https://help.steampowered.com/en/faqs/view/70E6-991B-233B-A37B (steam scam FAQ)

https://help.steampowered.com/en/faqs/view/78E3-7431-1E88-AD59

https://help.steampowered.com/en/

You can open a ticket. You should have your son read some of the support pages about scams.

Ultimately aside from resolving this specific issue, making sure he learns how to protect himself should be the next thing on the list.

Nope.

The card number is probably already used and it's going to be difficult to prove that it was a scam vs. a gift, depending on context of course. But even so: a gift card can be used and then that's it. You can't go back on that.

Also... accounts don't get hacked on Steam but rather taken over aka hijacked, This is common when people use their Steam account to log onto other websites which aren't Steam. So you may want to make sure that this isn't the case, otherwise it's just waiting for the next incident to happen.

Does this URL list any entries for his account: https://steamcommunity.com/dev/apikey

... if it only asks for a domain then you should be safe. But if it contains entries then the account got compromised; then you want to remove all keys, de-auth all other devices and change the password.

This is some really great info! You are probably right I never thought to ask him if he used his Steam account to sign into another site. I'll check with him right away. And also to try that url.

If his account was hijacked, he may still have malware on his pc.
To secure account, he need to go through this list:

1. Scan for malware https://www.malwarebytes.com/
2. Check that the email and phone number on the Steam account are still yours.
3. Deauthorize all other devices https://store.steampowered.com/twofactor/manage
4. Change passwords from a trusted/clean device.
5. Generate new backup codes for your Mobile App https://store.steampowered.com/twofactor/manage
6. Revoke the API key https://steamcommunity.com/dev/apikey (there should be nothing in the APIKEY)