Fivetown is CSGO’s newest scam, and this is how it works

By Nick Johnson


Jan 18, 2021

Reading time: 3 min

A new Counter-Strike: Global Offensive scam is making the rounds on Steam. Here are the signs users need to watch out for.

It’s called “fivetown,” and it’s easy to fall for. A user gets a message from someone on their friends list saying “Hey, vote for my csgo team on fivetown – we just need two more votes.” Clicking on the link presents users with a website which asks them to log in to Steam, showing off a convincing looking log in page. If users don’t log in, they dodge the bullet.

But if they do, they’ll be sending the username and password to their Steam account to a complete stranger. 

Note: If this sounds familiar, Steam suggests that users immediately change their username and password to their Steam account and any connected accounts. After they do that, Steam recommends turning on Steam’s two-factor authentication. Instructions on how to do that can be found in this article or on Steam’s own support page.

How to avoid scams like Fivetown on Steam

It doesn’t seem as though the fivetown scam has reached the US, but people in the Netherlands, Sweden, Denmark, and other countries in Europe have all reported being targeted by the tactic. At the time of this publication, the site that scammers have been linking to has been taken offline. That said, there is still a lot for players to learn from the scam that was a hot topic in CSGO circles over the past two days.

As CSGO has become more popular, scammers have become more numerous. And while the messages on profiles and the “add me” comment spam can be annoying, it’s much less annoying than being hacked. fivetown isn’t the first CSGO scam, and it definitely won’t be the last, so users should take note of what it looked like and how they can avoid it in the future.

Blog post image

Step 1. Turn on two-factor authentication. 

This is by far the easiest way to avoid trouble. The process is simple, it’s run by Valve, and it only requires a mobile phone number. If players don’t have that, there is a less-secure email authentication option as well. It works by requiring players to enter a code every time they log in. That code is only sent to players once they enter their username and password, and it’s randomly generated every time. Steam Guard is a failsafe, and instructions on how to set it up can be found here.

Step 2: Don’t click the link

Links on Steam can be dangerous. Valve’s popular game client even gives users warnings whenever they click a link that will take them away from the Steam client or the online site. This is because it’s very easy to create a site that looks just like Steam’s login page. Luckily, there is an easy way to make sure that the site players are logging in to is actually the real Steam.

Steam will always show a “valid certificate” when users click on the lock button next to the website url.

Blog post image

Clicking on the “certificate” button itself will bring up more information. If any of this seem even a little suspicious, players can just close the window. Scammers most likely won’t be downloading anything to a user’s machine, so the greatest defense against scammers is to never enter a username and password into a website that they’re unsure about.

It’s important to remember that even if a user’s Steam account doesn’t have expensive skins or hundreds of games, it can still be targeted by scammers. While the end goal is always money, one compromised Steam account can be the gateway to hundreds of others through Steam’s friends lists. It’s much easier to convince someone to enter their login information if players think that the scammer is a trusted friend.

Remember, scammers have to ask for the information and players have to give it to them. The best way to avoid any type of scam on Steam is remembering that if it sounds too good to be true, it probably is.