1.

What the user sees

The lure as presented

  • A stranger, or a compromised friend, sends a Steam gift offer.
  • The linked page asks the victim to sign in with Steam.
  • The page may look familiar while the domain and flow are not legitimate.
2.

What happens behind the scenes

What the attacker is trying to obtain

1Discord DM
2Fake Steam login
3Credential capture
4Account abuse
  • The fake login collects the username, password, and sometimes additional authentication data.
  • Reused passwords can turn one stolen Steam login into broader account compromise.
1.

If you fell for it

What to do first

  1. 1
    Change the Steam password from a trusted device.
  2. 2
    Contact Steam Support and review unfamiliar logins or transactions.
  3. 3
    Change the password anywhere it was reused.
2.

How to avoid it

Where to stop before damage

  • Open Steam sign-in from the official domain yourself.
  • Do not open gift links from unknown accounts.
  • Verify with the sender through another channel when a friend sends an unexpected offer.