The push to virtual items in games such as Team Fortress 2 or Dota 2 has led to an increase in phishing and scamming activities on the Steam gaming platform. Some virtual items are worth hundreds of dollars, and while that is the exception, items do sell for anything between a couple of cents and more than thirty or forty dollars.
It is necessary to distinguish between phishing and scamming attempts even though they usually have the same end result: an empty inventory.
Phishing is probably the more common attack on Steam. It is usually carried out via messages rather than email. This can be a direct message on Steam to another user, or a link posted on third-party sites that Steam users click on.
A basic example is sites where users make item trade deals, such as TF2 Outpost. Attackers post links that look as if they lead to an official Steam website, e.g. Steamcommunity.com, but do not, because the attackers have slightly changed the URL.
If you sign in on those fake sites, you submit your username and password, and maybe even the Steam Guard code, to the attacker, who can then use the information to quickly log in on the real Steam site to modify account data or move all of the items of value out of the inventory.
This leaves a trail for obvious reasons, as items can only be transferred to other Steam users. That trail is often circumvented, however, by selling the items for real money on third-party sites.
Scamming may be linked to phishing, but it is not the same. It can happen that you trade with someone who just hijacked an account. This is often an item-for-money type of transaction that is initiated on third-party websites. You basically get the items that the "scammer" offers and pay for them by PayPal or other means.
A rarer case happens when you trade with someone on Steam directly and get convinced that you will get another item later on that you then never get.
Scamming can also happen when you buy a CD key from someone, and that someone files a support request on Steam to regain that game, giving Valve proof of purchase by taking a picture of the original box or receipt.
Anyway, if you receive items from a hijacked account, you may lose those items once Valve restores the original account owner's access to it.
It is important to follow a couple of rules when you trade to reduce the risk of being scammed or phished.
Never ever click on links that other users post. There is not really any need for that at all. If you want to check out a user's Steam profile, open the Steamcommunity website manually and enter the player's name or ID in the search field directly. Note that this includes links in messages, in emails, forums, and on third-party websites.
Never reveal your username, password or Steam Guard code to anyone. This should be pretty obvious but some users may need a reminder that doing so gives another user full access to their account.
Always check to make sure you are on the right website. Check the address before you enter your login information on a website. When in doubt, close and reopen the site manually in your browser of choice. You may want to use a password manager that enters login information automatically when you are on the right site. If no login information is entered, you know that you are not on the right website.
Use SteamRep to look up a user's trade history. SteamRep is a community-driven database that enables you to check Steam IDs, custom URLs and PayPal email addresses for scam traces.
What's interesting in this regard is that it displays the profile's trade ban status, links to all relevant profiles, search engine queries to find out more about the profile, and information about friends.
While there is no guarantee that you will uncover scammers using the online tool, it is definitely worth a try.
Scammers are highlighted automatically by the service. If available, additional information is provided, including the number of friends who are listed as scammers, and known alts.
Use different secure passwords all the time. Make sure you use a different password on Steam, for your email accounts, and for other accounts that may be associated with Steam or trading.
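The "check the address" rule above comes down to comparing the host part of a link, and nothing else, with the official domain. The following is an added example, not code from Steam or from this article: the `OFFICIAL` allowlist and the function names are assumptions made for illustration, and the link's site is taken naively as the last two labels of the host.

```javascript
// Added example. OFFICIAL is an assumed allowlist for illustration; extend it as needed.
const OFFICIAL = ["steamcommunity.com", "steampowered.com"];

// Levenshtein distance: how many single-character edits separate two strings.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1,
                        prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
    }
    prev = cur;
  }
  return prev[b.length];
}

// An IDN label is "xn--" + its ASCII letters + "-" + encoded part; keep the ASCII letters.
function asciiPart(label) {
  const cut = label.lastIndexOf("-");
  return label.startsWith("xn--") && cut > 3 ? label.slice(4, cut) : label;
}

// Returns "official", "lookalike", "other", "not-https" or "invalid".
function classifyLink(link) {
  let url;
  try { url = new URL(link); } catch { return "invalid"; }
  if (url.protocol !== "https:") return "not-https";
  // The parser lowercases the host and converts Unicode hosts to xn-- form.
  const host = url.hostname.replace(/\.$/, "");
  if (OFFICIAL.some(d => host === d || host.endsWith("." + d))) return "official";
  // Text before "@" is userinfo, not the host, so it is checked for the brand too.
  const parts = [...host.split(".").map(asciiPart), url.username.toLowerCase()];
  const site = parts.slice(-3, -1).join(".");   // naive: ignores the Public Suffix List
  for (const d of OFFICIAL) {
    const brand = d.split(".")[0];
    // Brand name used inside another domain, e.g. steamcommunity.com.example.net
    if (parts.some(p => p.includes(brand))) return "lookalike";
    // One or two characters changed, e.g. steamcommunlty.com
    if (editDistance(site, d) <= 2) return "lookalike";
  }
  return "other";
}
```

A password manager applies the same idea more strictly: it fills credentials only when the host matches the saved site, so a lookalike host gets no autofill.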
If you have been scammed or hijacked on Steam, you need to spring into action immediately to resolve the situation:
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.