OPSkins prides itself in being the safest and most trusted marketplace for trading in-game digital items.
Lately there has been a new wave of phishing sites that have been using Google AdWords to target our customers and then scam them through their Steam API Key. It’s a sophisticated scam and impossible for OPSkins to prevent because it involves phishing sites and Steam logins – the scammer never actually compromises the victim’s OPSkins account (although they may still have access to it if you don’t have 2FA enabled on your OPSkins account). Regardless, we want to make our customers aware of it so they can be extra vigilant in protecting themselves from this Steam API Key scam.
How the Steam API Key scam works:
- A victim Googles “OPSkins” and the first search result is a phishing site that is advertising with Google AdWords to ensure their listing appears at the top of the search results page. While at first glance these search listings might look legitimate, upon closer inspection the addresses are not correct OPSkins URLs (below we explain how you can distinguish a fake OPSkins URL from a legitimate one).
- The victim logs into the phishing site.
- The scam site operator now has access to the victim’s Steam login credentials, which they use to then log in to the victim’s Steam profile.
- The scammer retrieves the victim’s Steam API key through their Steam account. This key has a lot of power including trade offer history, the ability to cancel trades, etc. See the full list of functions supported by the Steam Web API here.
- The scammer then waits for the victim to trade on OPSkins, possibly contacting them to initiate a trade.
- The scammer then cancels the legitimate trade and changes their Steam username to match the OPSkins bot name so that the victim thinks they are trading to an OPSkins bot.
- Since the scammer can see the victim’s trade history because they have access to their Steam API Key, the scammer then sends the same trade offer to the victim.
- The victim then confirms the offer because they believe it to be a legitimate trade to an OPSkins bot.
- The victim has unknowingly sent a trade offer to the scammer, losing their items.
We are working with Google to have these phishing ads removed as soon as they’re discovered, but unfortunately we often only become aware of them after a customer has already become a victim of the Steam API Key scam. We have a process for reporting these to Google AdWords but it can sometimes take a few days for them to investigate and remove the URL.
How to protect yourself from the Steam API Key scam:
One way you can help protect yourself from the Steam API Key scam is by learning to tell the difference between a real OPSkins URL and a fake OPSkins URL.
The ONLY legitimate OPSkins websites are ones that end in opskins.com or .opskins.com or opsk.in
Examples of legitimate OPSkins websites are:
- opsk.in/ (This is the URL to our link shortener)
Scam sites often have a phrase or characters before or after .opskins.com
Examples of scam websites impersonating OPSkins are:
As you can see, none of the above scam links include .opskins.com or opsk.in. At first glance, they appear to be OPSkins and since they are advertising through Google AdWords, they appear first in some search results.
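The URL rule above can be checked mechanically. The following Python sketch is an added example, not OPSkins code: it reads "ends in opskins.com or opsk.in" as "the hostname is that domain or a subdomain of it", and it additionally requires https. Both readings are assumptions, and all sample URLs are constructed.

```python
from urllib.parse import urlsplit

# Domains the article names as legitimate.
OFFICIAL_DOMAINS = ("opskins.com", "opsk.in")


def hostname_of(url):
    """Return the lowercased host a browser would connect to, or None."""
    url = url.strip()
    if "://" not in url:
        url = "https://" + url  # bare "opsk.in/" as shown in an ad or chat
    try:
        parts = urlsplit(url)
        host = parts.hostname  # drops any "user@" prefix and ":port" suffix
    except ValueError:
        return None
    if parts.scheme != "https" or not host:  # https-only is an assumption
        return None
    return host.rstrip(".")


def is_official_opskins_url(url):
    """True only for an official domain itself or a subdomain of one."""
    host = hostname_of(url)
    if host is None:
        return False
    # Compare whole DNS labels: a plain endswith("opskins.com") would also
    # accept a look-alike such as "example-opskins.com".
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


# Constructed sample inputs (not observed phishing domains).
SAMPLES = [
    "https://opskins.com/",
    "https://sub.opskins.com/",
    "opsk.in/",
    "https://opskins.com.account-login.example/",   # real name used as a prefix
    "https://example-opskins.com/",                 # suffix without the dot
    "https://opskins.com@phish.example/",           # real name in the userinfo part
    "https://opsk\u0456ns.com/",                    # Cyrillic look-alike letter
    "http://opskins.com/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print("OK  " if is_official_opskins_url(sample) else "FAKE", sample)
```

Only the first three samples pass; every look-alike is rejected because the comparison is made on the parsed hostname rather than on the text of the link.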
How you can help OPSkins fight the Steam API Key scam:
Here are the ways you can help us fight this Steam API Key scam and prevent yourself and others from falling victim to it, as well as other less common scams:
- Be extremely vigilant. Bookmark OPSkins.com so that you know you’re visiting the correct website and not a scam site.
- Check for the green OPSKINS GROUP INC. [CA] in your browser address bar to the left of the opskins.com URL. If it’s not there, don’t log in.
- If anyone ever contacts you on Steam or through other means asking you to list your item for sale, they are attempting to scam you. There are no exceptions to this. They are contacting you because they have already targeted you based on your activity on their phishing site.
- If anyone ever contacts you asking you to log in to a website to verify the float value or pattern index on your item before accessing OPSkins, this is a scam. There are no exceptions to this. This is a phishing attempt.
- Report phishing URLs to OPSkins Customer Support so that our fraud team can report them to Google. Please include the following information:
  - Right click phishing link > copy link address
  - The URL of the Google search
  - Screenshot of the scam ad
- Revoke your Steam API key if you think it might have been compromised here.
- If you have no use for the Steam API Key, revoke it immediately here.
- Enable 2 Factor Authentication on your OPSkins and Steam accounts.
- Don’t trust anyone who contacts you claiming to be an OPSkins staff member. No one from OPSkins will ever add you on Steam, and/or ask you to trade an item. Our Customer Support department will only contact you regarding your account through our Support Ticket system.
- Check to make sure you’re trading with an OPSkins bot. When trading with a bot, check your security token and click the bot’s name to open its profile. From there, make sure that the bot is in the “OPSkins Bots” Steam group. The official OPSkins Bots Steam group is named exactly “OPSkins Bots” and has an abbreviation of “op-bots”.
- Do not download any OPSkins browser extensions. OPSkins doesn’t have any official extensions, and so any that you see are most likely intended to scam you out of your items.
- Steam has also created a guide to protect its users against trade scams here: https://support.steampowered.com/kb_article.php?ref=3415-WAFH-6433
Please be advised that OPSkins support staff is available 24/7 to answer any questions that you may have about this Steam API Key scam or other scams. Our support ticket response time averages less than two minutes. We are always here to help you keep your account safe. Please also be advised that OPSkins cannot restore any items or funds that were lost as part of the Steam API Key scam, account hijacking, or other scam. The security of your Steam account and OPSkins account is ultimately your responsibility. If you have any questions, you can always contact us by making a support ticket.