This phish starts out from hijacked Steam account that I am already friends with, creating panic and sense of urgency. Those two are then used to fool the victim into giving personal details without thinking too much about it.

For example in this case the phisher wants to have screenshots. First one being innocent and contains no personal data and then the second one contains Steam username. And they simply use that username to initiate a password reset process.

If you give the code you are being asked it allows them to reset the password instantly.

The text formatting in both Steam and Discord are meant for code, which is why they differ from normal text chat. For Steam anyone can use that by inserting /code in front of the message.

For Discord you have to write your message inside these:

``

How to avoid losing your account to this?

Never ever give these or anything else about your account to someone else, claiming to be support personnel, administrative personnel or an employee.

• Giving your username allows password reset attempts.
• Giving verification codes allows others to use them in your place, which never is recommended or safe even.
• Giving user account details in third party applications or unsafe places isn’t safe at all.

How would a real case with support personnel work?

• You would be contacted via Steam client itself and not chat, or at the very least email if all else fails.
• All further communication would be handled via support portal at https://help.steampowered.com

If by some rare chance you do get contact by via Steam chat then the contact person should have this badge on their profile page.

And volunteer Steam moderators have this badge. Note that they don’t work for Valve/Steam and you shouldn’t be giving any personal information to them directly.