Scam Prevention and Safety
General Safety Guidelines
Here are three general rules of thumb you should ALWAYS follow when trading on Steam.
Always. Double. Check. Everything.
A common scam tactic (in real life too) is to create a sense of urgency. Don’t rush into any trades, and always exercise an abundance of caution. Verify who you’re trading with, their reputation, the trade details, and the items being traded.
In addition, you should pay extra attention to the mobile app's warning messages on every trade. It will warn you about a lot of suspicious activity such as cancelled trade offers.
Be wary of links:
Try not to interact with links, and if you do, type in the address yourself or carefully inspect the URL for any abnormalities.
Never enter your Steam credentials anywhere but https://www.steamcommunity.com
Many sites use Steam to identify your account for various purposes, and phishing sites will ask you to sign in. A legitimate site will allow you to sign in without entering your username and password if you are already signed in on Steam, like the screenshot below.
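The link inspection described in the two rules above, as an added example that is not part of the original guide. It parses a link the way a browser does and reports why it should not be trusted for a Steam sign-in. The function name, reason strings, and sample links are illustrative, and the allowlist assumes only the hosts this page names.

```javascript
// Added example: the only hosts this page says to type Steam credentials on.
const TRUSTED_LOGIN_HOSTS = new Set(["steamcommunity.com", "www.steamcommunity.com"]);

// Returns { ok, reasons } for a link. Helper name and reason text are illustrative.
function checkSteamLoginUrl(link) {
  const reasons = [];
  let url;
  try {
    url = new URL(link); // WHATWG parser, the same rules a browser applies
  } catch {
    return { ok: false, reasons: ["not a parseable absolute URL"] };
  }
  // A trailing dot is still the same DNS name; normalise before comparing.
  const host = url.hostname.replace(/\.$/, "");

  if (url.protocol !== "https:") reasons.push("scheme is not https");
  if (url.username || url.password) {
    // Everything before '@' is userinfo, not the site you will land on.
    reasons.push("text before '@' is userinfo, the real host is " + host);
  }
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    reasons.push("punycode label: the link contained non-ASCII look-alike characters");
  }
  if (!TRUSTED_LOGIN_HOSTS.has(host)) {
    // Exact match only: a 'contains' or 'starts with' check is what look-alikes rely on.
    reasons.push("host '" + host + "' is not an exact match for steamcommunity.com");
  }
  return { ok: reasons.length === 0, reasons };
}

// Constructed sample links (example.net is a reserved documentation domain).
const SAMPLES = [
  "https://steamcommunity.com/login",
  "https://steamcommunity.com.example.net/login", // trusted name used as a subdomain
  "https://steamcommunity.com@example.net/login", // trusted name used as userinfo
  "http://steamcommunity.com/login",              // right host, no TLS
  "https://steamcommunïty.com/login",             // non-ASCII look-alike letter
];
for (const s of SAMPLES) {
  const r = checkSteamLoginUrl(s);
  console.log(r.ok ? "OK  " : "STOP", s, r.reasons.join("; "));
}
```

Only the first sample passes; each of the others prints the reason it fails, which is what to look for when inspecting a link by eye.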
These three simple things will protect you from 99% of scams out there. No reputable trader will get annoyed with you for taking a few minutes to verify everything.
The rest of this page will be dedicated to providing information about specific scam techniques and how they work. Hopefully the resources here help someone!
API/Phishing Scam
While the scam used to work using the API key, less account functionality is tied to the key now (they can no longer send offers for you), so the methodology has changed a bit in recent times.
Today, scammers use an active logged-in session on your Steam account (which you give them when you log into a phishing site) to intercept outgoing offers. When you attempt to send an offer, they quickly cancel it and send a replacement to a bot account that duplicates the name and profile picture of the original intended recipient.
How do I stay safe?
The best safety is complete prevention.
First and foremost, don’t log into fake websites. As mentioned in the general guidelines, I only ever enter my Steam credentials on steamcommunity.com directly.
Even if the scammers do have access to your account without you knowing, all is not lost. You can stay safe by staying vigilant with your mobile confirmations. Pay attention to yellow “SCAM WARNING” messages, and double-check the Steam level, years, and friendship status of the intended recipient.
Re-securing your account
If your account is compromised, you’ll want to follow the steps below in order.
Even if your account isn’t compromised by scammers, it’s good practice to periodically follow the steps below to maximize your security.
1: Sign out of all active sessions here (click Deauthorize all devices): https://store.steampowered.com/twofactor/manage
2: Revoke your API key here: https://steamcommunity.com/dev/apikey
3: Change your password