We've put together this guide to help you understand API Keys, how to prevent a scam, and how to proceed if you ever do fall victim to one. We hope it helps!


As you know, CSGORoll practices P2P trades. From time to time (and alongside every other 'trading' site), we receive messages from users explaining that their items were sent to someone else, or that the trade wasn't completed as intended. Luckily, we can quickly spot any issues in trades by exploring our users' API Keys.

Scammers are *always* looking for new ways to take advantage of users. And the most popular method is the infamous API Scam. But, what is it?

The API is a popular development tool employed by multiple websites to assist users with their trades. It's been in effect since the CS:GO 7-days trade ban. Unfortunately, scammers have found sneaky ways to manipulate access and trick users into trading their items. These scammers impersonate profiles using advanced bots. So, to the less-experienced eye, the bots appear to be 'real' accounts. Brace yourselves, here's the tricky bit!


How does the API Scam work?

During a trade, you must complete the following steps:

  1. Send the trade offer
  2. Confirm via your mobile device
  3. Wait for the other party to accept.

The API Scam occurs during Step 2, when users are prompted to confirm the offer. Using access to the API Key, scammers cancel the offer you sent, clone the trading partner's profile (using the same name and profile picture!) and send a counter-offer for your item.

You can only spot the difference if you know what you're looking for! But, if you accept, the damage is already done. We said it was tricky!

Take a look at the images below...

Correct offer: I'm trading with Nootiih, Steam Level 14, registered since 20 January 2018.
Wrong offer: accepting on my mobile, I'm trading with Nootiih, Steam Level 6, registered since 3 January 2021.

Can you spot the difference? Although the information appears the same, it isn't! The Steam profile Level and registration date are different! Voila, you've spotted the scammer. If you want to go even further, take a look at your trading partner's profile to see how it differs from the moment you sent the offer.

Remember to also inspect the authorization window by ensuring the login URL is https://steamcommunity.com/; any link that does not match this URL is likely deceitful and will lead to your API key being accessed by attackers.

Always verify the website address carefully instead of just reading it at a glance, as there are numerous characters that closely resemble the "legitimate" ones and are easy to misread. It's advisable to consistently access Steam through trusted sources such as the official homepage, Wikipedia, or other reputable sources, and then log in.
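A strict version of the address check described above, as an added example (not CSGORoll's or Steam's code). The function name `checkLoginUrl` and the sample addresses are constructed for illustration, and `example.net` is a placeholder domain.

```javascript
// Added example: strict check of a login-window address.
// Sample addresses are constructed; example.net is a placeholder domain.
const EXPECTED_PROTOCOL = "https:";
const EXPECTED_HOST = "steamcommunity.com"; // the login host named in this guide

function checkLoginUrl(address) {
  // Characters outside printable ASCII are lookalike candidates,
  // for example a dotless "i" (U+0131) standing in for a normal "i".
  if (/[^\x20-\x7e]/.test(address)) {
    return { ok: false, reason: "lookalike characters" };
  }
  let url;
  try {
    url = new URL(address);
  } catch {
    return { ok: false, reason: "not a valid URL" };
  }
  if (url.protocol !== EXPECTED_PROTOCOL) {
    return { ok: false, reason: "not https" };
  }
  // Hosts with international characters can be displayed in their encoded
  // form, where a label starts with "xn--"; treat that as a lookalike too.
  if (url.hostname.split(".").some((label) => label.startsWith("xn--"))) {
    return { ok: false, reason: "lookalike characters" };
  }
  // The parser lowercases the host; anything but an exact match fails,
  // including the expected name used as the start of a longer host.
  if (url.hostname !== EXPECTED_HOST) {
    return { ok: false, reason: "different host" };
  }
  return { ok: true, reason: "matches" };
}

// Constructed sample addresses: one good, three that must be rejected.
const SAMPLES = [
  "https://steamcommunity.com/",
  "http://steamcommunity.com/",
  "https://steamcommunity.com.example.net/",
  "https://steamcommun\u0131ty.com/",
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), checkLoginUrl(s).reason);
}
```

The last sample looks identical to the real host in many fonts, which is why the check compares the parsed host exactly rather than trusting how the address looks.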

Another method used for account theft involves malicious browser extensions or software that mimics your browser session. Recently, there has been a surge in counterfeit open-source software, like OBS, containing malware. Be cautious of such threats.


I was scammed, what do I do now?

We're sorry to hear you fell victim to this scam. We know how annoying it is! To stop this from happening again, you *must* take the necessary safety measures to ensure your account is safe.

https://steamcommunity.com/dev/apikey

Refresh your page. If the API Key is gone, they shouldn't have access to it anymore. But for extra safety, you can also do the following:

https://steamcommunity.com/my/tradeoffers/privacy#trade_offer_access_url
  • Change your Steam password and repeat the previous steps. This is the safest option, but your trades will be blocked temporarily after you change your password, following the Steam trade policies.

Deauthorizing all other devices will allow better protection for your Steam account after an API Attack. Here are the steps to follow on the Steam client or directly from their website:

  1. Open the settings -> Security
  2. Select Manage Steam Guard Account Security OR Manage Steam Guard
  3. Click “Deauthorize all other devices”

Now the only person logged into your account is you. Users who have enabled Steam Guard on their Steam Mobile app will be able to see the information about devices that have access to their Steam account.

By implementing these changes, the scammers will no longer have access to your account to generate a new API Key, nor to your trading partner to send a counter-offer.


Important questions about API Scams:

  • Can I spot the scam before it happens?
    Yes! There are a few simple steps you can take to spot a scam. It's best to wait a few moments before accepting the trade on your Steam Authenticator. And make sure you check if your original trade offer was cancelled on Steam. Additionally, inspect the authorization window by ensuring the login URL is https://steamcommunity.com/. Also, pay close attention to your trading partner's profile registration date, name, picture, and level - does it match the original account you sent the offer to? It's better to be safe than sorry, after all!
  • How did the scammer get access to my API Key?
    Usually via phishing websites and third-party browser extensions. You may have opened a notification/message claiming you earned big deposit bonuses, or clicked a Google Ad link that was in fact a fake page. Take care to ensure that you never link your Steam account to a website you're unfamiliar with. Taking a few extra minutes to carry out research is worthwhile, trust us!
  • Can the scammers steal my account with this access?
    No. The API Key will only give scammers access to your activity log. They can view or cancel your trades, but they can't take control of your account or steal your information. However, this does depend on the scam method you fell victim to, so it's really important that you follow the above tips for extra safety!
  • I got scammed on your site, are you responsible for it?
    It is not the fault of the site you were trading on. As we've explained, these scammers would have had access to your Steam account already. So for that reason CSGORoll, or any other similar site, cannot take responsibility for the scam.
  • I've been scammed, can I use the API Key again?
    Yes, as long as you follow the above steps to secure your account before trading again.

We hope this guide helps you keep your account safe! And most importantly, prevent scams before they happen. Make sure you follow the steps as laid out above, and share the guide with your friends to guarantee safe trades for all!