Why tweens are the highest-targeted age band
Three things make 9–12 year olds the perfect mark for kid-flavoured financial scams:
- They have account access — to Roblox, Fortnite, Discord, sometimes Apple ID — but not the financial literacy to know what those accounts are worth.
- They have weak password habits — same password across sites, no 2FA, sometimes a saved card on the account.
- They’re embarrassed to tell. A 5-year-old runs to Mum at the first scary pop-up. A 10-year-old who got phished “feels stupid” and tries to fix it themselves.
That third one is the dangerous one. The whole defence in this guide is about keeping the “tell a parent” reflex alive through the awkward years.
The five scams currently in rotation
These are the scam patterns my own kids have seen in the last six months — across Roblox, Fortnite, Discord, TikTok, and YouTube. Read them with your tween; ask after each one if they’ve ever seen something like it.
The free-Robux / V-Bucks generator
Pattern: Website or YouTube video promising free in-game currency if the kid "verifies" by entering their account login. Login is then used to drain Robux, lock the family card, or sell the account.
Red flag: Any site asking for the game login outside the official Roblox / Epic / Microsoft sign-in screen. Real currency is never given away by random sites.
Defence: Family rule: account credentials never go anywhere except the official app. If a friend, a video, or a website asks for them — it's a Crook.
The Discord / WhatsApp "trade-up" DM
Pattern: Stranger DMs claiming to be a fellow Roblox / Fortnite player offering a high-value item trade. Trade window flips at the last second; kid loses their items. Sometimes escalates to credential phishing.
Red flag: Anyone DM-ing your kid who isn't already a real-life friend. Especially anyone offering a trade that sounds too good.
Defence: Trade requests off in-game (see the gaming guide). DMs locked to known contacts on WhatsApp; DM spam filter on Discord.
The fake gift-card code
Pattern: TikTok / YouTube short shows "working iTunes / Roblox / Apple / Steam codes" and tells the kid to enter them. The codes don't work — but the site collects whatever the kid types and tries it on real accounts.
Red flag: Any video or post offering bulk codes. Codes that worked publicly would have been redeemed in seconds.
Defence: Family rule: gift cards are bought from a real shop or a real account billing page. If the kid types a code, it's into the real app — never into a third-party site.
The account-recovery impersonation
Pattern: Email or in-game message claiming to be Roblox / Epic / Microsoft "support" — your account has been flagged, click here to verify. Phishing site harvests the password and 2FA code.
Red flag: Any unexpected security email asking the kid to click a link. Real Roblox / Epic / Microsoft never email kids individually about account flags.
Defence: When in doubt, the kid forwards the email to you. You log in directly via the app (not the email link) and check the account settings.
The streamer / influencer giveaway
Pattern: Fake account impersonating a popular streamer (e.g. "Real_Sketch_Giveaway") DM-ing kids who follow the streamer with "you won! Click here to claim". Account-takeover or financial-info phishing follows.
Red flag: DMs from creators the kid follows but didn't enter a real giveaway with. Real giveaways happen on the creator's main channel, not in random DMs.
Defence: Family rule: a kid who didn't enter a thing didn't win it. Block + report fake-creator accounts immediately.
The four rules that block 90%
Don’t try to teach a 10-year-old to recognise every scam variant — there are hundreds and the templates change weekly. Teach four rules that defang almost every pattern. Drill them at the dinner table this week.
1. Logins never leave the official app
Roblox / Epic / Microsoft / Discord credentials are typed only into the official app's sign-in. If anything else asks — it's a phish. No exceptions, even for "trusted" friends.
2. Money goes one way
Kids never give an account login, code, or card detail to get something free. Real earnings (battle-pass rewards, in-game cash) are inside the game. Anything outside is bait.
3. Trades only with people we've met
Item trades, account swaps, currency loans — only with kids the family has met in real life. Trade requests off by default in-game (see the gaming guide).
4. Surprise = stop + screenshot + show
Any unexpected DM, email, or pop-up about the kid's account: STOP. SCREENSHOT. SHOW a parent. Same body-rule as the under-8 guide, just with more steps.
Tonight: 4 things to set up (15 minutes)
Each of these takes 3–5 minutes. They’re the structural defences — the things that work even if your kid forgets the rules in the heat of the moment.
- Turn on 2FA on every game account. Roblox: Settings → Security → 2-step verification. Epic / Fortnite: Account → Password & Security → Two-factor. Microsoft / Minecraft: account.microsoft.com → Security → Advanced security. Use your phone or an authenticator app — never SMS-only.
- Kill saved cards on the kid’s account. Open Roblox / Epic / Microsoft billing → remove every saved card. Top-ups happen on a parent device with a parent tap. Yes, this is friction. The friction is the point.
- Lock down DM exposure on Discord + WhatsApp. Discord: User Settings → Privacy & Safety → set DM Spam Filter to “Filter all DMs”, and turn off “Allow direct messages from server members” on each new server. WhatsApp: Settings → Privacy → Groups + Calls → My Contacts (the tightest tier WhatsApp offers).
- Drill the “screenshot + show” reflex. Send your kid a fake-Robux screenshot from a Scamwatch alert, ask them what they’d do. Practising once with a known-fake means the real one feels familiar.
What to say (in order, in the moment)
Three lines for the “Mum, I think I just got scammed” conversation. The order matters — praise first, fix second, debrief later.
"Thanks for telling me. That's the bravest move you could've made."
Why: Kids this age expect to be in trouble. Praise the disclosure first, before any other word, or they'll never tell you the next one.
"Show me what you saw. We'll work it out together."
Why: Sit beside them, screen on. They walk you through it. You stay calm. Whatever happened, it's fixable.
"Let's change the password and turn on 2FA right now."
Why: Action immediately = restored sense of control. Don't lecture about the cause until later — handle the fix first.
If they already got caught: the recovery checklist
In order. Do all six within the first 24 hours.
- Change the password on the affected account from a different device (not the one that was phished).
- Turn on 2FA on that account immediately.
- Change every other account that shared the same password. If Roblox and the kid’s email used the same password, both are gone. Use a password manager from now on.
- Check the linked card in the account billing. Remove it. Watch the bank statement for the next 30 days.
- Use the official recovery flow — see Roblox’s “My account was hacked — what do I do” page, the “Player Trading Scams” guide, and the broader “Scams, Hacking and Hoaxes” section. They restore stolen items if you report fast. Epic Games Player Support + Microsoft Account Recovery handle the equivalent flows for Fortnite + Minecraft.
- Report it to Scamwatch + ReportCyber (links below). Doing this is the only way the AU government keeps stats on what’s targeting kids.
What to avoid (please)
| Avoid | Do this instead |
|---|---|
| Banning the game after a scam attempt | Block the scammer, tighten the settings, keep playing. Banning the game punishes the disclosure — they won't tell you next time. |
| Asking "how dumb were you" | Praise the disclosure. Scammers spend millions of dollars per year on this exact age cohort. It is not a stupidity test. |
| Paying the scammer to "get the account back" | Never pay. Use the official account-recovery flow (Roblox / Epic / Microsoft Support). Report to Scamwatch + ReportCyber. |
| Re-using the same password on the new account | If an account got phished, every account that shared that password is also compromised. Change them all + turn on 2FA. |
Reporting + getting help (Australia)
Scamwatch (ACCC)
Report any kid-targeted scam — fake-currency generator, phishing DM, fake creator giveaway. Adds it to the AU national scam list.
ReportCyber (ASD)
Use if you actually lost money or had account takeover. Routes to the relevant police jurisdiction.
Kids Helpline · 1800 55 1800
Free, 24/7. Counsellors trained for ages 5-25. Excellent for kids who feel stupid or embarrassed about getting scammed.



