API vs. Phishing Scam

If you have ever tried to send some items to someone on Steam, but the items went to a different Steam account, you most likely have been a victim of a phishing scam. Many people tend to confuse it with API-scam, but the outcome is very different.

This post explains how to spot whether you have been compromised and how to avoid becoming a victim of a phishing scam. We advise you to read the whole blog post.


Why many people mix up Phishing scam with API-scam

To get a better understanding of why people tend to mix up these two scams, we have to go back in time to the year 2017. This is the year we first became familiar with the term “API-scam”. If your API key was compromised, you would receive an offer from someone on Steam for one or more of your items. As soon as a script detected this offer through your API key, it would cancel the tradeoffer and send another tradeoffer from a bot that had copied the account details of the person who sent the first trade.

7-day trade lock, March 2018

Let us skip forward to March of the next year, 2018. Valve implemented a 7-day trade lock on all items traded on Steam. In the weeks and months after this update, CSGO sites of all sorts began to change from their usual setup of storing items on bots to the P2P model we know today. As you might know, you have to provide your API key in order to use P2P sites, so this was great news for the scammers: more people would learn about the Steam API key without knowing what could happen if it were compromised. API-scams therefore began to blow up, and more users than ever became victims of an API-scam.

Since then, people have used the term “API-scam” on every occasion where skins you meant to trade to someone were sent to a bot instead. We advise you to start using the term “Phishing scam”, because “API-scam” is misleading and creates a lot of confusion. It usually leaves people believing they are no longer compromised, when in reality they are more compromised than they think.

API-scams are not happening in 2022. Why? They are not effective.

Yes, you read it right. API-scams are not happening in 2022. Here is why:

  • Steam has made changes to its API. This means you are no longer able to cancel trades by only having the API key. This makes it very easy to spot if you have been compromised, as you would see multiple trades for the same item when checking your incoming offers.

  • People tend to be more aware of what to look out for when accepting trades. If someone were to become a victim of an API-scam in 2022, they would most likely check the Steam level and notice it was wrong already when accepting the offer. With a phishing scam, by contrast, you can only spot the wrong level when confirming the offer on your phone.


What is a phishing scam, and how do you get phishing scammed?

A phishing scam is essentially a hack of your account. In most cases, however, the hackers do not have full control of your account: you are still protected by the Steam Guard Mobile Authenticator (as long as you have it activated), and that is why you only fall victim to this scam when trying to send a trade. More on that later.

Hackers get access to your account by creating a fake Steam login page. When you type in your Steam credentials, the page asks you to type in your Steam Guard code as well. Once you type in the code, you receive an error.

In the meantime, a script has used the credentials and Steam Guard code you just entered to log into your account. The script is now logged in to your account and holds an active Steam login token on a virtual device. It will also create an API key so that it can track all information regarding your trades.

Since the script has access to your account, it can cancel, create and accept tradeoffers, and all of this happens in a matter of seconds while you try to send items to another account. This means that when you accept a tradeoffer from a user, another trade is created and accepted between the moment you accept the offer and the moment you try to confirm it in the Steam app on your phone. This trade is directed towards a bot that has the same account details as the account you intended to trade with. The bot will most likely be Steam level 0, have a recent creation date, or be a limited account.

Remember me mentioning that you only fall victim when trying to send a trade? This is exactly what I was referring to. The script does not have access to your Steam Guard, so the scam can only occur when you send trades, which is why you do not suspect that someone unauthorized has access to your account.

What is the difference between a phishing scam and an API-scam?

One of the biggest differences is how the two scam methods work:

Phishing scam                                                          | API-scam
-----------------------------------------------------------------------+----------------------------------------------------------------
A script has access to your account and can send trades                | Trades are being sent to you by different accounts
Can be done even if you open the correct tradeoffer through the link   | You have to open the wrong tradeoffer on Steam
Level and date are only wrong when confirming on the mobile app        | Level and date are already wrong when accepting the tradeoffer

As you can see, the procedure is quite different, and falling victim to a phishing scam is harder to prevent than falling victim to an API-scam.


How do you recover your account, if you have been a victim of a phishing scam?

The first thing you have to do if you think or know you have been a victim of a phishing scam is to check whether your email address and phone number have been changed to something else, or whether they are still your own details. You can check these details by clicking here. If the details have not been changed, do the following:

  • Check your Recent Login History.

  • Change your Steam password by going to Account Details, finding the section Account Security, and pressing Change my password.

  • Revoke your Steam Web API key by going to this link and pressing Revoke My Steam Web API Key.

  • Deauthorize devices by going to Account Details, finding the section Account Security, and pressing Manage Steam Guard. Once there, press Deauthorize all other devices.


If your email address and/or phone number has been changed, you will most likely be unable to log in to your account within a few days or weeks, as the script or the hackers will have full access to it. Therefore, check your email inbox. You should have received one or more emails stating that changes have been made to your Steam Guard, that the email address linked to your Steam account has been changed, or similar. If you cannot find an email like this, skip to the next step. If you can find one, open it and press Lock my account. Follow the procedure shown on the screen. Once your account has been locked, proceed to the next step.


Now it is time to recover access to your account. To do so, proceed to this link and type in your Steam account name (this is the name you use to log in to Steam, not necessarily your profile name). Press I no longer have access to my Steam Guard Mobile Authenticator. Then press I no longer have access to this email address. You will now be shown a form where you can fill in a lot of information. Please fill out as much as possible, as this will help Steam Support recover your access.

In the text field “Anything else we should know about the issue you're having?”, describe what has happened to your account. Do not just write “My account was hacked”; make sure your case stands out. Another way of wording the same thing could be “I suspect my account has been the victim of a hijack.”


How do I prevent getting phishing scammed in the future?

As mentioned earlier, the phishing scam starts with a user logging in to a fake Steam login page. Therefore, always make sure that you are logging in to a legitimate Steam login page. Make sure the login page is not a pop-up window; it must be a tab in your current browser window. A legitimate login page should look like this:
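The advice above comes down to checking where the login page actually lives before typing anything into it. The following is an added example, not code from the original post or from Valve: it takes a URL and accepts it only if it uses HTTPS and its host is exactly one of the Steam domains listed in STEAM_LOGIN_HOSTS (that list is this example's own assumption). The lookalike URLs in SAMPLE_URLS are constructed for the test and use the reserved .test TLD.

```python
# Added example (not from the original post): is this URL really a Steam login page?
from urllib.parse import urlsplit

# Hosts that serve Valve's own login page. Assumption of this example; keep the
# list short and exact rather than matching on substrings.
STEAM_LOGIN_HOSTS = frozenset({
    "steamcommunity.com",
    "store.steampowered.com",
    "login.steampowered.com",
    "help.steampowered.com",
})


def is_steam_login_url(url):
    """True only for https URLs whose host is exactly a known Steam host.

    Exact host comparison defeats the usual lookalike tricks: the real name used
    as a subdomain of another domain, the real name placed in the userinfo part
    before '@', a swapped letter, or a punycode (xn--) homograph domain.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = parts.hostname  # strips userinfo and port, lowercases the name
    if host is None:
        return False
    # None of the real hosts are internationalised names, so any xn-- label is suspect.
    if any(label.startswith("xn--") for label in host.split(".")):
        return False
    return host in STEAM_LOGIN_HOSTS


# Constructed sample URLs with the expected verdict for each.
SAMPLE_URLS = {
    "https://steamcommunity.com/login/home/": True,
    "https://store.steampowered.com/login/": True,
    "http://steamcommunity.com/login/home/": False,              # no TLS
    "https://steamcommunity.com.login-page.test/": False,        # real name as a subdomain
    "https://steamcommunity.com@login-page.test/": False,        # real name in userinfo
    "https://steamcommunlty.com/login/home/": False,             # swapped letter
    "https://xn--placeholder-homograph.com/login/": False,       # punycode label (placeholder)
}


def all_samples_classified_correctly():
    """Run every sample URL through the check and report whether all verdicts match."""
    return all(is_steam_login_url(u) == expected for u, expected in SAMPLE_URLS.items())


if __name__ == "__main__":
    for u, expected in SAMPLE_URLS.items():
        verdict = is_steam_login_url(u)
        print(f"{'OK ' if verdict == expected else 'BAD'} {verdict!s:5} {u}")
```

Note that the check deliberately compares the whole host, not whether the URL "contains" steamcommunity.com; the third and fourth samples show why a substring check would pass a fake page.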

When trading, we also advise you to always check the level and date when confirming trades in the Steam app. By doing so, you make sure the item(s) are being sent to the right user. You can also check your trade offer history after accepting the offer, to make sure the pending offer marked Awaiting Mobile Confirmation is the right one.
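The two checks recommended in this post, comparing the partner on the offer marked Awaiting Mobile Confirmation with the account you actually meant to trade with (level, creation date, limited status, and above all the SteamID), and looking for several received offers asking for the same item (the sign of a compromised API key described in the 2022 section), as a worked Python example. This is an added example, not code from the original post or from Steam: the Partner and TradeOffer records, the thresholds (level 5, 180 days) and all SteamIDs, item names and dates are constructed for illustration and do not follow Steam's own API format.

```python
# Added example (not from the original post): review a pending trade offer and
# spot the duplicate-offer pattern, on constructed data.
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Partner:
    """Trade partner as shown on the confirmation screen (constructed shape)."""
    steamid: str
    persona_name: str
    level: int
    created: date      # account creation date ("member since")
    limited: bool      # limited account


@dataclass(frozen=True)
class TradeOffer:
    offer_id: str
    direction: str     # "sent" (you created it) or "received" (they created it)
    partner: Partner
    items_to_give: tuple   # names of items that would leave your inventory
    state: str         # "Active", "AwaitingMobileConfirmation", "Accepted", "Canceled"


AWAITING = "AwaitingMobileConfirmation"


def review_pending_offers(intended, offers, today, min_level=5, min_age_days=180):
    """Warnings for every offer awaiting mobile confirmation whose partner is not
    the account you intended, or looks like a throwaway bot (level, age, limited)."""
    warnings = []
    for offer in offers:
        if offer.state != AWAITING:
            continue
        p = offer.partner
        age_days = (today - p.created).days
        if p.steamid != intended.steamid:
            warnings.append(f"{offer.offer_id}: partner {p.steamid} is not the intended account {intended.steamid}")
        if p.level < min_level:
            warnings.append(f"{offer.offer_id}: partner level {p.level} is below {min_level}")
        if age_days < min_age_days:
            warnings.append(f"{offer.offer_id}: partner account is only {age_days} days old")
        if p.limited:
            warnings.append(f"{offer.offer_id}: partner is a limited account")
    return warnings


def duplicated_item_offers(offers):
    """Items requested by more than one received offer, as {item: set of SteamIDs}."""
    requesters = {}
    for offer in offers:
        if offer.direction != "received":
            continue
        for item in offer.items_to_give:
            requesters.setdefault(item, set()).add(offer.partner.steamid)
    return {item: ids for item, ids in requesters.items() if len(ids) > 1}


# Constructed sample data: the account you meant to trade with, and a bot that
# copied its name but is brand new, level 0 and limited.
TODAY = date(2022, 6, 1)
FRIEND = Partner("76561190000000001", "Buyer", 42, date(2015, 3, 9), False)
CLONE = Partner("76561190000000002", "Buyer", 0, date(2022, 5, 25), True)

OFFERS = [
    TradeOffer("1001", "sent", FRIEND, ("item-A",), "Canceled"),   # your real offer, canceled by the script
    TradeOffer("1002", "sent", CLONE, ("item-A",), AWAITING),      # the bot's offer, waiting for your confirmation
    TradeOffer("1003", "received", FRIEND, ("item-B",), "Active"),
    TradeOffer("1004", "received", CLONE, ("item-B",), "Active"),  # a second offer for the same item
]

if __name__ == "__main__":
    for line in review_pending_offers(FRIEND, OFFERS, TODAY):
        print("WARNING:", line)
    print("items requested by several accounts:", duplicated_item_offers(OFFERS))
```

The SteamID comparison is the decisive check: a bot can copy a name and avatar, but not the 64-bit account identifier, so comparing that value against the person you agreed the trade with catches the swap even when level and date happen to look plausible.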

Always check level and date


Now that you have learned everything there is to know about phishing scams, you know exactly what to look out for in order not to get phishing scammed in the future. Share this blog post with your friends, so that they get to know everything about phishing scams as well!
