Steam Security Info

Securing your Steam account

This phish starts with a comment on a screenshot asking you to add them on Steam.

After you add them, they will give you a made-up story about how you are about to get banned if you don’t act quickly. The pressure to act quickly is meant to lower your defenses: it feels urgent and maybe a little bit scary, and it gives you no time to think twice before acting.

The profile they linked, weemahn, goes to a profile page that showcases the Valve Employee badge.

That cannot be faked on a real profile page, which is where the link forwarded me. The only problem is that the profile page is manually set to display a “friend list full” message to stop Steam users from sending friend requests, and the alternative point of contact given is a Discord user, weemahn#4051, which uses the same display name as the Steam profile.

On Discord they ask you to provide a screenshot of the previous chat that you had on Steam with that “other person”, Whip Hand in this case. They pretend to check the Valve backend for reports and account data to establish some trust. They will now ask you to log out from your Steam client and mobile phone application.

Then they will ask for another screenshot, this time of your recent purchases list, and mention that it should contain your Steam username. Once you provide the screenshot, they will find a linked email address matching that username. Now they will ask for the recovery code you will receive in your email from Valve so they can process a password reset on your Steam account. During this process they have selected the option saying that they cannot access the two-factor authentication codes from Steam Guard in the mobile phone application, which bypasses that security layer.

If you give them the code from the email and aren’t logged in to the Steam client, it’s game over: they have gained access to your account and can lock you out by changing the password and email and adding their own mobile phone to Steam Guard for your account.

How to avoid losing your account to this?

Never ever give any of the following, or anything else about your account, to someone else, even if they claim to be support personnel, administrative personnel or an employee.

  • Giving your username allows password reset attempts.
  • Giving verification codes allows others to use them in your place, which is never recommended, or even safe.
  • Giving user account details in third-party applications or unsafe places isn’t safe at all.

How would a real case with support personnel work?

  • You would be contacted via the Steam client itself and not chat, or at the very least by email if all else fails.
  • All further communication would be handled via the support portal at https://help.steampowered.com

If by some rare chance you do get contacted via Steam chat, then the contact person should have this badge on their profile page.

And volunteer Steam moderators have this badge. Note that they don’t work for Valve/Steam and you shouldn’t be giving any personal information to them directly.