This phish starts out from a profile comment you would like to see containing the phrase +rep.

The link you get if you add the person tries to look like a Steam address using the word Steam in it. And uses HTTPS protocol so web browser will mark it as secure.

But just because a website uses HTTPS protocol it doesn’t mean that it is safe. It simply means that the connection is established using encryption from your machine to the web server where the website is located at.

How to avoid losing your account to this?

Never login anywhere other than https://*.steampowered.com and https://steamcommunity.com using your Steam account.

If a website opens a pop-up style element try altering the address bar or dragging the element outside of your browser window, if you can’t do either then it’s just a website element and not a real pop-up. And that means that it’s not a browser window so the address doesn’t mean anything because it’s not a browser window. They could write anything they want there.

If you want to be extra safe login first on the real https://steamcommunity.com website and then go back to suspicious website. If you aren’t logged in there then you are not on the real Steam website. Like shown on the example picture below.

Omitted from screenshot is that it also shows your current Steam wallet balance in upper right corner and your real username between the display name Sign In button.