Some time ago, I posted this Twitter thread about how to detect fake Steam key requests for game developers:

https://twitter.com/mrhelmut/status/1521829408209788929

Following this thread, I read mixed reactions. Developers, publishers and PR agencies welcomed it, while reviewers raised concerns about the technique, fearing being filtered out as scams (which happens: some occurrences in the gif are false positives).

I thought about providing more context and more in-depth explanations about what the reality is for developers and PR agencies, and how everybody can improve on that.

The reality of scams

Whenever a game comes out (or when it gets visibility slots on Steam, like a sale), its developers will get a huge wave of key requests from press, curators, streamers, and the like. Which is great! Or is it?

The reality is that more than 95% of them are scam attempts (based on my own manual verifications and contacting scammers). They often come from people trying to make a profit by reselling the keys on gray markets such as G2A or Kinguin, but they also come from people who have a compulsive need to collect all the games on Steam. While the latter is mostly harmless, the former contributes to the precarity of developers, because keys sold on gray markets (besides not giving any cut to the developers and selling games without distribution authorization) are usually sold much cheaper than on Steam, which means fewer sales and contributes to the ever lower price trends of other legitimate stores. It also means that those missed sales will not help trigger the Steam algorithm to snowball a release (which today is essential).

A few years ago, when the scams started to be a concern within the game industry, the general trend was to not care about it, and most developers simply fulfilled all the requests to be able to count on the legitimate 5% and avoid spending an incredible amount of time on verifying the identity of senders one by one. But nowadays, it is much more sensitive. Sending a few hundred keys to scammers will harm a release due to the dynamic between gray markets and the need to trigger the Steam algorithm.

So yes, we need to filter those out, and yes, this is penalizing some legitimate requests from reviewers who use the same channels as scammers to contact developers.

But there is a general misconception about the role of Steam in this...

How do we get this wrong?

I explained in my Twitter thread that the main vector of scamming attempts is the support page that Steam generates for each game.

https://twitter.com/mrhelmut/status/1521830100156698624

And this is where everyone is getting things wrong.

On one hand, developers tend to put a random e-mail address here because they don’t expect to get contacted from here (and that’s right, we very rarely get support requests from there). Most often, they use their main contact address, which means that they can’t identify where people got this address from and often believe that it comes from their presskit (strengthening the perceived legitimacy of the requests).

On the other hand, reviewers are using the Steam support site to reach developers with requests. But this means that reviewers purposefully cheat the support form in order to get there (or sometimes just use a browser extension that makes this address easy to find, hiding from them the fact that this address is meant for support and that the extension bypassed the intended boundary).

The thing is, Steam makes it very clear, for both the developers and the reviewers, that the address that you put on Steam is solely meant for player support, not for contact/press relationships.

The proposed solution was to use a dedicated e-mail address to put on Steam (something like [email protected]) and keep the all-purpose contact address for presskits and dedicated websites. Voilà.

In the end, it’s all about respecting boundaries and not being intrusive (and considering any intrusiveness as suspicious).
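
With a dedicated Steam-only address in place, incoming mail can be routed by the channel it arrived through. The sketch below is an added example, not code from the original thread or from any Steam tooling; the address, the keyword pattern and the labels are assumptions, and the sample messages are constructed.

```python
import re
from email import message_from_string, policy
from email.utils import getaddresses

# Assumed, constructed address: published only on the Steam support page.
# The all-purpose contact address stays in the presskit and on the website.
STEAM_SUPPORT_ADDR = "steam-support@studio.example"

# Hypothetical wording heuristic for key requests; tune it on your own inbox.
KEY_REQUEST_RE = re.compile(
    r"\b(steam\s+keys?|review\s+(keys?|cop(y|ies))|keys?\s+for\s+\w+|curator)\b",
    re.IGNORECASE)

def recipients(msg):
    """Every address the message was addressed or delivered to, lowercased."""
    values = []
    for name in ("Delivered-To", "X-Original-To", "To", "Cc"):
        values.extend(str(v) for v in msg.get_all(name, []))
    return {addr.lower() for _, addr in getaddresses(values) if addr}

def triage(raw):
    """Route one raw RFC 5322 message by the channel it arrived through."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = f"{msg['Subject'] or ''}\n{body.get_content() if body else ''}"
    is_key_request = bool(KEY_REQUEST_RE.search(text))
    if STEAM_SUPPORT_ADDR in recipients(msg):
        # The sender can only have found this address on the support page.
        return "suspicious_key_request" if is_key_request else "player_support"
    # Arriving via the presskit address is not proof of legitimacy.
    return "verify_sender" if is_key_request else "general_contact"

# Constructed sample messages (not real mail).
SAMPLES = {
    "curator": "From: a@mail.example\nTo: Steam-Support@studio.example\n"
               "Subject: Curator request\n\nPlease send 3 Steam keys for our group.\n",
    "crash": "From: b@mail.example\nTo: steam-support@studio.example\n"
             "Subject: Crash on launch\n\nThe game closes right after the logo.\n",
    "press": "From: c@outlet.example\nTo: press@studio.example\n"
             "Subject: Coverage\n\nCould I get a review key for an article?\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", triage(raw))
```

The keyword pattern will also catch a player writing about a purchased key that fails to activate, so the `suspicious_key_request` label is better used to queue a message for a second look than to delete it.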