By REBECCA RUTHERFORD
Los Alamos
For the Los Alamos Daily Post

Ding! You get a Discord message from someone you know. Maybe it’s a gaming buddy, maybe it’s someone from a community server you both hang out in. The message is friendly, casual, and comes with a link or QR code promising a free $50 Steam gift card. Sounds like a nice surprise, and in this economy we can all use an extra $50, right? That’s a big ol’ nope from me.

This scam has been circulating on Discord for a while now, but security researchers are flagging it with new urgency in 2025 because the tactics have grown more sophisticated and the damage goes well beyond a lost gift card code. The fake link is designed to look like a legitimate Steam Community URL or QR code, but a subtle error in the address, such as an extra space or a misspelled domain (think stveam, steem, etc.) redirects victims to a phishing site that copies Steam’s design almost perfectly.  If you’re clicking quickly and trusting the source, it is easy to miss.

Steam gift card. Courtesy photo

Here’s the part that makes this especially tricky: the person who sent you that link probably has no idea they sent it. Hijacked Discord accounts distribute these links while the real account owner continues using their account normally, completely unaware their profile is being used to spread a scam.  The message isn’t from a stranger, it’s from someone you trust, which is the whole point.

The threat doesn’t stop at stolen Steam credentials, either. Security researchers note there is a high probability that phishing sites connected to these scams will also attempt to install malware, trojans, ransomware, or keyloggers onto your system.  Clicking the link is where the real damage begins. Meanwhile, a mid-2025 campaign uncovered by security researchers found that attackers have been combining these phishing techniques with multi-stage malware loaders and tools capable of stealing crypto wallet credentials and browser cookies.  What starts as a fake gift card offer can end with a lot more than your Steam library at risk.

What can happen if you click the link? Malware could quietly copy valuable information off your device and send it back to criminals. We’re talking saved passwords, browser cookies (which can keep you logged into your accounts), autofill data, cryptocurrency wallet details, sensitive files, and system information. Depending on what’s stored on the infected device, the consequences can range from financial damage to identity theft. Yikes!

The broader pattern here is worth understanding. Discord has become a primary distribution channel for phishing attacks because scammers take advantage of the platform’s casual tone, large gaming communities, and easy direct messaging.  The environment feels informal and friendly, which works in the attacker’s favor. Younger and newer users tend to be especially vulnerable, but active Discord participants of any experience level are at higher risk simply because they encounter more messages. 

What you can do right now:

• If a Discord friend sends you a link to claim anything free, especially a gift card, reach out to them through a different channel before clicking. A quick text, call or a different app message takes ten seconds and can save you a serious headache.
• Always hover over links before clicking to check the actual destination URL; shortened links like is.gd or u.to are a particular red flag because they obscure where you’re actually going.
• If a friend’s account appears to have been compromised, report it to Discord directly through their support portal, and let your mutual contacts know to be cautious.
• Enable two-factor authentication on both your Discord and Steam accounts if you haven’t already. And if you clicked something and now you’re not sure, change your passwords immediately and run a malware scan.

Don’t use Discord? Surprise, your kids probably do. Sit down and talk to them about this scam, unless you want your home network to possibly be compromised. Interested in a cyber awareness talk for your school? Let me know! Happy to come out and talk about cyber awareness with kids.

Steam will never DM you a free gift card. Neither will your friend, unless they tell you about it first through some other way. When in doubt, don’t click, and save yourself some headaches and time.

Editor’s note: Rebecca Rutherford works in information technology at Los Alamos National Laboratory.