Steam gift card scams and how to avoid them

Steam gift card scams have been among the most successful phishing scams in recent years and are expected to gain traction over the coming years. There are two main variants of this scam, and both involve receiving messages through Steam itself or other social apps, such as Discord, that are popular with gamers.

In this post, we’ll review both variants, explain how they work, and offer tips on how to avoid them.

Let’s start.

The “friend” variant

This Steam gift card scam begins with you receiving a message that appears to come from one of your friends on Steam or another social network. The message will be happy and light-hearted in tone and will claim to offer you a free Steam gift card.

The message also includes a legitimate-looking link to the Steam website, which you must click to claim your gift card. If you click the link, you’re taken to what appears to be the official Steam website, where you’re prompted to enter your username and password to get your freebie.

Of course, once you do, you’ve handed your login credentials to your attacker, who will promptly take over your account. That can lead to fraud, identity theft, and getting locked out of your Steam account.

The “Steam ad” variant

Another popular scam variant is to lure you with a fake ad for a discounted gift card displayed on social media. For example, “Get a $100 Steam gift card for just $75! 25% off!”

As in the “friend” version of the scam, the ad directs you to a legitimate-looking link to the Steam website, where you make the discounted purchase. As above, you’re prompted to input your details on the Steam website lookalike, which is under the control of your attacker.

Once you input your password and/or payment details, you’ve not only paid for a product that doesn’t exist and that you’ll never get, but you’ve also handed your account over to your attacker.

Steam gift card scams: The modus operandi

Both versions of the scam follow the same blueprint. That blueprint is phishing.

It’s your typical 4-step phishing scheme:

  1. You receive a message on social media that looks completely legitimate. The message appears to come from someone you trust: an online friend or company. If the message comes from one of your online friends, that account has likely been hacked. In any event, the message includes a link you must click to claim your prize/make a discounted purchase.
  2. Clicking the link takes you to what appears to be the company’s official website. But it’s an “evil twin”: a fake site controlled by the attacker.
  3. You’re prompted to enter your login info/payment info to get the free or discounted item. If you do, you provide that information to your attacker, who will exploit it. Within the context of the Steam gift card scam, some users were prompted to download an “extension” to claim their gift card. The “extension” is malware that compromises the user’s device and allows attackers to exploit them further.
  4. The attacker takes over your account, and you may find yourself a victim of identity theft or financial fraud (or both!) in the coming days/weeks. Also, now that your account is compromised, the attacker may use it to scam your friends.

Identifying the scam

The Steam gift card scam has a few telltale signs you can look out for to avoid being scammed.

Improper spelling/punctuation

As many potential victims of this scam reported, one of the scam’s giveaways is in the spelling. This is often the Achilles’ heel of a phishing attack. Attackers make spelling or punctuation errors that the official company is unlikely to make. In this case, it’s a subtle error, but these add up.

In the Steam gift card scam, the value of the card is written as 50$ or 100$, rather than the correct $50 or $100. While this alone won’t make you 100% sure you’re dealing with a scammer, it’s good to keep in mind. If the other giveaways are also present, you can be sure you’re being scammed.

Obfuscated/short links

[Image: screenshot of a Steam gift card scam message. Image source: Reddit]

The scam message contains a link to Steam’s official website – or it appears to. While the link looks legitimate – something like steamcommunity.com/gift-card/pay/50 – if you hover over the link, you’ll see that it actually points somewhere else entirely: a random-looking shortened link. In this case, it was https://is.gd/LiuAH3. That mismatch is a dead giveaway that you’re being scammed.

If you hover the URL in your message and it reveals a different link that seemingly has nothing to do with the displayed link, I’d be willing to bet that it’s for a ‘50$ gift card’ and not a ‘$50’ one.
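The hover check described above can be automated for messages delivered as HTML, where the visible anchor text and the real `href` are separate. The following is an added example, not code from the original post: it extracts every link from a message, flags a URL shortener or a mismatch between the displayed domain and the real destination, and also checks for the “50$” amount style and urgency wording discussed elsewhere in this post. The sample message is constructed (reusing the shortener link quoted above), and the shortener and urgency lists are assumptions.

```python
"""Red-flag checker for gift-card phishing messages.

Added example, not code from the original post. It applies the tells the post
describes to a chat message delivered as HTML: a link whose visible text names
Steam while its href goes somewhere else, use of a URL shortener, the '50$'
currency style, and urgency wording. The domain and phrase lists are assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; the shortener link is the one quoted in the post.
SAMPLE_MESSAGE = (
    "hey!! limited time offer, grab your free 50$ steam gift card: "
    '<a href="https://is.gd/LiuAH3">steamcommunity.com/gift-card/pay/50</a>'
)

# Assumption: short illustrative lists; a real deployment would use fuller ones.
SHORTENER_DOMAINS = {"is.gd", "bit.ly", "tinyurl.com", "t.co", "goo.gl"}
URGENCY_PHRASES = ("limited time", "hurry", "expires", "act now")


class _AnchorExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Hostname of a URL, or of bare text such as 'example.com/path'."""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def registered_domain(host):
    """Crude eTLD+1 (last two labels); adequate for the domains used here."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def analyse_message(html):
    """Return a list of red flags found in one message (empty means none)."""
    flags = []
    parser = _AnchorExtractor()
    parser.feed(html)
    for href, shown in parser.links:
        real = host_of(href)
        if registered_domain(real) in SHORTENER_DOMAINS:
            flags.append(f"link goes through URL shortener {real}")
        # Visible text that looks like a URL must agree with the real target.
        shown_host = host_of(shown) if "." in shown and " " not in shown else ""
        if shown_host and registered_domain(shown_host) != registered_domain(real):
            flags.append(f"text shows {shown_host} but link goes to {real}")
    if re.search(r"\b\d+\$", html):
        flags.append("amount written as '50$' rather than '$50'")
    lowered = html.lower()
    if any(p in lowered for p in URGENCY_PHRASES):
        flags.append("urgency wording designed to rush a decision")
    return flags


if __name__ == "__main__":
    for flag in analyse_message(SAMPLE_MESSAGE):
        print("RED FLAG:", flag)
```

Run against the sample message this reports all four tells; a message whose anchor text and `href` both point at the same Steam domain, with no shortener, odd currency or urgency wording, produces an empty list. The registered-domain comparison is deliberately crude (last two labels), which is enough for the domains here but would need a public-suffix list for something like `co.uk`.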

The message itself

As one Reddit user stated, other clues lie in the message’s context, or lack thereof. In their words:

“Situation: An online friend I made a few months ago sent me a message today on discord out of the blue. The message had no preface or actual message. She just sent a Steam Gift Card Link stating that I will receive a $50 steam gift card. I was immediately suspicious of the link so I reported it on Discord and when I reported it, it revealed the actual masked link. The masked link is in the title and again in the screenshot. I suspect she fell for the scam and it automatically sent it to people in her friends list or perhaps she is trying to scam me.”

So, you want to look out for messages with no introduction or context other than the gift card offer. These messages tend to come from online friends you don’t exchange messages with daily.

Furthermore, be on the lookout for messages that rush you to decide. Almost all scams try to instill a sense of urgency in victims so the victims don’t have time to think things through. Watch for arbitrary deadlines, e.g., “limited time offers.”

Why Steam gift card scams work

Like most phishing scams, this one exploits familiarity. The attacker garners more credibility by using hacked friends’ accounts to send messages – we cover this in more detail in our guide to social engineering. You’re much more likely to trust a message from someone you know (and click the enclosed link). And in the case of a fake advert, if it appears to come from a trusted company (Steam, in this case) the familiarity will trigger the same trust reflex.

And, as with any phishing scam, there’s a time constraint, which tends to trigger an emotional response and bypass your rational thought processes. Whether to get a special deal or fix your account, adding a time constraint tends to make folks take action without proper deliberation. And that can only work in the attacker’s favor.

The scam is also designed to exploit less tech-savvy users who may not know how to verify links or recognize phishing attempts.

Disguising the malicious link as legitimate obscures the actual destination URL, making it harder for greener users to spot the scam. Once they land on a convincingly official Steam page, its familiarity again fosters trust, so they’ll comply when prompted to enter their credentials.

How to avoid Steam gift card scams

The easiest way to avoid this scam is to avoid paying attention to free or discounted Steam gift cards. That one is obvious, so I had to include it – although it might not be helpful to those who like free or cheap ones.

Here are a few things to look out for:

  • Look out for messages with no preface or context – Human beings tend to contextualise what they send. If you receive a message from a friend containing a “limited time offer!” and a link, that should raise a red flag.
  • Always verify links before clicking them – Always hover over links to check for the use of shorteners. Hovering the link will display the actual URL it will direct you to. If there’s a discrepancy, don’t click it.
  • Report any suspicious messages you receive – Most platforms have a mechanism for users to report suspicious/fraudulent/phishing messages. Steam and Discord definitely do, and you should promptly report any phishing attempts you encounter—it helps you and all the other users of the platform.
  • Enable two-factor authentication (2FA) – Two-factor authentication adds an extra layer of security to your accounts and makes them much harder to hack. Steam has its own 2FA solution called Steam Guard. Enable it.

General tips to keep your online accounts safe

The tips below always apply, and you should follow them regardless of whether you want to avoid one particular threat.

  • Be conservative with your PII online. Don’t sign up for everything, and don’t hand out your details to every site you encounter. Only share your information with sites and services you trust.
  • Use a burner email for frivolous services. You can easily find email alias services that allow you to use burner addresses to sign up for online services. That makes your email much less likely to be compromised (and will also limit spam).
  • Don’t open attachments in emails or messaging platforms unless you know who the sender is and you’ve confirmed with that person that they did send you that email. You should also ensure they know the email contains an attachment and understand what the attachment is.
  • Don’t click links (URLs) in emails or messaging platforms unless you can confirm who sent you the link and where it leads. Contacting the sender through another channel (not email) also helps confirm the sender is not being impersonated. Also, check the link for incorrect spelling (faceboook instead of facebook, or goggle instead of google). If you can reach the destination without using the link, do that instead.
  • Use a firewall. All major operating systems have built-in incoming firewalls, and all commercial routers on the market provide a built-in NAT firewall. Enable both. You’ll thank me if you click a malicious link.
  • Use an antivirus program – Only purchase genuine and well-reviewed antivirus software from legitimate vendors. Keep your antivirus updated and set it up to run frequent scans and real-time monitoring. An antivirus may block access to malicious sites.
  • Keep your operating system updated – You want the latest OS updates. They contain the latest security patches that will fix any known vulnerabilities. Make sure you install them as soon as they’re available.
  • Don’t give in to “warning fatigue” if your browser displays yet another warning about a website. Web browsers are becoming more secure every day, which tends to raise the number of security prompts they display. Still, you should take those warnings seriously. So, if your browser displays a security prompt about a URL you’re attempting to visit, pay attention to your browser’s warning and get your information elsewhere. That’s especially true if you click a link you received by email or SMS – it could send you to a malicious site. Do not disregard your computer’s warning prompts; they could save you from a massive headache.
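The “faceboook instead of facebook” tip in the list above can be turned into a mechanical check. The following is an added example, not code from the original post, and it goes a little beyond the tip: it pulls every URL out of a plain-text message, compares each domain against a list of trusted brands by edit distance so that near-misspellings are flagged, and also flags a hostname that merely embeds a trusted brand as a subdomain of some other domain. The trusted-domain list and the sample message (built from the post’s own misspellings) are assumptions.

```python
"""Lookalike-domain check for links in a message.

Added example, not code from the original post. It generalises the post's
'faceboook instead of facebook' tip: every URL in a message is extracted and
its domain compared against a trusted list by edit distance, and a hostname
that merely embeds a trusted brand as a subdomain is also flagged. The
trusted-domain list is an assumption.
"""
import re
from urllib.parse import urlparse

# Assumption: the brands the reader actually uses; a real list would be longer.
TRUSTED_DOMAINS = ("facebook.com", "google.com", "steampowered.com", "steamcommunity.com")

# Constructed sample using the misspellings quoted in the post plus a real domain.
SAMPLE_MESSAGE = (
    "login at https://faceboook.com/login or https://goggle.com/account "
    "then see https://store.steampowered.com/ for your card"
)


def levenshtein(a, b):
    """Edit distance with insert, delete and substitute each costing 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host):
    """Crude eTLD+1 (last two labels); adequate for the domains used here."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify_domain(host, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return 'trusted', 'lookalike' or 'unrelated' for one hostname."""
    host = host.lower()
    reg = registered_domain(host)
    if reg in trusted:
        return "trusted"
    labels = host.split(".")
    for t in trusted:
        brand = t.split(".")[0]
        # A trusted brand used as a subdomain of some other registered domain.
        if brand in labels:
            return "lookalike"
        # A misspelling of the brand, e.g. faceboook or goggle.
        if 0 < levenshtein(reg.split(".")[0], brand) <= max_distance:
            return "lookalike"
    return "unrelated"


def extract_hosts(text):
    """Hostnames of every http(s) URL in a plain-text message."""
    urls = re.findall(r"https?://[^\s<>\"']+", text)
    return [urlparse(u).hostname for u in urls if urlparse(u).hostname]


def check_message(text):
    """Map each linked hostname in the message to its classification."""
    return {h: classify_domain(h) for h in extract_hosts(text)}


if __name__ == "__main__":
    for host, verdict in check_message(SAMPLE_MESSAGE).items():
        print(f"{verdict:10} {host}")
```

A maximum edit distance of 2 catches a dropped, added or swapped letter without flagging every short domain as a lookalike; raise it and false positives climb quickly for six-letter brands. Anything classified as “lookalike” or “unrelated” in a message that claims to come from one of those brands is exactly the case where you should reach the site by typing the address yourself rather than clicking.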

Wrapping Up

So that’s the low-down on Steam gift card scams. They’re classic phishing schemes that are specifically tailored to Steam.

Most phishing scams elicit an emotional response from the user – through a stated emergency or a false time constraint – and suppress their rational thought processes. So it’s critical to try and remain level-headed and review the message critically before clicking anything.

Educating yourself about common scam tactics can go a long way to safeguarding your personal and financial information. Hopefully, this post helps you on your way.

As always, stay safe.
