Recently, on our Discord, we had to ban several people for running a phishing scam on some of our users. In rare cases, when people expressed an interest in joining their team, the scammers would ask their victims to enter their details on a separate third-party website – designed solely to steal your Steam account.
The way they did this was to add a fake "Sign in with Steam" button to their website, and spoof the Steam homepage to make you think that you can trust it, opening it in what looked like a popup window.
Everything about the site worked - a real professional job! - and clicking on the padlock that says "Valve Corp" would show what looked to be the correct certificate details.
If I'd put my Steam username and password in here, it's very likely that my Steam account would have been stolen. What they've done is to copy the Steam website, and make it appear to load in a fake popup window, when really it's just part of the scam website's own page.
Even with "2-step" authentication ("Steam Guard"), you can still fall victim to this if the scammer is clever enough to ask you for the code too, and use it to log in quickly enough in the background.
Steam's guidance (https://steamcommunity.com/actions/ReportSuspiciousLogin) doesn't give enough information on how to stay safe, in my view, so I thought I'd write a bit more on our blog to explain how you can keep yourself safe :)
So how can I tell that this is a scam?
There are several telltale signs, just from looking at the image above.
- You can still see the original website.
When you click 'Sign in with Steam', the entire page should change, showing you the Steam sign-in page, as should your browser's main address bar. This is so that you can verify that the web page you are actually viewing is the correct site that's safe to put your password into.
This is the biggest "tell", in my opinion. In general, you shouldn't trust "popups" that ask you to put your user information in. I'm now reconsidering every PayPal transaction I've ever made.
- The popup window colours don't match my desktop theme.
They've done a good job of matching the default "chrome" appearance in the popups, but unhappily for them, I'm an engineer who enables dark mode for everything as soon as I can :).
- Dragging the window around won't let me drag it outside the original website.
This is a clear sign that the website is "faking" a legitimate popup window: it is drawn inside the scam page rather than opened by the browser. You can't see it in your taskbar as a separate window, and it can't be dragged outside of the original website. Also, it moves around when you drag the original window.
- Steam hasn't remembered that I'm signed in.
One of our users first discovered this scam because they knew they were already signed in with Steam, but noticed that the site was asking them for their password again. If you're sceptical, check in a new browser window - that you opened yourself - and see if you're signed in to steam in there.
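The first sign above comes down to one question: does the browser's own address bar really show the Steam site? Lookalike addresses are designed to pass a quick glance, so as an added example (not code from the original post or from TEAMS.gg) here is a strict address check that only accepts an https URL whose hostname exactly matches a trusted Steam sign-in host. The trusted-host list and the sample URLs are constructed assumptions for this example; steamcommunity.com is the only host taken from the post, so adjust the list to the sign-in hosts you actually expect.

```javascript
// Added example (not from the original post): validate a URL the way a careful
// user should read the address bar. Only an exact hostname match on https is
// accepted; anything that merely contains "steamcommunity.com" is rejected.
//
// Assumption for this example: steamcommunity.com is the host named in the post;
// extend the set with any other sign-in hosts you have verified yourself.
const TRUSTED_STEAM_HOSTS = new Set(["steamcommunity.com"]);

function checkSteamLoginUrl(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl); // WHATWG URL parser, available in browsers and Node
  } catch (e) {
    return { ok: false, reason: "not a valid absolute URL" };
  }

  // A padlock only means the connection is encrypted, not that the site is
  // Steam; a plain-http address is rejected outright.
  if (url.protocol !== "https:") {
    return { ok: false, reason: "scheme is " + url.protocol + ", expected https:" };
  }

  // "https://steamcommunity.com@evil.example/" puts the real name before an
  // '@' as userinfo; the part the browser actually connects to is evil.example.
  if (url.username !== "" || url.password !== "") {
    return { ok: false, reason: "URL carries embedded credentials before '@'" };
  }

  // Exact match only: "steamcommunity.com.evil.example" and look-alikes such as
  // "steamcomrnunity.com" both fail here. The parser has already lower-cased
  // and punycode-encoded the hostname, so IDN homographs show up as xn-- names.
  const host = url.hostname;
  if (!TRUSTED_STEAM_HOSTS.has(host)) {
    return { ok: false, reason: "host '" + host + "' is not a trusted Steam sign-in host" };
  }

  return { ok: true, reason: "https and exact host match: " + host };
}

// Constructed sample addresses (paths are invented for the example) showing the
// kinds of differences a quick glance at a fake popup can miss.
const SAMPLE_URLS = [
  "https://steamcommunity.com/openid/login",
  "http://steamcommunity.com/openid/login",
  "https://steamcommunity.com.evil.example/openid/login",
  "https://steamcommunity.com@evil.example/openid/login",
  "https://steamcomrnunity.com/openid/login",
  "https://xn--stemcommunity-4ib.com/openid/login",
  "not a url at all",
];

// Runs every sample through the check and returns the verdicts keyed by URL.
function checkSamples(urls) {
  const results = {};
  for (const u of urls) {
    results[u] = checkSteamLoginUrl(u);
  }
  return results;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [u, r] of Object.entries(checkSamples(SAMPLE_URLS))) {
    console.log((r.ok ? "TRUST  " : "REJECT ") + u + "  (" + r.reason + ")");
  }
}
```

Only the first sample address passes; every other one is the sort of address that still shows a padlock and still "looks like Steam" inside a fake popup, which is exactly why reading the real address bar, rather than the popup's painted one, matters.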
Connecting your third-party services like Steam is crucial to the operation of TEAMS.gg and other sites in our industry. But unfortunately, scammers have noticed this and are starting to try to exploit people.
Browser manufacturers - Google, Apple, Microsoft - need to do more to help prevent this kind of phishing scam, and until they do, keep an eye out for the above signs when entering your Steam credentials.
Enjoy (safely!) finding new teammates, but if you think they might be scamming you - thankfully, very rare - please report them to us on our discord, with screenshots, and we'll take action.