Tuesday, September 1, 2020

Something Phishy This Way Comes: Steam "Fraudulent Purchase" Scam is Back. How It Happens, and What You Can Do to Prevent It.

It started as any normal evening; just browsing the internet, looking for deals, and playing games I liked. I had work the next evening and was already looking to get ready for bed. Then, I get a message on Steam. Someone I don’t know with a familiar name tells me that they had accidentally reported me for a “fraudulent purchase.” It struck me as odd, but not unbelievable, given I was one to occasionally search for cheap games through sites like Fanatical, Green Man Gaming, and occasionally more out of the way sites of potentially ill repute. Thus, I had asked who I had to talk to. I am sent to someone who appears to be a Steam Administrator. The script I had installed to enhance my Steam browsing experience even said as much. I was also given a Discord username to contact, alternatively.

These two should have been the first of my red flags. The sites I had used were secure and trusted, and surely if I had been reported, I would have gotten an earlier notification. But, in my gullible and tired state, I pressed on. I was walked through a process of registering to a bitcoin site, only to be stymied when my payment method was unsupported. Then, I was prompted to instead try to directly send $100 worth of bitcoin as a means of “verifying” my purchase history. 

It was when I discovered that Steam had no use for Bitcoin and through the counsel of my friends that I realized all too late what had happened.

I had been hacked, and I had to contact Steam Support to reclaim my account again. Yes, indeed, I had been baited and hooked by a phishing scam, and as a precaution, my name, my face, and all of my payment methods were expunged.

In acquainting myself with others who had fallen victim to this scheme, I learned that this is by no means a new scheme. It's actually a rather old one by internet standards. However, there's a reason they call such schemes the Oldest Tricks in the Book.

So, how can you keep yourself safe in the event something like this happens to you?

First, note the language of your supposed contact. Even if it is legible, is the English proper? Does the username look familiar?

Second, ask them something personal about you that you would have told to a friend. Something they should know if they actually know you. If they can't answer, they're just trying to bait you.

Lastly, you should be aware that, as the forum post explains, "Steam support will never contact you period. The only time they will ever contact you, is when you contact them 1st as there's only one way to contact them, and that's by support ticket, nowhere else. They won't contact you by chat, they won't add you, they won't email you either." The only reason they will ever message you is if you've already messaged them first. They will never, ever ask anything of you with a material value or for any information from you. If they really worked for Steam Support, they would have this information handily available to them and would not need to ask you.

In the event you're in the midst of such a scam, some things to keep in mind are: 
  1. Don't go to any site they link you to. Especially if it's a login page. This is an obvious phishing tactic to secure your sensitive information so they can later change it and steal your account.
  2. Do not download, install, or run any software given. This is likely a keylogger or telemetry software meant to collect your data, or worse.
  3. Do not give your login information to the user under any circumstances. Any moderator or administrator would be able to look this up easily without you needing it. They do not, shall not, and will not ask for this information.

If you either forget this or, despite knowing what to do, still find yourself on the receiving end, your recourse is as follows:

  1. If you can, change your password immediately. Do so for both your Steam account and your email client tied to it. While you're at it, change passwords for sites you regularly use, too.
  2. Scan your computer for viruses and/or spyware. There may be hidden software that might have been installed that you would be prudent to remove.
  3. Report the user who contacted you to scam you. If they have already affected you, make sure you have screenshots to prove your account has been affected in some way. They will usually go for your email and phone number.
  4. Enable 2-Factor Verification and Steam Guard Mobile. These precautions will add extra layers of security to your login. Trust us--the extra hassle is more to hinder them than it is you.
  5. If you cannot access your account at all, use Steam's built-in help service to log in. The first time it does so, it will usually allow you to log in by verifying your last payment method. After that, apply all of the above in sequence.
  6. Lastly, if the above method fails, put in a support ticket. You'll be directed to do so by entering your email address and phone number. Provide any and all photographic proof of any changes, and give the support all of it.

If all goes well, you'll have access to your account as soon as the next morning. If not, it may take a few days.

All in all, a lot of this can simply be avoided through just simple common sense and being careful who you talk to online. This is an old scheme, and if you know where to spot the signs, you can inform others of what to watch out for. This is a classic chain scam, and once you notice the weak links, you can break it.

Stay safe out there, friends. These are dangerous times in our increasingly digital shopping experiences.
