Security

How to Never Get Scammed in CS2

A complete and comprehensive guide for scam prevention in CS2

How to never get scammed in CS2

How to Never Get Scammed in CS2

It is unfortunate that such a long, exhausting and sometimes complicated post, which you're about to read, has to be even made when it comes to otherwise fun topics such as PC games. But since virtual items like CS2 skins are digital goods which can be sold for real money, it's obvious that this environment attracts many dark figures and scam artists, who will do everything in their power to steal your virtual items. Besides, getting scammed items back through Steam Support can unfortunately be very difficult and often times even impossible, due to Valve's policies when it comes to trades between users, which they usually view as final.

For all of these reasons, it's highly recommended, that you take the time and educate yourself about all the current scam methods out there and how to protect yourself from these threats, especially if you already own or plan to have valuable skins. It doesn't matter if you're a new player who just started trading, or an experienced veteran with 5000 hours in CS2 and hundreds of past trades under your belt: scams can happen to anyone!

Therefore, we decided to make a comprehensive and complete guide related to this subject, covering all aspects and giving you one single source for everything you need to know about CS2 scams. Please take the time and read this post, and share it with everyone you know, to hopefully help and reduce the number of item thefts, and make the lives of con artists in this space a bit harder.


This guide is divided into 5 sections:

  1. The 20 rules of scam prevention

  2. Explaining different scam methods

  3. The specific case of the infamous API scam

  4. Could your Steam account already be compromised?

  5. What to do if you already got scammed and how to take down scammers?


The 20 rules of scam prevention

There are dozens of different of CS2 scams out there, which you will read more about in section 2 and 3. And over time, they change and evolve as well. Fortunately, scam prevention is possible by following our 20 rules strictly and without any exception. If you stick to this rule set, you should be safe from all currently known scam methods, and probably from new variations in the future as well. Keep in mind that consistency is the key to account safety, and that one mistake could cost you your entire inventory within seconds! You will understand the reasons behind some of these rules, once you've read the entire guide.

  1. Set up the Steam Guard Mobile Authenticator, in the very unlikely case that you haven't done it already. Your mobile phone and its two-factor authenticator is vital and your "last line of defense" against fraudsters, before a trade is final! All scams ultimately lead to this last step, which scammers need to convince or trick you to take. Therefore, it's extremely important that you review Steam trades carefully before confirming them. Never rush trades, purchases and sales. Always take your time and double-check the trade's content and the Steam account of your counterpart or Bot, before your final mobile confirmation of trades. Also, never share your Auth-Code with anyone.

  2. Select the trusted websites you regularly use, such as Steamcommunity.com and Skinport.com. Type each website address manually in your browser, now bookmark it and add it to your browser's bookmark bar for easy access. From now on, always visit the links through your browser bookmarks only and always log-in through the bookmarked Steamcommunity.com link into your Steam account. Once you're logged into Steam, trustworthy websites never prompt you for your credentials again (only phishing websites do). You're already and automatically logged in and just have to click the green 'sign-in' button.

  3. Never use Google to search for CS2 related websites to use and log-in. This sounds harsh, but prevents lots of scams.

  4. Never click on any link to any website or any software download link, sent to you by anybody related to CS2. It doesn't matter what the content of the message is or if it's from a Steam friend who sent you a link (their accounts could have been compromised by a scammer without their knowledge).

  5. However, sometimes you need to click on people's Steam Trade URLs to initiate a Steam trade with them, if they're not on your Steam friend's list. Make sure that the link you're about to click, isn't a misspelling of Steamcommunity.com (the name itself or the top-level domain or both).  

  6. Never install any browser extension, unless you're 100% sure about its legitimacy. There're only a few, which are used by the community. However, there's always a residual risk with any extension, even known ones (owners changing, codes and permissions changing, etc.) and if you don't use such extensions regularly and follow their development, then don't let them remain installed for a longer period of time.

  7. Always make sure that your PC's security suite, is up to date and that your PC as well as your mobile phone are free from malware, keyloggers, viruses, etc. Your browsers and your operation system should always be up to date as well.

  8. Make sure you're using very strong, case-sensitive and different passwords for your Steam account and your associated Email. Never use a single password for multiple services. Optionally, use a secure password manager. It could also be a good idea to completely change passwords once in a while, as a precautionary measure.

  9. Never do any type of cash trade with anyone (PayPal, crypto, etc.), no matter if they offer to overpay you, pay you first or whatever else they offer.

  10. Never send anybody a trade offer, in which the side of your counterpart is empty or if the trade doesn't include all pre-agreed items from both parties in a single trading session, unless you're just selling items and dealing with a real Bot offer from a well-known and trusted third party website like Skinport.com

  11. If you're initiating transactions with third party websites such as Skinport, always use the associated links provided within the website itself. Make sure the Bot offer doesn't somehow get automatically canceled and replaced with a fake Bot offer from a scammer (check trade history and incoming offers and look for suspicious canceled offers).

  12. Never do any type of so called "trusted middleman" trades with a 3rd person involved.

  13. Never do Steam trades where people promise you steam wallet codes, CD keys, gift cards, any type of steam credit, coins, money or anything else in return. CS2 item trades (possibly some other game's items such as Rust, Dota, etc. if you're familiar with those items), is the only type of trade you should do.

  14. Never get scared or intimidated and don't believe anyone who claims to be a Valve employee, a Steam admin, VAC Bot, etc., even if your Steam profile name and avatar should have changed to something like "banned" (a scammer has access to your account and is changing your profile). The real Steam employees will never send you messages, change your profile like that, or ask you to trade your items. The only way Steam support communicates, is through their Steam support ticket system.

  15. Never believe anyone who asks you for some kind of item verification, pattern- check, price-check, or similar requests on an external website.

  16. Do not borrow your items to anyone, unless you know that person in real life and only if the person is 100% trustworthy (family or close real life friend).

  17. Never listen to anybody who asks you to buy a very specific item, which is listed on the Steam Community Market, and do not accept offers from people offering you some sort of fund transfer to your steam account.

  18. Never believe and react to any message sent to you about winning some sort of CS2 giveaway, crypto giveaway, gambling coins, etc. If you actively participated in a giveaway yourself, you already know the source to check.

  19. Never log-in any website with your credentials through devices in public places, where other people have access. Also make sure that if anybody has access to your computer or phone (family members, roommates, etc.), that the person is 100% trustworthy and follows the exact same rule set mentioned here.

  20. Do not generate an API key and more importantly, do not share it with anyone or any website. Anyone with your API key can manage all of your Steam trade offers (incoming and outgoing). API keys are only intended for website developers. Nowadays, some websites don't use bots like Skinport, but instead ask their users to give them their API keys and use them to control the user's trades, which puts all the risks on you and your account as a user and only eliminates risks and costs for them. Possible website leaks and subsequent API scams, a potentially rogue employee with access to all keys, and possible bans (now and in the future) due to violating Steam's Web API terms, are risks which you are taking by sharing your key.


Explaining different scam methods

In this section, we will give you an overview of various methods used by scam artists. This will give you a better understanding of the reasons behind the 20 scam prevention rules, as well as a better awareness to spot scams targeted at you quickly.

  • Misspellings of Steam trade URLs: the scammer will send you a message such as "I'm leaving CS2, take my skins, I don't need them anymore", "my friend wants to trade with you, here is his tradelink", "Why didn't you confirm the trade we agreed on?", "I was cheated on by my boyfriend, I want to take revenge, take his skins" and many other variations. All of these messages contain a fake Steam trade URL (phishing website), which either contains a misspelling of "Steamcommunity" or the domain TLD at the end is different, or both.

  • Voting for players or teams: the scammer will send you a link to a website and asks you to either vote for his CS2 team or him as a player or something along those lines. Those links are phishing links or links to malware.

  • Fake Teamspeak software or anti-cheat software: the scammer will ask you if you want to join a team as a player. The message will contain a link to Teamspeak software or some kind of anti-cheat software, which is required from you by the scammer. All of these links contain malware.

  • Verifying, price checks, pattern checks: the scammer will ask you to either check the pattern, the correct price or some sort of verification of your items. The message will contain a link, which is a phishing link.

  • CS2 giveaways, crypto giveaways, jackpots: the scammer will send you a message claiming that you won a skin, some crypto, etc. and all you have to do is to claim it. All these messages have links to the scammer's phishing websites.

  • PayPal scams: the scammers will offer you to make cash trades with PayPal. They even offer to pay you first. After they paid, they charge back the money and keep your skins. Sometimes they're also just after your email to send you a PayPal invoice.

  • Crypto scams: the scammer made a fake crypto wallet website and tries to convince you to make an account there. He offers to pay first for your skins and will send you Bitcoins, ETH, etc. to your address. Since the entire website and the Bitcoins are fake, you can't withdraw anything, and lost your skins.

  • Fake lookalike CS2 items: there are two different methods when it comes to this scam. Either scammers will put worthless emoticons in the trade, which look like CS2 items. One example is the worthless Crown Emoticon which looks similar to the real expensive Crown Foil Sticker. A more dangerous and sophisticated method is that scammers make a game and get it on Steam. They will then create tradable items for that game, which (1) look exactly like CS2 items, such as knives and expensive skins and (2) have the exact same item description. The only way to distinguish them is the different game (not CS2) in the tooltip.

  • Expensive items hidden among worthless items: a scammer prepares and initiates a Steam trade with you, which includes a lot of cheaper items (these can be very cheap Steam backgrounds, trading cards, emoticons, very cheap CS2 items, etc.), but then also adds one or two very expensive items of yours among the cheap items. These trades are either discussed before between you, or the scammer sends a trade without prior discussions. What the scammer is hoping for, is that you don't check the offer with the necessary attention, overlook the valuable items, and accept the trade.

  • Top of Google search results: some scammers actually pay for Google ads to appear on top of Google search results with their phishing websites, for a given search term. For example, if you search for "Skinport", their website might appear above the real website at the very top, if you don't have an adblocker. Their website names are also usually very similar to the real websites (either misspelling of the brand or the TLD is different).

  • Buying something from the Steam market: the scammer has some CS2 items in his inventory. He will tell you that he is leaving CS2 for another game (such as DOTA) or a similar story, and that he is now looking for a specific item which is listed on the steam market, and he will show you exactly which one. The price of the item on Steam market is less than the CS2 items which the scammer has. His offer is: if you buy this item from Steam market, he will trade it for his CS2 items. This sounds like a good deal for you and you also believe that there is no risk, since the item will be in your possession anyways, even if there will be no subsequent trade. But here's the catch: this item is absolutely worthless and was listed by the scammer himself on the market for a very high price. Once you bought the item, the scammer gets the steam wallet funds which you spent and blocks you, and you're left with a worthless item and no trade.

  • Impersonation: fraudsters either impersonate Valve employees, Steam admins, some community admins and moderators, youtubers, streamers, known traders, etc. and either try to scare you or try to make you believe that you're dealing with a trustworthy and known person. In all cases, you will be asked to do some sort of trade. Another type of impersonation happens on Youtube and Twitch. Scammers make channels with names of pro players and teams. They buy thousands of fake viewers to appear on top of search results, thus gaining some real viewers and show giveaways with a link, which is a phishing website.

  • Middlemen: scammers will chose a 3rd person as a middleman. They will choose different methods to make you believe this middleman is trustworthy (fake reputation, impersonation, etc.). This middleman is either another account of the scammer or his friend. Once you have sent your items to this "middleman", you lost your items.

  • Browser extensions: there are a lot of browser extensions out there which are made by scammers and designed to steal your credentials and scam your items.

  • Gambling websites designed by scammers: these websites either ask you to deposit a "small" fee, in order to withdraw expensive items which you just "won", or they simply steal your deposited items, or the entire website is rigged. In all cases, there is nothing to win and everything is fake.

  • Comments on your Steam profile: whenever you see comments from unknown people (usually private profiles or private inventories) on your steam profile with comments such as: "add me please I have something important to tell you", "add me, I have an interesting offer", or similar comments, these are all scammers trying to get in a private steam conversation, where they can execute their scams and send their phishing links.

  • Switching items in trades: you agree on a specific trade. The scammer either has a similar looking item which he switches for the agreed item, or he has the same CS2 item, but with a worse or lower priced wear value, and switches that item. These are usually done with counteroffers, but sometimes scammers quickly trade away the pre-agreed item away to another account and you make the trade yourself, not paying attention and realizing that it's another item you're choosing on his side.

  • Spamming empty offers: some scammers send thousands of empty trade offers to a lot of people, where their side of the trade is empty and the victim's side has items, hoping that some of them accept the offer by mistake. Basically a numbers game.

  • Stolen funds in Steam market: whenever someone offers you to buy your cheap items for high prices on the market and transfer some funds to you this way, be sure that those funds are not stolen through credit card fraud and other fraudulent activities.

  • Sharking: some people search for inexperienced traders or new players to get their expensive items way below their value in a trade. The victim's items usually either have special patterns, very low and special float values, and/or are items which aren't listed on the Steam market anymore, due to being worth more than the max. steam market price cap. Sometimes the scammers try to convince victims that their own items are much more valuable than they actually are (they overprice the stickers on their guns, etc.). In all cases, these people prey on the lack of knowledge of many CS2 players about certain details of CS2 skins. This practice is called sharking.


The specific case of the infamous API scam

You've probably heard about API scams, but maybe you don't really know how it exactly works. It's also helpful to know that many, if not most of the current phishing attempts and angles scammers use to target victims, are related to API keys, one way or another. So understanding the concept is important.

Steam Web API is intended for website developers, and its use requires an API key. The problem is that currently every Steam user can easily generate an API Key for their steam account without any verification (this might change in the future, if Valve finally realizes the risks associated with it, for normal users).

Here's how API scams work:

  • Preparation: The scammer has already gained access to your Steam account, by stealing your credentials through one of the scam methods mentioned earlier in our post. The scammer can now generate an API key for your account and manage all incoming and outgoing trade offers through this key. The only problem the scammer has, is the mobile phone confirmation, which can only be done by you. Therefore, the thieve's final task is to somehow trick you into confirming a fraudulent trade.

  • Execution: The scammer either waits for some sort of trade, purchase or sale between you and another user or a legitimate third-party website and their Bots, or he actively tries to get in touch with you and get you to interact with a known website you know and use. As soon as a legitimate trade is initiated with your account, the scammer automatically and immediately cancels the legitimate trade-offer, copies the profile of the real Bot/user, and replaces the real offer with the fraudulent one, in an automated fashion with scam bots. Since this is done very quick and automatically, you don't realize that the real offer was canceled and you accept the fraudulent one with your phone and lose your items.


Could your Steam account already be compromised?

You've learned that your Steam account could already be hijacked, without you even being aware of it, and that a scammer with access to your account, could just be waiting for the perfect time to strike instead of alerting you too soon by changing your profile or password. It all depends on the scam method the scammer chooses to try on you. Maybe you remember something strange such as logging-in some sketchy website in the past, or you had an unknown browser extension installed, but didn't pay much attention because nothing happened till today. In any case, if you're not sure about the state of your Steam account, then you should definitely consider doing all the steps mentioned below. If you choose to do so, then proceed in the exact order listed and do them all quickly in one session. Also note that some steps like changing passwords could cause some short trading cooldown which you have to accept for the sake of safety.

  1. Scan your PC for viruses, malware, keyloggers, etc. and uninstall suspicious browser extensions before doing the below steps

  2. Change the password of the email address which is associated with your Steam account, especially if you used one password for both. Also check https://haveibeenpwned.com/ to see if your email and its password were ever leaked

  3. Under 'Account Security', change the password of your Steam account (Choose a new and strong password, and make sure it's not the same one as your email)

  4. Click the last point: 'Deauthorize all other devices' (If you see suspicious log-ins from devices unfamiliar to you, your account was probably compromised). After this step, you will have to log-in Steam again from the devices you use

  5. Click 'Revoke my API Key' (If you see an API Key after clicking this link, and you never generated an API key yourself, then your account was already compromised. If the field was empty, you don't need to do this step)

  6. Under the last point 'Third-Party Sites', click 'Create New URL' (if you used third-party websites where you saved your trade URL and/or if you trade with others, you will now need to update the website and your trade partners with the new URL trade link, which you created)

  7. This last step is optional, but could be helpful in some cases: read more about Steam's 'Family View' option. It offers some additional tools such as a PIN code, which could help you secure your account even more efficiently against unauthorized access, if you set it up correctly.

After successfully gone through these steps, you will basically have a fresh and clean start. Follow the 20 scam prevention rules from now on, and you should be safe going forward.


What to do if you already got scammed, and how to take down scammers?

Sometimes the damage is already done, you got scammed and traded your items away to a scammer. What now?

  1. Do all the steps mentioned in 'Could your Steam account already be compromised?'

  2. Visit the Steam profile of the scammer, at the top right click 'more', choose 'report violation', choose 'attempted trade scam' and submit the report with all the proof you have. Note: you can do this for any attempt of scamming (whether successful or not)

  3. Read this page about stolen Steam accounts and how to recover them in case you can't access your account at all.

  4. In very serious cases, calling your local police for assistance, reporting the theft and maybe even consulting a lawyer, is an option as well

The following steps are helpful, even if you didn't get scammed

  1. Report any phishing website you find to google with this link

  2. Report any source containing malware to google with this link

  3. Report the domain name of the phishing websites to the registrar (use Whois services to find out details, the domain names are usually protected by privacy services, but you can still report such phishing websites to the domain name registrar)

  4. Report the scammer to Steamrep.com with the required proof

  5. Share the information with your friends and tell them to block the scammer

  6. If you encountered the scammer in communities such as discord, reddit, groups, etc., report them to the admins and moderators, so that they can get banned on those communities


If you've made it this far, congratulations. We hope our guide will help you to secure your account and deal with fraudsters.  Stay safe.