What is a CS2 Scam?
Items in CS2 have significant real-world value. You can sell and trade your skins for actual money, whether in fiat or crypto. So, just like any other item in the world that has a monetary value, numerous attempts are made to illegally steal and hack skins by phishing, brute-force, and social engineering attacks.
These attempts are defined as CS2 scams. Generally, CS2 scams involve a direct approach to the victim, who may be phished into clicking on a fake link, socially engineered into trading their items away, or tricked into exposing their Steam credentials or API key in one way or another.
Why Are CS2 Scams So Common?
We’re going to go into meticulous detail on the kind of scams you can expect nowadays, alongside how to spot them from a mile away so you can keep yourself and your account safe.
CS2 scams are quite common because they are easy to pull off due to Steam’s lackluster security and lack of awareness among most players. CS2 has a lot of younger players who are susceptible to social engineering scams and fake websites as they tend not to be aware of them.
Consequently, since Steam has only recently employed measures such as 2FA and Steam Guard, there is still an abundance of botted and hacked accounts that can send players pretty convincing messages and links that can cause them to click on something they definitely shouldn’t.
Lastly, the value of CS2 items can be high. There’s a big incentive for scammers to spend copious amounts of time trying to conduct scams in CS2, which has amassed a large player base and therefore potential targets.
While Steam does its level best to ban accounts that are linked to scamming, they aren’t nearly quick enough, and items are often cashed out before the perpetrator is caught.
Who Are the Targets of CS2 Scams?
Individuals with high-value public CS2 inventories are generally the targeted victims of CS2 scams. However, even players who may not have the most expensive of inventories can be victims of botted scams, such as a Steam account mass-messaging all players in its friends list with deceptive links in the hopes that someone clicks on them.
So, no account is safe from a CS2 scam. However, the more expensive your inventory, the higher your chances of being targeted by more believable and hard-to-identify links and scams that can trick you.
We’ll cover all the scams to help you become more careful and vigilant, empowering you to protect yourself from them.
Different Types of CS2 Scams
CS2 scams generally follow the same pattern but hide themselves in different ways. They either ask you to trade your items for a ludicrous incentive or try to get your username and password so they can log into your account and trade your items on their own.
Sometimes, they will try to get their hands on your Steam API key, allowing them to create fake, identical trades that you may end up accepting.
Fake Websites
Scam CS2 sites are currently rampant on all popular search engines like Google and Bing. They disguise themselves to look legit, faithfully emulating the UI of a more popular site in the hopes of luring people in with a deceptively similar URL.
Let’s take an example—let’s assume there’s a totally legit site with the following domain name:
tradeincs2(dot)com
Now, this is a completely legit, verified site that you should have no issue using. However, a scam site might be labeled something like:
tradeincss2(dot)com
tradeincs3(dot)com
tradeinncs(dot)com
tradeincs2(dot)co
Notice the subtle differences between them? There’s either an extra letter, a typo, or a different domain. While you will be able to quickly identify these changes if you are paying attention, if you randomly click on this link from a social media site or from a search engine, the difference might elude you.
On these sites, you’ll be greeted with the same menu, UI, and features. But, if you log in with Steam to these sites, you’ll give them access to your inventory.
Before CS2 was released, Valve issued a warning for players to not register on sites that promised access to the CS2 early access beta as all of them were fake and were trying to get you to log in via Steam to their site.
Nowadays, most of these websites use black-hat SEO to try to rank above legit websites for certain keywords. Therefore, always double-check the domain of a site if you’ve clicked on it from a hyperlink or a search engine query.
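The domain check described above can be automated. The following is an added example, not code from the original article: it compares a link against an allowlist and flags the kinds of lookalikes listed earlier (extra letter, typo, different domain ending). The allowlist entry is the article's placeholder domain, and the threshold of two edits is an assumption.

```python
from urllib.parse import urlsplit

# Allowlist: the article's placeholder for a legitimate trading site.
TRUSTED = {"tradeincs2.com"}

def host_of(link: str) -> str:
    """Return the lowercase host of a URL or bare domain, refanging '(dot)'."""
    link = link.strip().lower().replace("(dot)", ".")
    if "//" not in link:
        link = "//" + link            # lets urlsplit parse a bare host
    host = urlsplit(link).hostname or ""
    return host[4:] if host.startswith("www.") else host

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: inserted, deleted or substituted characters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(link: str, max_edits: int = 2) -> str:
    """Classify a link as trusted, a lookalike of a trusted site, or unknown."""
    host = host_of(link)
    if host in TRUSTED:
        return "trusted"
    name, _, ending = host.rpartition(".")
    for good in TRUSTED:
        good_name, _, good_ending = good.rpartition(".")
        if name == good_name and ending != good_ending:
            return f"lookalike of {good}: different domain ending"
        if edit_distance(name, good_name) <= max_edits:
            return f"lookalike of {good}: near-identical name"
    return "unknown"

if __name__ == "__main__":
    # The article's own examples, kept in their defanged form.
    for link in ["tradeincs2(dot)com", "tradeincss2(dot)com", "tradeincs3(dot)com",
                 "tradeinncs(dot)com", "tradeincs2(dot)co"]:
        print(f"{link:24} {classify(link)}")
```

"unknown" is not a pass: only an exact match on the allowlist counts as trusted.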
Phishing Emails
Phishing is the act of disguising yourself as a verified entity to try and get authentication information from a user. For scammers after CS2 items, email is perhaps the easiest way to get information from a user, as it usually catches them off guard.
The types of phishing emails vary. Some may have you input your personal information to confirm shipping for an item that doesn’t exist, verify your PayPal account, or copy a fake email from Steam requesting you to urgently change your password by inputting your old one.
They’re always sent from addresses that resemble official emails. For example, take a look at this scam PayPal email:
Here, the email itself is sent from PayPal and is legit. However, the scammers are exploiting PayPal’s estimate system, and by clicking on the estimate, you’d inadvertently pay the scammer a certain sum of money.
No matter how legit it seems, do not click on any email you aren’t able to trace or that doesn’t resonate with your own actions. For the sake of being safe, email the support service of that company to confirm whether the email you just received is genuine.
Steam API Key Scam
Your Steam API key is used to initiate and decline trades for you, alongside letting legitimate websites monitor your inventory and current transactions. If an attacker gains access to your Steam API key, they cannot confirm trades for you—unless they have access to your email or mobile application if you have Steam Guard, which is generally not the case.
However, if you do accidentally share your Steam API key, scammers will immediately monitor the trades that you are making. This will enable them to intercept a legitimate trade, for example, selling a CS2 skin for $50 to a certain site, then cancel it and issue a new one. This new trade will be identical to your trade in every single way except it’ll have a different recipient: the scammer’s account. If you aren’t careful and don’t double-check the bot account’s name and ID, you’ll ultimately accept the trade, causing your item to go to the scammer’s bot instead of the intended bot.
API Key scams are particularly dangerous because they don’t make themselves immediately obvious. Even if you do click on a scam site, it may be months before you are actually attacked by the scammer—they may wait for the perfect opportunity.
Fake Match / Tournament Scam
The fake tournament scam is not as common as it was before, thanks to better antivirus software. It makes you download an anticheat that’s supposedly required for you to participate in a particular tournament. This tournament does not exist, and the anticheat you downloaded is a trojan horse or a keylogger meant to take your Steam session data or steal your passwords and usernames.
If you want to play in a particular tournament, just have your friend invite you via FACEIT. Do not click on any extraneous link.
Man in the Middle Scam
The scammer will offer you an extremely lucrative deal for a CS2 item or any other item that may be in your inventory. They’ll not initiate a trade with you; instead, they’ll ask you to list your item on a legit trading site.
Since you have no reason to doubt that trading site, you’ll make the listing. However, the scammer will send you an identical trade offer, disguising themselves as the bot, before the actual site sends you its trade offer. The scammer is taking advantage of that window: you’ll probably have let your guard down and will accidentally accept the fake trade, causing you to lose your items.
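Both the Steam API key scam and the man-in-the-middle scam come down to an offer with the right contents and the wrong recipient. The following added example (not from the original article) shows the check to run before accepting; the record fields and every ID in it are hypothetical and constructed, not Steam's API.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Offer:                      # hypothetical record, not Steam's API schema
    offer_id: str
    partner_id: str               # ID of the account that would receive the items
    items: frozenset              # identifiers of the items you would give away
    state: str                    # "active" or "canceled"

def review(offers, expected_bot_id):
    """Return {offer_id: verdict} for every active offer in the list."""
    # Contents of offers that went to the expected bot but were canceled.
    canceled = {o.items: o.offer_id for o in offers
                if o.state == "canceled" and o.partner_id == expected_bot_id}
    verdicts = {}
    for o in offers:
        if o.state != "active":
            continue
        if o.partner_id == expected_bot_id:
            verdicts[o.offer_id] = "ok: recipient is the expected bot"
        elif o.items in canceled:
            verdicts[o.offer_id] = (f"reject: copy of canceled offer "
                                    f"{canceled[o.items]} with a new recipient")
        else:
            verdicts[o.offer_id] = "reject: recipient is not the expected bot"
    return verdicts

# Constructed sample data; every ID below is a placeholder.
SITE_BOT = "BOT-ID-PUBLISHED-BY-SITE"
SKIN = frozenset({"item-skin-50usd"})
API_KEY_CASE = [
    Offer("1001", SITE_BOT, SKIN, "canceled"),          # real offer, canceled
    Offer("1002", "BOT-ID-LOOKALIKE", SKIN, "active"),  # identical contents
]
MITM_CASE = [
    Offer("2001", "BOT-ID-LOOKALIKE", SKIN, "active"),  # arrives first
    Offer("2002", SITE_BOT, SKIN, "active"),            # the site's own offer
]

if __name__ == "__main__":
    for case in (API_KEY_CASE, MITM_CASE):
        for offer_id, verdict in review(case, SITE_BOT).items():
            print(offer_id, verdict)
```

The comparison is on the recipient's ID, never on the display name or the contents, since those are exactly what the fake offer copies.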
Ads Scam
An extension of a fake website, an ad scam is where scammers game Google or any other search engine or social media site’s AdWords by disguising themselves as a legit trading site with a similar name and placing themselves at or near the top of search engine results.
If you aren’t careful, you’ll be led to a scam website that has an identical name but a slightly different domain, leading you to get scammed with a trade offer or by having your Steam API key exposed.
Take a look at this image for example:
Here, we can clearly see that the advertiser is DMarket Inc. The scammer has used the DMarket marketplace brand to launch a fake scam ad. Checking out the correct name of the marketplace is crucial to determine if there’s anything fishy going on.
How to Avoid CS2 Scams
With all these CS2 scam sites running rampant, you need to be very vigilant and proactive. Here are a few ways you can avoid CS2 scams to ensure your items remain safe:
Only Trade on Reputable Websites
Websites like DMarket have solidified their reputation over the years as bastions of security, privacy, and trust. So, pick CS2 trading websites and middlemen that have positive reviews on Trustpilot and other community forums. There is no reason for you to choose a new trading platform that has little to no reviews, especially if the deals seem extremely lucrative. When trading, do not go for deals that seem a bit too good, as there’s a high chance that they’re scams. Go for trading platforms that are vetted, used by many, and have solid years of experience behind them with proper customer support teams and staff with a real social presence.
Use Strong Passwords
You should never have the same password for all your email accounts, your Steam accounts, and so on. Every single password should be different, even if they are variations of each other. Opt for a strong password so that it can’t be randomly guessed or brute-forced by an attacker trying to get into your accounts.
We recommend using a password manager as they create passwords for you, store them, and let you know if any of them have been compromised. Plus, you’ll just need to remember one secure password instead of multiple.
Use a Secure Connection
Using the public internet in a coffee shop or an airport to execute trades or log into your bank account isn’t the smartest idea. While connections are encrypted, there are multiple ways a targeted attack can intercept your session data, hijack your cookies, or just sniff your packets to get your username and password.
Therefore, when performing more sensitive operations, make sure you use a secure, encrypted internet connection—preferably one that isn’t accessible to the general public. This helps ensure that no one in your own network connection performs a Man in the Middle Attack or sniffs your packets and session data.
Plus, make sure that you are always using the HTTPS protocol and not HTTP when accessing a site. Otherwise, there’s a chance that your unencrypted data can be intercepted by an attacker and used to emulate your session.
Use 3DS for All Payments
3D Secure is a protocol that is quite similar to 2FA. This protocol has you confirm every single transaction you make with your credit or debit card with a temporary numerical code sent to your phone number, your email, and in some cases, your mobile banking application.
Just like 2FA, this adds an extra layer of protection against your credit or debit card being skimmed or used maliciously. This way, if someone does somehow get your credit card information, they’ll still need access to an OTP to be able to perform a transaction with it.
Naturally, you should never give your OTP to anyone since even your bank will never ask you for that code.
Be Careful of Who You Trade with
Whether it’s a bot, a site, or a friend, always make sure that you are trading with the right person. When confronted with a trade offer, always double-check the Steam ID of the bot or the friend to make sure it matches with the real one.
Do not accept trades in your mobile application immediately. Take a breath, inspect the actual contents of the trade, the name of the bot, the IDs, and when you are absolutely sure that this is the right trade offer, only then should you accept the trade.
If someone’s rushing you into accepting a trade, or if a trade seems too good to be true, there’s a high chance that it probably is. So, always use your common sense to ensure that you don’t get randomly scammed into an illegitimate trade offer.
Be Wary of Unsolicited Emails
Using your common sense when it comes to skimming emails that turn out to be scams goes a long way. No, you probably haven’t won a million dollars from a random lottery. Before you click on any random link, take a close look at the sender and make sure to check the subject and the actual link present in the email before clicking.
You will never get an official email from a Gmail or a random Yahoo domain. They’ll always come from the actual domain of the site. Plus, if you feel like an email is even slightly shady, do yourself a favor and don’t even bother opening it.
Always Use 2FA Wherever Possible
Two-factor authentication ensures that even if someone has your username and password, they will need access to your device or email to be able to log in to your account or execute a trade. You should also set up 2FA on your email and enable Steam Guard, alongside using the feature wherever possible.
Most devices tend to remember your session data and don’t ask for your 2FA code constantly when you try to log in. However, if an unidentified device tries to log in, 2FA acts as an immediate safeguard that helps add an extra layer of defense against scam attacks.
Use a Trade Intermediary
A trading intermediary or a middleman helps iron out some of the issues that you may experience while trading directly with someone you don’t want to trade with. You can use a platform like DMarket to act as an intermediary, where your items are released when the trade is made successfully on both ends, and there isn’t any chance of a scam.
I Got Scammed on Steam, What Do I Do?
If you have just been scammed on Steam and you have lost your items or are under the impression that your account has been compromised, here are the steps that you should immediately follow:
- Change Your Passwords: If you can log in, you should immediately reset/change your Steam password and do the same with the email account associated with your Steam account.
- Revoke your API Key: Once an account is compromised, whether you fear that your API key has been stolen or not, it is good practice to revoke it, just in case. You can do so by heading to Steam’s official API Dev key link.
- Contact Steam Support: You may have a slight chance of getting back your items or at least getting your account locked down if you have just been scammed. Therefore, be proactive about it and immediately contact Steam Support so that they’re aware of the situation.
- Reset Your Steam Trade URL: Just like your API key, your trade URL can be used to make trades. While they will require your approval if you have Steam Guard enabled, you should immediately change it by heading to Steam’s Trade Offer link and clicking on Create New URL.
- Deauthorize All Steam Guard Devices: Log in to your primary mobile device and head to the Steam Account Details page. Once there, select Manage Steam Guard and then select Deauthorize all other devices.
Conclusion
API scams in CS2, and general CS2 fraud, are running rampant nowadays, especially with the value of items feeling so inflated. So, make sure to always stay on your toes and keep your account safe from any scams or suspicious activity by always using trusted sites, not opening random links, and double-checking any trade offer that seems too good to be true.
With the right mindset and proper checks and balances in place, you’ll be able to keep your inventory and account free from any malicious scams. Make sure to always use trusted platforms when trading to minimize the risk of your account being compromised.