From the beginnings of CS:GO trading, the community was always plagued with numerous scammers. Even though the collective effort to weed out the scammers and many of the methods employed by the phishing websites being well known in the community, from time to time even a veteran skin trader will get caught.
One of the most popular and most advanced methods is the Web API Key Scam but can be quite easy to catch once you know what exactly it’s all about.
How Steam API Key Scam usually looks like
- The scammer targets their potential victims by acquiring a list of most popular websites and skin marketplaces by their popularity score and Google search engine positioning. The best targets are websites at which you have to log in with your Steam account credentials, like markets or gambling sites.
- The scammer creates an identical copy of the targeted website, choosing a web address that looks almost the same as the legit website’s address. They may use direct ads like Google AdWords to place their phishing website on the top of rankings.
- Tricked user clicks on the top link in the search results and goes to the counterfeit website instead of the proper one.
- The scam comes into action the moment the tracked user decides to sell or buy any in-game items through trade on Steam.
- When the user receives a legitimate trade offer the scam bot automatically cancels the trade and initiates its own fake offer. Scammers try to make the fake bots as similar to the legitimate trading bots, e.g. using the same nick and avatar.
- Since the fake offer looks the same (it has the same trade in the message) and the real trade was already canceled the user accepts the fake offer giving away his/her skins and valuables for free.
- If the trader looks into the trading history, he/she will see a two almost identical offer, the real one being rejected.
How to secure your Steam account
There are certain steps you may want to take to secure your vulnerable Steam account if you suspect you had been scammed. It’s always good to start with changing your Steam account password. Then it’s good to remove all Steam or CS:GO related browser extensions that you’re unsure about. Some, especially those less popular, can easily gather all information required to run this type of trade scam. Proceed with deauthorizing and logging-off all devices in case the password change didn’t do it automatically.
Now go to Steam API Key page and click on Revoke My Steam Web API key. Many scammers had access to your Steam API key which they can use to track your trade offers. The last thing you may want to do is to reset your Steam Trade URL by creating a new Trade URL, to make it impossible for the scammer to send you false trade offers. Just remember to update your Steam Trade URL in SkinWallet panel to match the newly created one.
3 Ways to protect your Steam account
Although its good to have some countermeasures once you suspect a possible Web API scam, its always better to don’t let the scam be possible in the first place. Below are three things you might want to do to make your Steam account more secure. While it won’t probably save you from all scam attempts it will certainly help in defending against most of them
Authenticate only via trusted websites or Steam
A good way to minimize the risks is to always log into your Steam account in Steam official website or only at the website and marketplaces you know can be trusted. However, make sure to always check if the website link is correct. Still, it is always far safer to authorize with Steam first, no matter what in-game trade marketplace you are eventually going to use.
Password and Trade URL change
Regular changes to your Steam account password and Steam Trade URL are very good ways to make sure no one is tracking you and your transactions. This is also a good way to terminate your current sessions on Steam throughout any devices and block any scam bots from accessing your account. You can alter your Steam login credentials either by clicking ‘Forgot password’ or ‘Change my password’ options. The first variant is preferable, since it allows you to continue trading on Steam without any trade suspension period.
Double check all trade offers
Whenever you’re about to accept a trade offer from a trade bot, be sure to check if the details and characteristics that the valid bot from that particular site or marketplace. Similarly, if you check your trade history and see an identical offer from an identical bot that was canceled by you without you knowing, 9/10 the offer you’re seeing right now is made by scam bot.