Suppose that, out of the blue, a Steam user tells you they’ve accidentally reported you for something you didn’t do, like making an illegal purchase, and that your Steam account is going to be suspended.
They ask you to message a Steam admin, whose profile they kindly provide, to help you sort out this dilemma.
What do you do?
There are some scams on Steam which have stood the test of time. Their tactics and target have remained generally consistent for years. Phishing campaigns aimed at harvesting as many user credentials as possible, for example, are a dime a dozen. And let’s not forget the many ways a fraudster can dupe Counter-Strike: Global Offensive (CS:GO) players.
Like Steam phishing campaigns, this particular Steam scam—referred to loosely as the “I accidentally reported you” or “I accidentally reported your account” scam—has been coming and going since initial reports of it emerged in late 2018. To date, it has no other target apart from Steam users. And, based on its latest iteration, it targets Steam users with a Discord account.
For those who aren’t aware of this scam and its variants, below is a breakdown of how the scam works. On the other hand, if you’re quite acquainted with it, dear Reader, then feel free to skip to the next section.
The Steam scam playthrough
The fraudsters behind the “I accidentally reported you” scam usually approach their targets under the pretext that they need something, or they have something to say. Anything to suggest that it’s something important and that they should be heard out.
They may already be a Steam “friend”, from a couple of days or years ago, someone in the same Steam group as you, or a user who wants you to add them to your friends list.
I’m so sorry but I accidentally reported your account to the steam admin for scamming me and duping items instead of someone who impersonated your profile and that impersonator is a scammer who scammed me
There is no word-for-word script that scammers stick to, but the gist is this: someone posing as you scammed them, but they reported you instead of the impostor.
Note that other variants of this scam will claim that they have reported you for “doing illegal purchases”—another reason to cause a degree of alarm but flawed, nonetheless.
I’m worried about your account now bro because the steam admin already ban his account
if my report on your account gets process you will get ban too just like the scammers account
At this point, the scammer drives home the point that your account will get banned next, unless something is done. The scammer then insinuates that help is on the way: a “Steam admin” that will cancel the report and remove the target’s account from the ban pile. However, the target must first confirm that the report against them was a mistake.
ok so here is the profile of the steam admin if he accept just file a ticket to him that you are not involved in the report
The sharing of a legitimate profile—or what appears to be legitimate—that is connected to Steam or its developer, Valve, is one of the tactics scammers employ to make their claims look more truthful.
If you raise the possibility that this Steam admin might not accept your friend request, the scammer suggests that you contact them via Discord.
can you add him on discord? so that if he cannot notice your req on steam maybe he will notice it on discord.
anyway I need to show you something
Oh no, what now?
this is a reply about my report on your account
It’s another reinforcement tactic, to erase any doubts you may still have. Frankly, it’s overkill at this point.
Convinced of what you must do and who you need to contact, you get in touch with the Steam admin. Of course, this admin is fake and likely either the scammer or an accomplice.
Note that the tone of the conversation changes here. The scammer’s concerned and helpful front is gone once you start chatting with the fake admin:
Hello there, Please state the reason why did you add me?
After you briefly explain the situation, the fake admin asks for a screenshot of the chat that transpired between you and the scammer.
I received the report according to our coordinator’s review about illegal activity for Illegal Purchased but you don’t have to worry here if you’re not really involved in the said issue. I will remove the banned report issue in your account. All you need to do is to prove that your account is in good condition and it was a false accusation so that Valve Report Assistance Team will cancel the Banned report charge on your account
The proof they ask for is a screenshot of your purchase history. They will also ask you to log out of your Steam account on your computer and/or mobile so they can “start the scanning of your account status”. Of course, there is no scan. The fake admin asks this as a lead-in to asking for more information—for starters, the email address tied to your Steam account.
An email address is needed when a Steam user finds themselves locked out of their account and they forgot their account name or password.
The fake admin asks you to get the verification code sent by Steam to your email address. If you happen to have Steam Guard enabled, the fake admin will ask for the code as well.
Never give anybody your Steam Guard password.
In some cases, the fake admin will ask you to send them the reported duplicate item to check if it was, indeed, a duplicate via the Steam trading function. This is framed as “borrowing” the item, but you won’t be getting it back.
If you comply with the fake Steam admin you can lose your accounts, your game items, and even money.
Targets who question any of the tasks the fake admin asks them to do are met with pressure to respond quickly because they’re “running out of time”, presented with a fake certificate, or threatened with having their accounts deleted.
Although several Steam users will not reach this part of the scam, many aren’t so lucky. Some, despite knowing that something is off, aren’t 100 percent sure if they’re dealing with a scammer or not.
True social engineers, or just desperate?
What we believed to be the first variant of this scam in 2018 was simple and solely focused on misusing the Steam trading function. This scam is now highly evolved and, one can say, has branched out into other nefarious acts, such as hijacking accounts, rare item theft, and other ways scammers can milk victims of their (or their parents’) hard-earned money.
Like most scams, the “I accidentally reported you” scam relies heavily on social engineering tactics that aim at gaps in a Steam user’s familiarity with how things work within the platform’s ecosystem.
Scammers want to appear believable, so it’s no surprise they use already hijacked accounts that have a good standing on Steam when reaching out to targets. The same can be said about Discord accounts under their control.
The scammers behind this scheme also come prepared. Not only do they have the materials—screenshots and a guide script—they need to counter frequent questions raised about their credibility, they are also not afraid to play on Steam users’ fears, even at the risk of losing the credibility they already built up with their target.
Familiarize and exercise
Steam has always put the onus of not getting scammed onto the shoulders of its users. If you did get scammed, Steam Support will assist to the best of their abilities, including getting your hijacked account back. But beyond this, such as retrieving a stolen rare item or refunding money if your account has been used to purchase Steam gift cards (for example), they likely won’t be able to help.
That said, it’s crucial for Steam users to realize that they may have blind spots and may not be as well acquainted with some aspects of the platform as they think. Filling in these blind spots can help you spot scams.
- There is no such thing as a “Steam admin”, a false report, or a “Certificate of Eligibility”.
- There are Valve employees with Steam profiles. And they proudly display a legitimate badge to prove this. They are top-tier moderators (mods) who have full administrator privilege in Steam.
- Real Valve employees belong to two invite-only groups, which are Valve and Steam.
- There are Steam Community Moderators. Like Valve employees, current and retired moderators have their own badges, too. Community moderators can ban users, among other things.
- Real Steam Community Moderators, both active and inactive, belong to the invite-only group, STEAM Community Moderators (SUFMods).
- There is a page where you can look up all Steam Community Moderators.
- Scammers link back to legitimate profiles of Valve employees or Steam moderators to hook targets into reaching out to them through Discord. These Discord accounts are not manned by Valve employees but by scammers.
- There is no such thing as an illegal item. That said, there is no need for anyone to review an item.
- If an item does need inspection, Valve employees would not require you to hand it over. They will just look it up in their database.
- Duplicate items (or dupes) exist, but they are not illegal. Duplication was done years ago by Steam Support to restore scammed or stolen items for hijacked victims. Steam Support doesn’t do this anymore.
- If you have handed over an item to someone claiming to be a “Steam admin”, consider it gone forever. The current policy is that Steam Support does not restore items that have left an account, including scammed ones.
- If there is a problem with your account, or you have an impending ban, Steam will let you know either via email, a Support ticket, or account alerts. Here is an example [link to account-alert-sample] (taken from Steam on Reddit).
- A Steam moderator will never contact you via chat or a third-party app like Discord for any reason.
- A Steam moderator will never mediate between you and another user.
Secure your Steam account by using a strong password, taking full advantage of Steam Guard—Steam’s two-factor authentication method—and staying aware of the latest scams that are targeting you as a Steam user. Keep the above points in mind, and stay safe!
The post Steam users: Don’t fall for the “I accidentally reported you” scam appeared first on Malwarebytes Labs.