Watch out for the Steam skin "free knife" scam

Have you ever had someone run up to you in the street and insist you take their free knife? I hope not, because that’s a good way to wind up in a 60-minute police procedural drama. In video game land, however, anything goes. A certain type of scam is showing signs of activity at the moment and it’s likely to claim some victims before the week is out.

It involves, wait for it: someone digitally running up to you and insisting you take their free knife.

Free knife? What do you mean?

Many games on Steam make use of skins. These are fancy overlays of in-game items. You may not impress someone with your boring old default knife, or gun, or item of clothing. A rare graphical enhancement which makes said item look incredibly distinctive, however? Now you’re talking.

Skins are most commonly traded in-game. Sometimes they’re sold for virtual or real cash, although depending on the game, using real money may be against the terms of service. A few games have their trading systems deeply embedded into game platforms. For example, Steam has its own marketplace for transactions.

Are skins used in scams?

Oh boy, are they ever. One of the oldest scams around is skin phishing. The phisher will create a fake marketplace, or an imitation of a real game-themed lounge, or even just a fake user’s trading inventory page. Account compromise and/or malware usually follows.

What does this particular scam involve?

It’s a tactic designed to scam people in the fastest way imaginable. What the scammer does can charitably be described as “minimal”. In short, they’ll send a message to potential victims on Steam or on services such as Discord. There are variations in messaging, but the essence remains the same.

“Yo, I don’t know you unfortunately, but this is for you, I do not need that knife [link]”

“I haven’t met you unfortunately (or not lol), but take it, I dont don’t need that skin [link]”

“G’day – I don’t need this bayonet just take it [link]”

Note the similarities between the first and second messages. It’s hard to say whether the messages are typed out manually or automated, but the shared phrasing looks like a typical indicator of a deliberate decision to try this tactic out.
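
The shared traits of the three messages above, expressed as a filter a community moderator could run over incoming messages (an added example, not from the original article; the trait names, patterns, threshold and benign samples are assumptions constructed for illustration):

```python
import re

# Messages quoted in the article; "[link]" is the article's own placeholder.
LURES = [
    "Yo, I don’t know you unfortunately, but this is for you, I do not need that knife [link]",
    "I haven’t met you unfortunately (or not lol), but take it, I dont don’t need that skin [link]",
    "G’day – I don’t need this bayonet just take it [link]",
]
# Constructed benign messages for contrast (not from the article).
BENIGN = [
    "I don't need this knife anymore, want to trade for your gloves?",
    "Patch notes are up: https://example.com/notes",
]

# Recurring traits; names and patterns are assumptions for illustration.
TRAITS = {
    "stranger": re.compile(r"\b(?:don'?t know you|haven'?t met you)\b"),
    "unwanted_item": re.compile(r"\b(?:do not|don'?t) need (?:that|this) \w+"),
    "giveaway": re.compile(r"\b(?:take it|this is for you)\b"),
    "link": re.compile(r"\[link\]|https?://\S+"),
}

def normalise(msg: str) -> str:
    """Lower-case and fold typographic quotes/dashes so the patterns match."""
    return msg.lower().translate(str.maketrans({"’": "'", "‘": "'", "–": "-"}))

def lure_traits(msg: str) -> set:
    """Return the names of the traits present in one message."""
    text = normalise(msg)
    return {name for name, rx in TRAITS.items() if rx.search(text)}

def is_free_item_lure(msg: str) -> bool:
    """Flag a link accompanied by at least two of the other traits."""
    traits = lure_traits(msg)
    return "link" in traits and len(traits - {"link"}) >= 2

if __name__ == "__main__":
    for m in LURES + BENIGN:
        print(is_free_item_lure(m), sorted(lure_traits(m)), m[:40])
```

The third message carries no "I don't know you" opener, which is why the filter keys on a combination of traits rather than on any single phrase.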

Once the account is phished, the victim will have to go through Steam support to try to recover it. Accounts can have an awful lot of money tied to them. There may be thousands of dollars’ worth of titles bound to an account. It may have hundreds of dollars in the user’s Steam wallet. There could be a ton of rare items, gifts, and other content sitting in the user’s Inventory page. Pretty much anything in there is at risk once the scammer gets their claws into the account, and account recovery can be rather stressful at the best of times.

How can I keep my Steam account secure?

Steam has a comprehensive list of security tips for its users. They include everything from phishing tips and general safety advice to account verification and two-factor authentication.

As for the free knives, bayonets, and anything else? Leave the mysterious strangers and their too-good-to-be-true murder objects to the crime dramas and keep that police cordon up around your Steam account.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.