- Scammers are sending messages to Steam users informing them of supposed accidental reports.
- The recipients are urged to contact a Steam admin who is the same scammer or an accomplice.
- The result is a threat to have the account deleted or share credentials and the Guard password.
The repertoire of scammers is ever-evolving and constantly changing, so it is important to keep up with the themes used by the fraudsters, which sometimes make it pretty easy to fall into their trap. According to a recent report by Malwarebytes, the latest wave of scamming attempts against Steam users relies on supposedly accidental reports made against them for using hacks or making an illegal purchase or impersonating Valve employees. All of these reports can incur lifetime bans, so some of those who have paid hundreds of USD to build their gaming collection on Steam are taking these messages very seriously.
So, the scamming begins with a message informing you of the accidental report, accompanied by a suggestion to contact a Steam admin to help you sort out the problem. The “admin” account which allegedly handles the mistaken report is actually under the control of the same scammer or an accomplice and obviously has no connection to a Valve employee. Sometimes, to avoid having these accounts reported and removed on Steam, the victims are urged to contact them on Discord.
If the Steam user is convinced of all that and contacts the fake admin, they are met with a request to prove their claims by providing a screenshot of their conversation with the scammer. This is to convince the victim that they're going through a legit procedure. Next, a supposed “scan of the account status” needs to take place before the report is canceled, and for this, the victim is requested to give away their email address, username, and the verification code sent by Steam if Steam Guard is enabled.
Obviously, the “admin” is after the victim’s credentials here, and if the Steam Guard password is provided, taking over the account would be a walk in the park. In other cases, the fake admin asks the victim to send them the reported duplicate item to check if it was indeed a duplicate, but as expected, the owner never gets it back.
If the victim dares to question the fake admin, the actors are pretending that they don’t have much time to deal with this and need to either move things forward the way they see fit or just straight away delete the victim’s account. In some cases, they present a pretty ridiculous “certificate of eligibility,” hoping that it’ll convince the victims.
If you are a Steam user, be very vigilant with incoming direct messages from users you don’t know, claiming anything that requires your action. Under no circumstances would a real Steam Support agent ask for your credentials or OTPs, so never share these with anyone. And finally, no moderator will ever contact you via Discord or any third-party app. If you have done nothing wrong, the chances of finding trouble are slim to none, even if someone has really accidentally reported you.