Scammers Trick Steam Users With ‘Accidental Reports’

Last updated September 25, 2021
Written by:
Bill Toulas
Bill Toulas
Infosec Writer

The repertoire of scammers is ever-evolving and constantly changing, so it is important to keep up with the themes used by the fraudsters, which sometimes make it pretty easy to fall into their trap. According to a recent report by Malwarebytes, the latest wave of scamming attempts against Steam users relies on supposedly accidental reports made against them for using hacks or making an illegal purchase or impersonating Valve employees. All of these reports can incur lifetime bans, so some of those who have paid hundreds of USD to build their gaming collection on Steam are taking these messages very seriously.

Source: Malwarebytes

So, the scamming begins with a message informing you of the accidental report, accompanied by a suggestion to contact a Steam admin to help you sort out the problem. The “admin” account which allegedly handles the mistaken report is actually under the control of the same scammer or an accomplice and obviously has no connection to a Valve employee. Sometimes, to avoid having these accounts reported and removed on Steam, the victims are urged to contact them on Discord.

If the Steam user is convinced of all that and contacts the fake admin, they are met with a request to prove their claims by providing a screenshot of their conversation with the scammer. This is to convince the victim that they're going through a legit procedure. Next, a supposed “scan of the account status” needs to take place before the report is canceled, and for this, the victim is requested to give away their email address, username, and the verification code sent by Steam if Steam Guard is enabled.

Source: Malwarebytes

Obviously, the “admin” is after the victim’s credentials here, and if the Steam Guard password is provided, taking over the account would be a walk in the park. In other cases, the fake admin asks the victim to send them the reported duplicate item to check if it was indeed a duplicate, but as expected, the owner never gets it back.

If the victim dares to question the fake admin, the actors are pretending that they don’t have much time to deal with this and need to either move things forward the way they see fit or just straight away delete the victim’s account. In some cases, they present a pretty ridiculous “certificate of eligibility,” hoping that it’ll convince the victims.

Source: Malwarebytes

If you are a Steam user, be very vigilant with incoming direct messages from users you don’t know, claiming anything that requires your action. Under no circumstances would a real Steam Support agent ask for your credentials or OTPs, so never share these with anyone. And finally, no moderator will ever contact you via Discord or any third-party app. If you have done nothing wrong, the chances of finding trouble are slim to none, even if someone has really accidentally reported you.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: