For several years now, there have been various criminals (Yes, these are by definition criminals) running various scams in Steam. Most commonly, these scams are intended to get you to give them access to your Steam account - so that they may then sell-off any Steam or game-specific "Items", and then also use your Steam account to further replicate the scam.

The conversations typically start fairly innocuous, but eventually lead to them sending you a web-site link ("URL" in techno-speak) to a web-site they control - which will then be used to trick you into entering your Steam login information and password.

This type of attack (attempting to get your login information) is known as "Phishing".

In particular for TF2, these conversations often seem like an attempt to recruit a new player into a competitive TF2 team. Further they often attempt to convey a sense of urgency - as if they need a new player immediately because of some up-coming competitive match or deadline for filling-out their team's roster.

Although I do not play TF2 competitively myself, I personally am on the receiving end of these "Phishing" attempts at least once per month.

What they are really after is not your TF2 playing skills. Instead, what they are interesting in is all your TF2 "items"! (and probably "Items" for other Steam games you may own).

NOTE: This type of scam is NOT limited to just TF2 players as targets. They can really target any players of multi-player games on Steam! TF2 is just the most common at the moment.

Once they get access to (or "compromise") your Steam account, they typically do several things with it:

• Change your password. So that you can not get into your Steam account yourself any more.
  
• Change the email address that your Steam account is registered to. Again, so that you can not get into your Steam account yourself any more.
  
• Trade all your TF2 "Items" away to another account, which they will then use to transfer them out to either themselves, fellow-scammers, or to sell them-off in the Steam Marketplace or elsewhere.
  
• Attempt to Phish all your Steam friends using your Steam account!
  
• Remove all your Steam friends - usually after trying to Phish them.
  
• Remove Steam group memberships - just to be nasty.

A real-world example from 2021-11-10:

• [9:26 AM] - Potential-Scammer:
  HELLO MATE
  sorry caps:3
  how are you?
  
• [9:26 AM] - Potential-Victim:
  hiya
  
• [9:26 AM] - Potential-Scammer:
  what is your Tf2 main and how main hours you have on it?
  
• [9:27 AM] - Potential-Victim:
  10,444 hours in TF2 (more actually, that's just since they started counting)
  
• [9:28 AM] - Potential-Scammer:
  wow
  thats a looot
  ok bro, tbh I asked cuz we need one more player in a highlander Tf2 tournament with 300$ prize pool, our teammate dropped us in last min and if we miss one player we get tech lose
  could you try?
  
• [9:29 AM] - Potential-Victim:
  sorry don't play competitively
  
• [9:29 AM] - Potential-Scammer:
  oh, ♥♥♥♥, sad to hear that
  but could you at least vote for my team? It would assist us and rise our rank on platform, it will take less than 1 min.
  
• [9:30 AM] - Potential-Victim:
  how's that work?
  
• [9:30 AM] - Potential-Scammer:
  we gain bonuses for every vote
  can you help with that?
  
• [9:31 AM] - Potential-Victim:
  maybe
  
• [9:31 AM] - Potential-Scammer:
  actually the game starts in 40 min and we have warm up session in like 20 min, does it suits for you?
  
• [9:32 AM] - Potential-Victim:
  no, working right now
  
• [9:32 AM] - Potential-Scammer:
  oh, ♥♥♥♥, sad to hear that
  but could you at least vote for my team? It would assist us and rise our rank on platform, it will take less than 1 min.
  
• [9:33 AM] - Potential-Victim:
  maybe
  
• [9:33 AM] - Potential-Scammer:
  I really appreciate it bro
  we are playing on that league
  {some-web-site-URL-here-CENSORED-for-safety}
  just enter and open the teams, and you can find my team, Repulse, on the 5th place, click View Details and Like to vote
  and please register with your steam name to know who is voting, ok bruh?
  
• [9:35 AM] - Potential-Victim:
  will check it out later.
  
• [9:35 AM] - Potential-Scammer:
  please dont forget
  its really important

To avoid this situation, there are several things you can and should do.

• Make sure the email address that your Steam account is registered to is current (i.e. you have access to it!). Update it as needed to make sure it is registered to an email account you have access to. Otherwise, getting back control over your Steam account later after getting hacked is going to be darn near impossible.
  
• Setup the Steam mobile app on your phone. It acts as an extra verification device for any trading transactions.

• Do not click-on web-site links (URL's) in messages from strangers.
  
• Do not click-on web-site links (URL's) in messages from Steam friends, without verifying that the message really came from them.
  
• Verify though some other outside means (such as e-mail or Discord) that the person you are talking to in Steam, is really who they claim they are - before clicking on any web-site links (URL's) they send you.
  
• Be skeptical of any web-sites that ask for your Steam login information.

If you have already clicked on that link somebody sent you, were prompted to enter your Steam login information, filled-it out, etc.

• Immediately change your Steam password. Make sure to pick a new password that is nothing like your old Steam password.
  
• Immediately verify what email address your Steam account is registered to, and if it has been changed by the scammer already - immediately change it back.
  
• If you don't have the Steam Mobile App installed on your phone, do it now - and sign-in on it.

• Panic! Seriously, all the games you bought through Steam and any in-game "items" you have ever had are at stake!
  
• If you can not login to your Steam account, contact Steam Support immediately. Time is wasting, tick-tock.
  
• Only Steam Support can help you.
  
• They can change the email address that your Steam account is registered to, back to whatever is what before.
  
• However, they will not change it to some other new email address you have.
  
• So, if you no longer have access to the old email address that you have your Steam account registered to - most likely, all they are going to do is permanently disable your Steam account so that at least the scammer hopefully gets no benefit from it. But, in that case, you will not be getting it back either.

Do not just let these scammers move onto the next potential victim.

Take these actions to help protect others.

• Report the Steam account. On the Steam profile page for that account there is a "report" feature. Select that, select option to report them scamming. When asked for details mention they tried "Phishing" (mention that word specifically), if you have a copy of the web-site link they sent you be sure to include that.
  
• Unfriend that Steam account.
  
• Block ("block all communication") with that Steam account.
  
• If you and they belong to any of the same Steam Community groups, notify the administrators/moderators of those groups. Otherwise, they may start posting their Phishing links there, or using that group's membership as targets.
  
• If you preserved that web-site link, report the URL to Google as a "Potential Phishing Site" (use that verbiage). The Google page for doing that is here[safebrowsing.google.com].