Steam: How to protect yourself against phishing and scamming
The push to virtual items in games such as Team Fortress 2 or Dota 2 has led to an increase in phishing and scamming activities on the Steam gaming platform. Some virtual items are worth hundreds of Dollars and while that is the exception, items do sell for anything between a couple of cents to more than thirty or forty Dollars.
It is necessary to distinguish between phishing and scamming attempts even though they usually have the same end result: an empty inventory.
Phishing is probably the more common attack on Steam. It is not carried out via email usually but via messages. This can be a direct message on Steam to another user, or a link that gets posted on third party sites that Steam users click on.
A basic example are sites where users make item trade deals such as TF2 Outpost. Attackers post links that look as if they are leading to an official Steam website, e.g. Steamcommunity.com, but are not because the url is slightly changed by them.
If you sign in on those fake sites, you submit your username and password, and maybe even the Steamguard code, to the attacker who can then use the information to quickly log in on the real Steam site to modify account data or move out all of the items of value from the inventory.
This leaves a trail for obvious reasons, as items can only be transferred to other Steam users. That's however often circumvented by selling the items for real money on third party sites.
Scamming may be linked to phishing, but it is not the same. It can happen that you trade with someone who just hijacked an account. This is often an item for money type of transaction that is initiated on third party websites. You basically get the items that the "scammer" offers and pay by PayPal or other means for it.
A rarer case happens when you trade with someone on Steam directly and get convinced that you will get another item later on that you then never get.
Scamming can also happen when you buy a CD-key from someone, and that someone files a support request on Steam to regain back that game giving Valve proof of purchase by taking a picture of the original box or receipt.
Anyway, if you receive items from an hijacked account, you may lose those items once Valve restores the original account owner's access to it.
Steam trading rules
It is important to follow a couple of a rules when you trade to reduce the risk of being scammed or phished.
Never ever click on links that other users post. There is not really any need for that at all. If you want to check out a user's Steam profile, open the Steamcommunity website manually and enter the player's name or ID in the search field directly. Note that this includes link in messages, in emails, forums, and on third party websites.
Never reveal your username, password or Steamguard code to anyone. This should be pretty obvious but some users may need a reminder that doing so gives another user full access to their account.
Always check to make sure you are on the right website. Check the address before you enter your login information on a website. When in doubt, close and reopen the site manually in your browser of choice. You may want to use a password manager that enters login information automatically when you are on the right side. If no login information are entered, you know that you are not on the right website.
Use SteamREP to look up a user's trade history. SteamRep is a community driven database that enables you to check Steam IDs, custom urls and PayPal email addresses for scam traces.
What's interesting in this regard is that it displays the profile's trade ban status, links to all relevant profiles, search engine queries to find out more about the profile, and information about friends.
While there is no guarantee that you will uncover scammers using the online tool, it is definitely worth a try.
Scammers are highlighted automatically by the service. If available, additional information are provided including the number of friends who are listed as scammers, and known alts.
Use different secure passwords all the time. Make sure you use different password on Steam, for your email accounts, and other accounts that may be associated with Steam or trading.
Scammed or hijacked?
If you have been scammed or hijacked on Steam, you need to spring into action immediately to resolve the situation:
- Try to figure out what just happened, e.g. did you provide a third party with login information, did you fall pray to a phishing attack or have you been scammed?
- You need to prioritize your actions depending on this.
- If someone else has your account information do the following: If you used the same password on another site, change it immediately. Contact Steam Support and write a detailed account of what just happened. Make sure you are specific as possible and include all relevant information (e.g. Scammer PayPal email address, Steam ID of account, what you did, what the other did, when that happened).
- If your account got compromised on a third party site and you cannot regain access, contact support or an admin there to inform them about the situation.
- Try to contact all your Steam friends and tell them about the hijack so that they are aware that you are not in control of your account.
- If you are using a site like SteamREP, file a ticked there to mark the account as hijacked so that other users know about it.
- If you are unsure how you got scammed, download antivirus software like the free Malwarebytes Anti-Malware Free and give your system a thorough scan (full scan) to make sure you have no virus on.