What the user sees
The lure as presented
- A stranger, or a compromised friend, sends a Steam gift offer.
- The linked page asks the victim to sign in with Steam.
- The page may look familiar while the domain and flow are not legitimate.
What happens behind the scenes
What the attacker is trying to obtain
1Discord DM
2Fake Steam login
3Credential capture
4Account abuse
- The fake login collects the username, password, and sometimes additional authentication data.
- Reused passwords can turn one stolen Steam login into broader account compromise.
If you fell for it
What to do first
- 1Change the Steam password from a trusted device.
- 2Contact Steam Support and review unfamiliar logins or transactions.
- 3Change the password anywhere it was reused.
How to avoid it
Where to stop before damage
- Open Steam sign-in from the official domain yourself.
- Do not open gift links from unknown accounts.
- Verify with the sender through another channel when a friend sends an unexpected offer.