Fake Steam logins: quick signals and safe responses

Attackers steer you to pages that borrow Steam's CSS so the UI feels legitimate while the login form POSTs your credentials to a server they control. Your job is to starve the form: verify the domain, slow down, and back up your response with an understanding of how Steam Guard works.

Official entry points live on steampowered.com and steamcommunity.com. Static CDN hosts are fine for loading images, but never type a password into a form on an arbitrary registrable domain.
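
The domain check described above, as an added example (not code from this article or from Valve): a JavaScript function that parses a link the way a browser does and reports whether its host sits on steampowered.com or steamcommunity.com. The function name, reason strings and sample links are constructed for illustration, and treating only those two domains as official is an assumption taken from the paragraph above.

```javascript
// Added example. Assumption: only the two domains named above count as official.
const OFFICIAL_DOMAINS = ["steampowered.com", "steamcommunity.com"];

// Returns { official, host, reasons } for the host a browser would actually contact.
function checkSteamLink(raw) {
  let url;
  try {
    url = new URL(String(raw).trim());
  } catch {
    return { official: false, host: null, reasons: ["not an absolute URL"] };
  }
  // WHATWG parsing lowercases the host and converts Unicode labels to punycode.
  const host = url.hostname.replace(/\.$/, ""); // drop a trailing root dot
  const reasons = [];

  // Match on a label boundary: the domain itself or a true subdomain of it.
  const onOfficial = OFFICIAL_DOMAINS.some(
    (d) => host === d || host.endsWith("." + d)
  );
  if (!onOfficial) {
    reasons.push("host is not on an official Steam domain");
    // "steamcommunity.com.something.example" only carries the name as a prefix.
    if (OFFICIAL_DOMAINS.some((d) => host.includes(d))) {
      reasons.push("official name appears inside a different registrable domain");
    }
  }
  if (url.protocol !== "https:") reasons.push("scheme is not https");
  // In "https://steamcommunity.com@other.example/" the part before @ is userinfo.
  if (url.username || url.password) reasons.push("userinfo before @ disguises the host");
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    reasons.push("punycode label, possible look-alike characters");
  }
  return { official: reasons.length === 0, host, reasons };
}

// Constructed sample links (not taken from any real campaign).
const samples = [
  "https://store.steampowered.com/login/",
  "https://steamcommunity.com.login-check.example/openid",
  "https://steamcommunity.com@trade-offer.example/login",
  "https://st\u0435amcommunity.com/login", // Cyrillic "e" look-alike
  "http://steamcommunity.com/login/home/",
];
for (const s of samples) {
  const r = checkSteamLink(s);
  console.log(r.official ? "OK  " : "FLAG", r.host, r.reasons.join("; "));
}
```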

High-signal red flags

Domain and TLS

  • The credential host is not an official Valve domain for login.
  • Browser TLS warnings - do not click through "for the tournament."

Social pressure

  • "Tournament admin," "trade hold removal," or "VAC check" timers under a minute.
  • QR codes in Discord/Telegram that open unexpected login flows.

Common misconceptions

  • "HTTPS padlock means safe" - no; attackers obtain certificates too.
  • "My friend sent the link so it must be fine" - their account may be compromised.

If you already typed credentials

Change your password from the official domain only, invalidate web sessions, audit Steam Guard devices, and rotate the credentials of your email account if password resets could pivot through it.

Streamer workflow

Moderators need canned responses. The chat rules snippet generator standardizes "no outbound Steam links from fresh accounts," while the channel points redeem spec documents safe automation boundaries.

Pair with Steam Guard literacy

Read Steam Guard basics so your community understands why random approvals are dangerous.

Aftermath inventory

If inventory moved, open an official Steam support ticket with timestamps. Third-party "recovery brokers" are fraud.

Who faces the highest phishing risk

  • Traders with high-value inventories.
  • Players who log in from shared PCs without signing out.
  • Users running many convenience browser extensions.

FAQ

The site looks exactly like Steam - how can it be fake?
Attackers hotlink CSS and artwork from legitimate CDNs while hosting the credential form on a look-alike registrable domain. Read the host name and certificate, not the logo.

I already entered my password - what now?
Change the password from an official Steam domain on a clean device if possible, revoke web sessions, review Steam Guard devices, and harden the mailbox.

Should I install a browser extension that auto-blocks Steam scams?
Only install extensions from trusted vendors with audit history. Malicious "security" extensions have exfiltrated cookies before.

They asked for password and Guard code on one page - is that normal?
Legitimate Steam flows do not harvest both on random third-party hosts. Close the tab and open the Steam client manually.

Is it safe to inspect a shortened redirect link?
Redirects hide the final domain - avoid clicking; type steampowered.com or steamcommunity.com yourself.

What should stream moderators do?
Use the chat rules snippet generator and the channel points redeem spec for consistent canned replies.

Where should I report phishing domains?
Notify your registrar or host if you control infrastructure, and send Steam Support the URLs and timestamps so blocks propagate.

Does this article replace Steam Support?
No. It is practical signal guidance; inventory theft still requires official tickets.