Phishing has long been a tradition of Steam. Barely a month will go by without someone telling you how to get free games or SteamAdmin telling you to log in to re-validate your account on www.thisislegitsteamsite.tk. However, this usually happens through Steam chat, where fake URLs are hard to cover up. Recently, scammers have adopted a new tactic: sending you emails informing you that you’ve been gifted a game.
So, firstly, what is a phisher? A phishing site is one that is usually a dead ringer for the real site. It will usually have somewhere for you to log in, but instead of sending you to your account, the site just steals your login name and password to be used for nefarious purposes.
In these gift emails, a URL that may say www.steampowered.com could in fact lead somewhere you don’t want to be going, and a fancily formatted email might not cause too much suspicion. The From address may sometimes be a dead giveaway, but these can be faked. The phishers are getting quite advanced. From what we have gathered, Crysis 2 seems to be the phishing gift game of choice, which should raise some eyebrows as, at the time of writing, it is no longer available on Steam.
So you may be asking, “But if these emails look the same as the official emails, then how do I work out which is a scam and which is from a charitable friend?” Never fear, for Press X or Die is here.
1. Make sure you have Steam Guard enabled.
Steam Guard was introduced earlier this year as a secondary protection feature for Steam accounts. It requires anyone signing in to a Steam account on a new computer to also enter a PIN code that is emailed to you.
By default this is enabled, but on some accounts this isn’t the case, and some users may have disabled it. To change this, open up Steam and go to the top menu Steam – Settings, then “Manage Steam Guard Account Security”, and turn it on.
If you find you are getting sent PIN codes but you haven’t been using any different computers with Steam, then this is usually a good sign that someone is attempting to log in to your account.
2. Use a modern browser.
Most modern browsers have some kind of anti-phishing feature built in that will warn you if you are visiting a site suspected of phishing. However, like all systems, these can sometimes fail to catch a phishing site, and sometimes produce false positives. Which brings us on to our third piece of advice.
3. Check the Address bar.
Just a quick look at the URL will usually be enough to tell whether it’s a phishing site. Steam’s official websites are www.steampowered.com and www.steamcommunity.com, and their gifting email address is firstname.lastname@example.org (that can be faked, though). Modern browsers will also flag sites that have SSL certificates (which Valve’s do), which can provide extra assurance. Just click the lock icon to get more information on the validity of the site.
4. Ask if your friends sent it.
This may not apply to everyone but normally when I’m sent a gift I tend to get messaged by the gift sender too, making sure that I’ve got the game. If this gift is out of the blue and unexpected then be more suspicious.
Of note is that most of the time you will not just get an email (unless the sender only knows your email address and not your Steam account), but when signing into the Steam Client a pop-up window usually informs you of your gift too. This cannot be faked by scammers (to my knowledge).
There’s some more advice and in-depth help on Steam’s Support section.
Remember to stay alert and to keep an eye out for these kinds of scams. As recent events have taught us, our gaming accounts are not wholly safe and we should be more attentive when giving away our account details even if the site looks fine.