During a trade, you must complete the following steps:

1 Send the trade offer
2 Confirm via your mobile device
3 Wait for the other party to accept.

The API Scam occurs during Step 2, when users are prompted to confirm the offer. Using access to the API Key, scammers cancel the offer you sent, clone the trading partners profile (using the same name and profile picture!) and send a counter-offer for your item.

You can only spot the difference if you know what you're looking for! But, if you accept, the damage is already done.

Take a look at the images below...



I'm trading with an unknown user, Steam Level 14 and registered since 20 January, 2018. Correct offer.



Accepting on my mobile, I'm trading with an unknown user, Steam level 6 and Registered since 3 January, 2021. Wrong offer.

Although the information appears the same, it isn't! The Steam profile Level and registration date are different! Voila, you've spotted the scammer. If you want to go even further, take a look at your trading partners profile to see how it differs from the moment you sent the offer.

To stop this from happening, you MUST take the necessary safety measures to ensure your account is safe.

The most important step is revoking your API Key:



Refresh your page. If the API is gone, they shouldn't have access to it anymore. But for extra safety, you can also do the following:

Create a new trade url.



Change your Steam password and repeat the previous steps. This is the safest option, but your trades will be blocked temporarily after you change your password.

By implementing these changes, the scammers will no longer have access to your account to generate a new API, nor to your trading partner to send a counter offer.

Can I spot the scam before it happens?

Yes! There's a few simple steps you can take to spot a scam. It's best to wait a few moments before accepting the trade on your Steam Authenticator. Make sure you check if your original trade offer was cancelled on Steam. Also, pay close attention to your trading partner's profile registration date, name, picture and level - does it match the original account you sent the offer to? It's better to be safe than sorry, after all!

How did the scammer get access to my API Key?

Usually via phishing websites and third-party browser extensions. You may have opened a notification/message claiming you earned big deposit bonuses, or clicked a Google AD link that was in actual fact a fake page. Take care to ensure that you never link your Steam account to a website you're unfamiliar with. Taking a few extra minutes to carry out research is worth while.

Can the scammers steal my account with this access?

No. The API Key will only give scammers access to your activity log. They can view or cancel your trades, but they can't take control of your account or steal your information. All in all, this does depend on the scam method you fell victim to. So it's really important that you follow the above tips for extra safety!

I hope this guide helps you keep your account safe and most importantly, prevent scams before they happen. Make sure you follow the steps shown above, and share the guide with your friends to guarantee safe trades for all!