam Comments: Players will ask to copy and paste a certain message on a number of items in order to win something, of course doing so will grant nothing, this is a popular soft scam. The most common ones are "/e free" on items with comments enabled and "/e equip" on decals, meshes, and models that look like clothing assets.
- Meme Games: Certain games that copy the description and thumbnails. But when the games are played, the user will be presented with image spam. Most notably, Stickbug, Henry Stickmin Distraction Dance, Rickroll, etc..
- "Robux for pet scam:" In this scam, children are usually the ones to fall for this. First, a player must encounter a gullible player with good pets. Then, the player will bait the gullible saying that he will give an impossible amount of robux that can only be obtained by either selling clothing (usually 1M or higher). Then the gullible player falls for it then gives the pets. The scammer will leave. Usually happens in simulators where pets are depended on for higher stats, etc. This can also happen in games like MM2 where people will try and trade someone with valuable knives or guns and attempt to remove their offer last second.
- I'm Making A Group Softscam: A harmless variant of the "Im Making A Game/GFX scam". The scammer will ask you for a model of your character, and will ask for it in a .zip to put in a group image or game image and be awarded with commissions. Once the scammer receives the model, they will block the victim.
Do not visit links that claim to give free Robux!
A scam bot is a common nickname used to describe automated accounts that spread messages attempting to lure players to unsafe websites in order to steal their Roblox credentials or other valuable information for their owners' personal uses. A scam bot may message you if you have messages opened for anyone.
These types of bots have been around on Roblox for years, however certain economy-related changes such as the removal of Tickets have been a catalyst for their rapid rise in recent times. In 2017, a default girl user bot had been sending messages or friend requests to random people. Their blurb usually says "I'm a girl and I love playing roblox and I'm looking to make friends ;)".
Between 2017 and 2018, they often followed a very basic avatar style and were also seen wearing free items such as The Bird Says and some random Classic T-shirts. For a brief period in 2018, they used the default sign-up appearance, but soon after began to wear clothing in the style of the official Roblox account. In 2019, they have used the appearance of accounts stolen through a phishing method if a user accessed a scam site posted by a scam bot.
Aside from posting comments, some scam bots are also able to follow and send friend requests to mass amounts of players in order to extend their reach and get the player to go to their site, and they may occasionally join random free-to-play game servers to send a scam message in the game's chat before leaving a few seconds afterward. On popular front page games such as Jailbreak or Adopt Me!, they will quickly join and leave after posting a scam message such as "I just got tons of Robux by visiting [scam site]!", or something else to get more victims.
Initiatives by Roblox to lessen the impact of scam bots were put into place, such as forcing all users to complete a CAPTCHA before signing up or posting on group walls. The current captcha is not helping to prevent these bots from being created and no one has seen these bots pass a Google reCaptcha test.
Between 2018 and 2019, scam bots were more actively seen on third party sites, such as Discord and YouTube (where both videos and ads were mass uploaded), as a method to avoid Roblox moderation. These bots appear to have slowly stopped appearing and many are being banned by YouTube and Discord on their respective platforms.
From mid-2020 to the present, scam bots are getting more realistic, acting more like an actual player on Roblox. They do this by doing multiple lines, which can be often made to seem like it is actually real when in reality, it is really a scam bot. They will act like a real player saying some stuff related to the scam, and then they will actually say the link. Chatbots are bots that visit 3/4 places, leave spam related to the scam then leave, and they are very similar to scam bots. They are very common as of 2020. Lespcats/Accobests are bots that seem to be advertising the same exact scam site that frequently changes its name.
Types of scam bots
These bots will spam in-game chats, group walls and Roblox website chats with links that redirect users to a scam website or scam experience, and have different ways of spreading. As of 2022, Roblox has managed to slow the process these bots from being created, as these bots were easily identified as newly created Roblox accounts that were only used for a short period of time.
- Generic chatbots - These bots flood in-game chats, website chats and group walls with links to scam websites or scam experiences.
- If a website is promoted by chatbots, it usually consists of a website prompt asking for the amount of Robux to be "given" to the player, including an optional "Premium membership". Once the data is entered, the website will pretend to connect to Roblox servers to "inject" the Robux into the user's account. Before any Robux can be "claimed" by the end user, the website will innevitably ask the user to complete a survey to "prove" they are not a robot. These surveys are used to harvest personal details and/or profit from the website in the short time it is up.
- If an experience is promoted by chatbots, it usually consists of a simple obby or a short path, eventually leading to a specific object, that can somehow "award" the player Robux. Once this object is interacted with, a fake login GUI will appear. If you enter sensitive data into the prompt's "Password" section, the data is collected and can be used to compromise your account.
- Chatbots can be categorized by a username that usually consists of the following:
- Random string of characters
- Realistic username followed by random string
- (specific name)_(string)
- Trump chatbots - These bots were active during 2020, in the leadup to the 2020 United States Presidential Election. These bots (identifiable by the username pattern "Trump2020_" followed by a string of characters) would enter games and encourage users to vote for Donald Trump, the Republican Party candidate for the election. These bots were terminated quickly, leading to a few bots being barred from creating new accounts. After the election, these bots died out.
- Bible chatbots - These bots would flood chats with random passages from the Bible.
Most of the other types of bots consist of spam on other public message boards (such as YouTube video comment sections), but there are exceptions.
- YouTube bot - These bots revolve around Robux discussion and playing Robux scam games (as mentioned above in the "Group bot" section). These bots usually include a randomly generated timestamp in their comment and often include quotation marks. Some bots use a comforting message in another language.
- Follow Bots - These bots would flood user follow lists. As they could be easily identified (usually having a username consisting of "checkmyprofile" in a variation of Leetspeak, followed by a random string of characters), these bots would be terminated quickly. This type of bot was relevant from 2017 to 2018, but would soon die down.
- Model Purchase Bots - These bots mass-buy free models from the Roblox Library.
If a player is scammed
If a user suspects their password has been shared, they should immediately do the following:
- Change their password to something new, unique and hard to guess.
- Use the secure logout feature
- Enable 2-Step Verification
- Create an account PIN
- Create a new .ROBLOSECURITY cookie
If a user has downloaded phishing software, they should follow the above, and also:
- Uninstall the software immediately
- Erase any and all cookie loggers
- Run a full Antivirus scan (can be done with Windows Security (bundled with Windows 8 (as Windows Defender), 10, and 11), Microsoft Security Essentials (available for Windows Vista and 7, similar UI to Windows Defender in Windows 8) or other free alternatives, such as Malwarebytes)
If the user's account has been compromised within the last 30 days, they can contact Roblox Support for a one-time recovery of stolen inventory items and Robux.
- Avoid passes in bait and switch games. These usually last until the player dies or leaves the game, thus tempting the player to purchase them again if they want to continue using it each time.
- If an item seems very powerful, costs a lot, and is a product, avoid it at all costs.
- If no or little users have bought a VIP shirt or a pass, users are encouraged to avoid purchasing it until more users have done so, to verify it is legitimate.
- If the item's comments are not disabled, read them to see if any other users say whether the item is legitimate or not. Note that the perpetrator may have made alternate accounts (or compromised other accounts) to promote the said scam, so check for accounts that claim it's a scam.
- To prevent falling victim to portrait scams, check the scammer's inventory for any stolen artwork. In addition, a user can check to see if the total amount of drawings in the seller's inventory is fairly close to the total number of "get drawn" assets sold; any huge discrepancies in the total number of people drawn and assets sold hints towards a portrait scam.
- Some scammers have their names listed on alternative accounts' descriptions stating they are scammers. While this is not always the case, if there are a large amount of these accounts, this is something to be wary of; try avoiding these users. The only way to ban scammers is to poison ban the scammers. This terminates the bot, and disables account creation. The bot's associated accounts are also terminated.
- Avoid programs and websites not created by the Roblox developers that ask for login information. Similarly, avoid downloading unknown/unfamiliar files (particularly .exe programs), and never run any program with admin privileges unless they can be verified as legitimate.
- If someone asks the user to send them specific lines of code from their browser or client, they are strongly advised to not follow through as certain snippets of code can be used to get into the user's account, such as their .ROBLOSECURITY cookie.
- Avoid YouTube comments that promote free shortcuts to paid services, such as Premium and Robux, and YouTube videos that ask players to like and subscribe in order to get free Robux, or be entered into a giveaway to obtain Robux. These are always fake and often are made to expand a video's reach and get subscribers. The same can be said for Twitter accounts who claim to do so too.
- Avoid any game that uses the name "Robux", "Robucks", or anything similar, and have the Roblox logo or the Robux icon as a picture and have more players "playing" than "visits". These places are always scams.
- Specific to the Profile Link Scams, check EVERY character of the link to be sure it is a valid link (it should be https://www.roblox.com or https://web.roblox.com). Some links use wwv instead of www, or roblox-web instead of roblox. A normal profile link would look like this: https://www.roblox.com/users/USERID/profile (with "USERID" being the player's ID)
- You can easily determine a bot if it uses free items, has an unoriginal/repeatable username or joins a game and immediately floods the chat with a message that has caps and/or emojis.
- If someone claims to be an administrator, ask who they are. They will most likely claim to be the official Roblox account (despite being a shared account), builderman or david.baszucki. Next, check their profile for the badge. If they do not have it, they may claim they are using an alternate account (There is no reason for this and they are certainly lying).
- In general, if something seems too good to be true, it most likely isn't true. Users are encouraged to not let their personal desires be easily manipulated, as most scammers often rely on victims making impulsive decisions after seeing or hearing about something they want.
- Developers can implement this script by callmehbob that blocks the scambot's message that appears like it never existed, but add common links like those starting with "blox" to the blacklist under BadWords.
- Developers can also create scripts that either prevent users from chatting until they are in game for a certain amount of time or require the account to be a certain amount of days old (30 days recommended, which can bar off the game from newly created accounts from genuine users)