The infamous API / Phishing Scam

This is a really common scamming method that affects a lot of people.

Phishing sites pretend to be other websites to trick you.

Sometimes the fake websites are legitimate looking, but they don't do anything else than to steal your Steam account login when you type it in.
Therefore, scammers do all that's in their power to get you to visit the fake website and login to it.

The most common methods are:

  • Someone added you on Steam and promised you free items or told you you won a giveaway
  • You followed a link someone posted on a Steam profile on a website that was supposed to be offering competitive CSGO matches/cups/tournaments
  • You logged in to some legitimate looking website that promised to analyze your inventory or to give you huge bonuses on case openings
  • A website "admin" added you on Steam to give you free skins or free coins to his website
  • You searched for a website you know on Google and blindly clicked the first option. Sometimes, scammers pay for Google ads for their fake website, and they show up ahead of the real website
  • ... and many other ways. Keep in mind that scammers are inventive and they'll do anything to get access to your account.

How does it work?

When you logged in, they automatically created an API Key for your account, which gives them future access to monitor the trades you make. They also have control over your account, as you gave them your username and password.
When you try to trade with a friend, or deposit an item on a website, they can see that and they'll try to trick you into taking your items.

  • They will cancel the original offer you sent, with the help of the API Key they created
  • They create an identical looking Steam account (name and avatar), that impersonates your friend, the website's bots or your trading partner
  • Because they are logged in as you, they will send a new offer with your items to the scam account, tricking you into believing it's the real account

When you confirm the offer with your Steam Authenticator, you are actually confirming the scam offer instead of the original one, and you lose your items.
This is why the Steam Authenticator alone doesn't protect you from this type of scam.

How to check if your Steam account is compromised

  • You can check if your account has an API Key active. If you don't remember creating it, you should remove it and secure your Steam account
  • When you confirm your trades from the Mobile app, you should compare the joining date and Steam Level of the two profiles. If it's not the same, you should decline the trade immediately and secure your Steam account

Keep in mind that having an API Key active isn't a 100% indicator that your account is compromised. Some marketplace websites or gambling websites rely on API keys in order to track your item sells and deposits.
Sharing your API Key is safe, just make sure you never share it with other users and only input it yourself when legitimate websites ask you for it.
With just the API Key, websites only have access to monitor and decline your your trades. The API Key alone is not enough for anyone to take control over your account.

How to secure your Steam account if you have been compromised

There are three easy steps you need to take in order to make sure your account is safe. Do NOT make any trades from your account unless you have completed these steps.

  1. Change your Steam Account Password
  2. Remove the existing API Key from your account
  3. Deauthorize all other devices from using your Steam Account

Optional: Enable 2Factor Authentication on your CSGO500 account to prevent scammers from logging in as you on CSGO500, even though they have control of your Steam account.
Optional: If you don't have 2FA already, deauthorize all other devices from CSGO500 as well by clicking on the Logout button.

How to stay safe in the future

The first step to protecting yourself better in the future is to acknowledge what happened and try to understand how you got tricked. Everyone makes mistakes, but it's important to learn from them and never fall victim to scammers again.
Start by identifying the way your account got compromised. Check your Steam Login History here and compare the timestamp to your browser's history.

Remember that this scam starts by you logging into a fake website.

Always stay logged in on Steamcommunity.com
If you're logged in on Steamcommunity and a website asks you for your Steam login credentials, it's a phishing website and you should avoid it.

What's a safe way to use CSGO500?

Don't fall for copycats
Our only active domains are csgo500.com, csgo500.io, csgo500.co, csgo500ru.comcsgo500tr.com and 500play.com

Bookmark us in your browser
By doing that, you can access us directly. CTRL+D (or Command+D) are the most common shortcuts to bookmark a page.

Apr 8, 2021

Contact Us

Not finding what you're looking for? Contact us directly