It finally happened. Someone tried to scam me on Steam. I guess I don’t play online games enough for me to be exposed to these scammers usually, but it was bound to happen eventually. Thankfully I was lucky enough to spot what was happening before any damage was done.
It all started when a random person added me as a friend on Steam. I already suspected it could be a scam, but my Steam ID is pretty public so it was possible it was legit. So I accepted their request and waited.
The Conversation
Eventually they started messaging me and I could tell almost instantly it was going to be a scam. When they sent me the fake screenshot, that just confirmed it. The unedited conversation went as follows:
So what made me think it was a scam? Them wanting to ask me a question was the first giveaway. Why would a stranger suddenly want to ask a random question like this?
Then, of course, the fake screenshot. I never use the marketplace really. I still double-checked there wasn’t a transaction in my market history to be sure, but it being fake was another dead giveaway.
Then there was the whole story. I guess he was trying to convince me I’d get into trouble for “stealing” if I didn’t prove to him that I hadn’t bought the item. But if there really was a bad transaction like this, they would be talking to Steam’s customer support, not to the person who “stole” their item.
Finally, there was the request for personal information. And yes, as I so politely pointed out, a screenshot of your market history is personal information. Never, never, never send any personal information to a complete stranger, even if it seems like innocuous information.
The Scam
This scam works by making the victim believe they are in trouble. The scammer makes an accusation and backs it up with “proof” in the form of a doctored screenshot, then tries to convince you that you will get into trouble if you don’t prove it wasn’t you, usually by threatening to report you and have your account banned. This is a lie.
Next they will try to get you to provide personal information. A transaction history might seem harmless, but recent transactions are one of the details customer service reps use to check that someone really is the account’s owner. It’s not the only thing they use, but it is part of the process, which is exactly what makes it worth collecting for an attacker.
If I had kept this conversation going, they would have kept trying to convince me I was in danger of losing my account and kept asking for more “proof”. They take baby steps, asking for a little more information at each step. Their goal is to gather enough information to take over your account, whether by answering a support rep’s verification questions or by guessing their way past your login.
This kind of attack is known as “social engineering”: rather than breaking the software, the attacker manipulates a person into handing over the information needed to get into an account. Humans are not rigid like machines are, and they are often the biggest security hole in any system. They can be frightened, rushed and manipulated into doing things they wouldn’t normally do. Attackers know this, which is why social engineering is among the most common ways accounts get compromised.
The Defense
Unfortunately, there is no way to make yourself 100% immune to social engineering. You don’t need to be an idiot to fall for one. If they hit at the right time, you may find yourself falling for it and not realising until it is too late. However, there are a few things that you can do to help defend against them.
Never give personal information when asked
No matter how minor it seems, if a complete stranger asks you for personal information of any kind, do not give it to them. Unless you started the conversation expecting to give out personal information, don’t. Any good customer service rep will only ask you to verify your identity if you contacted them. If a stranger initiates the contact, don’t trust them.
Contact the Company
If someone is saying you will (e.g.) get banned from Steam and you are genuinely worried you might, the first person you should talk to is someone from Steam Customer Support. Always report any scammer you meet, and if you are unsure talk to the company first. Never believe anything without checking for yourself first.
Enable 2FA on your accounts
This is the best defense, since it means any attacker will need access to a physical device (such as your mobile phone) even if they have your password and all your personal details. The flip side is that a scammer who knows this will try to talk you into reading out a 2FA code or approving a login prompt, so treat a code exactly like a password: never give one to anyone who asks for it.
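As an added illustration of why the second factor shuts this scam down (this is example code written for this post, not Steam’s code and not Steam Guard’s specific scheme; it implements the standard RFC 4226/6238 one-time password used by most authenticator apps), here is a minimal login check with a constructed user record. The shared secret is the RFC 4226 test seed, chosen so the values can be checked against the RFC; a real enrolment would generate it randomly. The point to notice is in `login`: a scammer who has talked you out of your password still fails, because the code is computed from a secret that only your phone and the service hold.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Shared secret enrolled when 2FA is set up. This is the RFC 4226 test seed,
# used here as constructed sample data so the outputs match the RFC vectors.
# A real enrolment generates a random secret and shows it as a QR code.
SHARED_SECRET = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at_time: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the current time step."""
    if at_time is None:
        at_time = time.time()
    return hotp(key, int(at_time // step), digits)


def verify_totp(key: bytes, code: str, at_time: Optional[float] = None,
                step: int = 30, window: int = 1) -> bool:
    """Accept the current code or one step either side (clock drift),
    using a constant-time comparison so timing does not leak digits."""
    if at_time is None:
        at_time = time.time()
    return any(
        hmac.compare_digest(totp(key, at_time + i * step, step), code)
        for i in range(-window, window + 1)
    )


# Constructed user record: password hash plus the enrolled 2FA secret.
# (A real system uses a slow password hash such as argon2 or bcrypt;
# plain sha256 is only used here to keep the example dependency-free.)
USER = {
    "password_hash": hashlib.sha256(b"hunter2").hexdigest(),
    "totp_secret": SHARED_SECRET,
}


def login(password: str, code: str, at_time: Optional[float] = None) -> bool:
    """Both factors must check out; a correct password alone is not enough."""
    password_ok = hmac.compare_digest(
        hashlib.sha256(password.encode()).hexdigest(), USER["password_hash"]
    )
    return password_ok and verify_totp(USER["totp_secret"], code, at_time)


if __name__ == "__main__":
    now = time.time()
    # The account owner has the phone and can produce the current code.
    print("owner  :", login("hunter2", totp(SHARED_SECRET, now), now))
    # The scammer has the password but no secret, so can only guess a code
    # (one guess in roughly a million per 30-second step, with rate limiting
    # on top in any sane service).
    print("scammer:", login("hunter2", "000000", now))
```

At time 59 the RFC vectors apply: the current step is counter 1 (code 287082), and the previous step (755224) is still accepted because of the one-step window, while a guessed code is rejected even with the right password.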
Learn how to use a password manager, and use it
The only password I know is the one for my password manager. When I log into Steam, I let my password manager enter the password for me. These passwords are randomly generated and secure. I use 1Password right now, but there are many others available. Using a password manager will also help you detect and change reused passwords, which you should avoid: one leaked password should never unlock a second account. A password manager also only offers a saved password on the site it was saved for, so it will not hand your Steam login to a lookalike page that a scammer sends you to.
Anyway, maybe I’ll see another scammer on Steam some day and I’ll try to bait them a little better than I did this one. Could be entertaining.
Stay safe out there!