I was phished on Steam. You might think it won’t happen, but the process is surprisingly simple. A friend’s Steam account was compromised, and “he” asked me to vote in a Counter-Strike tournament.

Mid-game, I had little reason for suspicion, yet one click took me to an official-looking page. One sign-in later, the scammer had drained my Steam wallet and hijacked my account.

Steam page on the ‘Vote for my team’ Scam.

It was a brutal lesson in Steam phishing, but you may skip my pain with these simple tips.

While recovering my account, I noticed a few friends asked me personal questions as identity checks. Had I not been in the midst of a conversation, this is what I would have done, and these friends asking for an identity check were my warning about the hijacking in the first place. No matter the kind of phishing method on Steam, this will ensure identity confirmation.

If you are sent a link via Steam, never open it in the in-app browser. Instead, open your typical web browser—ideally in an incognito tab for extra protection—and log in to Steam via its website. Then, copy and paste the link into your web browser after logging in. If the link you received is for a service connected to Steam, that login should persist in the same browser without you needing to give any information.

In other words, if you log into Steam on your web browser first, any legitimate third-party service should not require you to log in with your full credentials again. If credentials are required, do not give them! Steam also warns about team-voting scams, but its advice is more general.

How to Navigate to Steam Support for Community Market Transactions.

Keep Non-Gaming Communications off of Steam

One easy way to reduce your need to scrutinize Steam messages is to avoid using Steam’s messaging feature for anything other than coordinating parties for a game. If you limit your Steam messages like this, any other message becomes suspect. Some prefer using Steam’s messaging feature over services like Discord, but for me, Steam messages are strictly for coordinating gaming.

Don’t Maintain a Steam Wallet Balance for Long

Valve cannot reverse community market transactions, and the hijacker stole my gift card balance by purchasing a $0.03 item for $69.02. This happened during the Steam Sale, and I was waiting until the last day to decide my purchases.

Unfortunately, since I held that gift card balance, it was there for the taking. Consequently, I recommend you don’t maintain a wallet balance for long, as it gives you something to lose if phished.

Steam Community Market transaction email receipt with my and the hijacker’s information covered

Contact Support if Anything Happens

Immediately upon recovering my account, I contacted Steam support to report the incident and hopefully get my refund. They were unhelpful in getting my money back, but they can investigate this issue if you provide evidence, which I did in full.

I found the recipient of my money via an email from Steam confirming the Community Market transaction, so I was able to report that user in addition to my support query. As far as I know, your email receipt is the only way to identify the recipient in these cases, but it thankfully let me report the user.

How to Navigate to your Block list on Steam.

Check Your “Block” List if Your Account Is Hijacked

The hijacker blocked everyone they messaged, so I informed those friends either via Steam or other communication that I was phished and not to click the link I had sent. This seemed to create a clear indicator of who the hijacker contacted, and I could re-add most affected people. Thankfully, since I never communicate via Steam messages, everyone who received the hijacker’s message was suspicious, and several let me know I was hijacked.

Do Change Your Password and Deauthorize All Devices

The last thing on this list is, ironically, the first thing you should do if hijacked: change your password and deauthorize all logged-in devices to kick the hijacker out.

To change your password, click the drop-down menu with your username next to your profile icon and select Account details. You may change your password here and manage your Steam Guard for two-factor authentication.

How to Navigate to ‘Authorized Devices’ on Steam.

To remove unwanted logins, select the Authorized Devices tab and select Remove All Credentials. Then, you’ll need to log in to your desired devices again.

As regrettable as losing $70 is, the hijacker had a perfect coincidence of circumstances by catching someone I had just been talking to. I’m furious that this person stole my money, and I believe Valve needs better consumer protection against scammers, but blaming yourself is a waste of headspace when it’s the hijacker who stole from you.