Given Steam's popularity for PC gaming, it's no surprise that scammers use it for all sorts of schemes. Anyone with a Steam account needs to be aware of potential attacks so they don't fall for them.
One popular Steam attack tries to trick you into providing your credentials using a message from your friend about a phony tournament. Here's how it works, and how to stay safe.
The Steam Tournament Scam From Your "Friend"
In this instance, this Steam tournament scam started when a real-life friend (obfuscated with blue below, so we'll call them Blue) of the would-be victim (we'll call them Green) reached out with a generic message via Steam chat.
Blue is a real-life friend of Green, but they hadn't talked in a while, so Green responded to start catching up. You'll notice that Blue's responses were vague, but enough to keep the conversation going.
After a bit of chit-chat, Blue moved in to spring the scam. He said that one of his friends needed some additional votes to qualify for a CS:GO (Counter-Strike: Global Offensive) tournament, and asked Green if he would vote for his friend's team.
At this point, Green suspected something was off, since a lot of phishing schemes involve someone asking for "help," trying to play off the good graces of a friend. Thus, Green asked Blue where they met, and Blue gave an incorrect answer.
Green told the scammer to go away, then alerted his friend through Facebook and told him to change his Steam password. By changing his password and signing out of all devices where his Steam account was logged in, he kicked the scammer out of his account.
The Original Victim Explains How He Lost His Account
Once Blue was back in control of his Steam account, he explained how his account was compromised in the first place. He fell for a similar scam, where a friend he barely knew reached out to him on Steam with a link to "vote" for a phony tournament.
We also learn that once the scammer had control of Blue's account, he blocked Green so the real owner of the account wouldn't get any notifications about the chat sessions on his own devices. Those pings would have alerted him that something was wrong. At the time of this conversation, the real owner of the account was online playing a game.
Looking at the fraudulent site's preview in Steam chat (below), it's clearly not affiliated with Steam. The lack of spaces after the periods in the description and the sentence fragment "Any Rank." are giveaways that this wasn't written by a legitimate entity.
It's not clear how the scammer got past Blue's Steam Guard protection. Most likely, the scam website asked him to enter his two-factor authentication code, which is either generated in the Steam mobile app or sent to you via email.
If Green had fallen for the scam, the attackers would have used his account to coax more of his friends to fall for it too. With a large number of accounts, the thieves could go on to engage in fraudulent Steam trades or more advanced scams.
Examining the Fake Steam Tournament Site
We've hidden the URL for safety, but since Blue provided the link to the fake website, it's useful to take a look at it. Studying this site helps illustrate telltale signs of fraudulent pages.
At a glance, the site is pretty convincing. It uses ASUS's ROG (Republic of Gamers) branding to appear legitimate. It also has "information" about the "tournament." However, when you examine the details more closely, they are extremely vague. There's no date or time mentioned for the tournament; it prompts you to "sign in to see actual date for your time zone."
Another red flag is that clicking the Quick Match, Challenges, or other tabs along the top doesn't do anything. These all prompt you to sign into your Steam account, which is the goal of this fake site.
The Support section mentions an email address for a domain that doesn't exist (it's another fake site used for these scams). Note that even though the site uses HTTPS, it's not a safe website. HTTPS means that your connection to the site is secured by encryption, but it's possible to have a secure connection to a malicious website.
Running a WHOIS lookup on the domain shows that it was created one day before this scam attempt and was registered in Russia—signs that this is clearly not legitimate.
There are also some minor typographical errors on the page, such as "Good Luck" having a capital "L," and "Please contact the support" being awkward phrasing.
Altogether, these are telltale signs of a fake website. But if you're rushing to help your "friend," you probably won't notice them. If you enter your credentials into this site, you'd be giving them to a scammer, not using them to vote for someone in a tournament.
How to Stay Safe From These Steam Scams
Now that we've seen how this scam plays out and what the fake site looks like, what can you do to keep yourself safe?
First, remember that just because a message comes from a friend's account, it's not necessarily legitimate. Like Facebook cloning scams, schemes like this rely on you trusting your friend implicitly.
When a scammer is pretending to be someone you know, they'll use vague language to fool you. In the last image of the conversation above, we saw how Green was tipped off because the fake said "bro," when his real friend would never use that word. If you suspect funny business, ask something that only the real person would know.
Second, be wary of all links. If you do follow a link that a "friend" sends you, analyze it, as we did above, before entering any personal information on it. Finding the above issues and asking the scammer about them would result in them giving excuses, tipping you off that this is fake.
Finally, do not sign in with your Steam account on third-party websites unless you are certain they're trustworthy.
Some legitimate services, like game price alert sites, allow you to sign in with your Steam account. But you shouldn't do this on a whim. Research online to see if other people trust the site before you log in with your Steam credentials.
A good way to check for legitimacy is to sign into your account on Steam's website, then open the third-party login page. If it's legitimate, you'll simply see a Sign In button. A website asking for your Steam credentials when you're already logged in is trying to scam you.
Take a look at our Steam account security guide for more ways to keep your account safe. If you do fall for a scam like this, immediately change your Steam password.
Don't Lose Your Steam Account to Scams
This Steam tournament scam isn't new. Chances are that this particular website will shut down before long, but another one will pop up in its place. Be aware that scammers can get into your friends' accounts using methods like this, and consider sharing this overview with your friends so they don't fall for it in the future.
For stronger protection, you should also know how to stay safe while gaming online.