Never ever click on any links whatsoever, including any "sign in via your Steam account" links or images.
That's the one rule that people who fell for phishing scams forgot to follow for whatever reason (lack of proper knowledge, too much trust in Steam friends, absent mindedness). Be smarter.

Remember this: Any link that takes you outside of Steam = possible scam.

It doesn't matter who sent them, a trusted friend or a new one.
It doesn't matter what the link is for.

Here's some possible scenarios that scammers will throw at you and how to deal with each:

• free games?
  No, thanks. Lots of those on Steam
  
• free s k i n s?
  No, thanks. Just send me the code and I'll redeem it ingame later.
  
• free market items?
  LOL because people who cannot even afford to pay and play paid games are now giving away their valuable items for free! Makes total sense! /s
  
• a chance to win a trip to Mars?
  I'm quite comfy here on Earth, thanks.
  
• help me vote for my logo/drawing/whatever?
  If you have enough talent and your logo/drawing/whatever is good enough, people will vote for it anyway without you sending shady links.

Just because someone is on our Friends' List does NOT mean they are our friend.
 - Volcanic, July 2023

Even people you've trusted and talked to for years on Steam might've recently lost access to their account, and now the person talking to you is NOT them. 

The only way to stay safe and not fall for any phishing scams on Steam is to refuse to click on any links sent to you via chat or basically anywhere on Steam, whether it's the discussion forums, group ones or in the game hubs.

This goes double for chats whose sole purpose is to ask you to vote for this or that. Flat out say No.

I'm providing an example of a real scam attempt I personally experienced very recently. For the record, this conversation took place on July 24, 2023.



As soon as the scammer read my last sentence, they immediately removed me from their FL.
That is a 100% red flag that whoever is talking to you isn't the real, legitimate owner of the account and actually a scammer.

***Edit on August 4: Because the image contained the name of the hacked account / scammer, people reported it, resulting in Steam taking down the whole guide!
It took between 9 and 12 hours and a lot of back and forth with Steam Support till I managed to convince them to restore this guide. Phew!
I will reupload a modified one later, hiding the name to avoid triggering Steam's ban policy.
This will be sorted within a day or so.
++Done++ ***

If you feel confident, 

1. Reply with "Sure, where's the link?" 
   
   to the infamous question
   " aight just wanna ask maybe you can vote for my work in the logo contest? "
   
   The purpose of you saying a fake Sure is to get the scammer to send their shady link in chat as proof against them - WITHOUT you clicking on it.
   
   
2. Immediately take a screenshot of this phishing scam 
   
   
3. Block this person 
   
   Right-click on the person's name in chat >
   Choose Manage >
   Choose Block all communication
   
   
   
4. Upload your screenshot 
   
   
   • You can use Steam Artwork from your profile actually to upload it to stay 100% safe and within the Steam ecosystem.
     
   • You don't need an account on a different website. If for whatever reason you don't want to use Steam Artwork, just pick an image website you're familiar and/or comfortable with and upload the screenshot there. Copy the link to use later.
     
   • There are a lot of famous, trusted websites that allow you to upload an image for free and, more importantly, without you needing to create an account there.
   
   
   
5. Report the scammer's account, providing as proof the screenshot you just took and uploaded. Here's how:
   
   a) Go to the compromised account
   The fastest way is to right-click on their name in chat and choose View profile.
   
   
   b) Click on the drop-down menu on the right and choose
   Report player >
   Notice how even if the account is completely set to private, Steam still allows you to report it as shown above.
   
   Choose
   They are involved in theft, scamming, fraud or other malicious activity
   
   
   Choose
   They are trying to steal my account or information
   
   
   
   Choose
   Submit this account for review
   
   
   
   In the box that pops up, provide as many relevant details as possible.
   Remember to paste the link to the screenshot you took.
   Hit Submit Report.
   
   
   
   For what it's worth, mass reports get things going faster.
   
   Disclaimer: Use this only if you were personally approached by a scammer in chat or elsewhere on Steam. Do NOT report people based on false accusations.

Some accounts that have been compromised come back less than 48 hours later, claiming that the malicious party has been booted and the account is now clean.

Now this is something you need to verify before you trust that account again. I strongly suggest implementing a verification procedure to be conducted each time an account is compromised and then claims a few days later "Hey, it's me!"

Think about it. 
Initially there was only a single account that was taken from its owner.

Because we as a group failed to react to that and didn't verify that it's been truly returned to its legitimate owner, the hacker used that account -- with the once-trusted group stamp on it -- to beguile others from the group to
a) send them a friend request - that they accepted.
b) ask the unsuspecting users to click on shady links - which unfortunately they did.

Till this day, we do NOT know for sure whether a certain account that was initially stolen from a group member -which I won't name out loud- has been truly returned to its original owner.

So I suggest people who have been friends with the owner of a compromised account to find their own ways to confirm that yes, indeed, the account is now back with its owner and it's safe to interact with them again.

A general-purpose verification procedure would be counter-productive so I won't list steps.
If you announce yours in public, the scammers will just have open access to your playbook and come up with counter-measures.

For all we know, this is being read by at least one scammer via a compromised account if not more. 
________________________________________________________________

Note that in Step 3 of the previous section "Fight back", the person will still be on your Friends List, but they will lose the ability to communicate with you unless you allow them.

Why not remove them immediately?
Well, I block them to immediately cut off any communication; thus neutralizing any potential threat to my account's safety.
I wait a few days to see if the account is restored to its owner. However, this is very difficult to confirm for Steam users who have people on their list that aren't real-life friends. So within a few days, I end up removing this compromised account from my Friends List all together in addition to already having them blocked.

In all 3 out of 3 times that I've witnessed an account get taken, I've not been able to confirm that it's been returned to its original owner later.
Each time it was an acquaintance that was added to my Friends List from a shared group, i.e. not someone I know personally and can contact via other means of communication to make sure it's them. So blocking and removal from the Friends List is what they get and the safest course of action if you receive these scam messages, even from a 'friend'.

This extensive article from Steam support has essential steps for you to take to ensure that your account remains secure.
https://steamhost.cn/help_steampowered_com/en/faqs/view/6639-EB3C-EC79-FF60

I strongly recommend you go through each and every step so that your account remains yours.

Because this is absolutely vital, I am copying verbatim Steam's official recommendations below regarding two of the most important things you need to do.

Steam Guard is an additional level of security that can be applied to your Steam account. When Steam Guard is enabled on your account, anyone attempting to login to your Steam account from an unrecognized computer must provide additional authorization. A special access code will be sent to your contact email address, and this code must be entered into Steam before your login is complete. Steam Guard security is also available through the Steam app on your smartphone, by using the Steam Guard Mobile Authenticator.

Steam Guard: How to set up a Steam Guard Mobile Authenticator



Verifying your email address with Steam improves the security of your Steam account. Once you've verified your email address with Steam, both your Steam Account password and access to your email account are required in order to make any changes to your Steam Account credentials, such as your password and contact email address. This helps further protect your Steam Account from being stolen.

How to verify your contact email address with Steam.

Here are some extra steps you can take to minimize your exposure to phishing links and scammers:

1. Set the privacy of your inventory to Friend's Only or Private.
   
   
   • Scammers don't care about your games, simply because they cannot sell them.
     
   • What they are after are your Inventory items, to sell them and then turn that Steam credit into real-life money through different websites.
     
   • A scammer / online thief cannot target what they cannot see.
     
   • Hiding your inventory items from public view makes you less of a target.
   
   
   
2. Make commenting on your Steam profile wall available for Friends only.
   
   
   • That way, anyone who wishes to contact you must send you a Friend Request first.
     
   • When they do, that will be your chance to vet this person. If you feel the slightest bit uneasy about their profile for whatever reason, Ignore their request.
     
   • If they keep sending more FRs, simply block them. No more headaches.
   
   
   
3. Be very careful when dealing with low-level profiles (level 2, 3, 4, 5, up to 10 even)
   
   Why? Because anyone can create a new account for themselves on Steam and
   start playing a free-to-play game (like CSGO),
   spend $5 in the store to make their account not limited
   and sell the items they win ingame on the Market to generate Steam wallet credit,
   with which they buy more games, profile items and make their profile 'look legit'.
   
   These are usually called alt (alternative) accounts, and it seems that a Steam user can have virtually an unlimited number of alt accounts.
   The problem here isn't the extra accounts; it's that some people use their alt accounts to do what they wouldn't dare with their main account. This ranges from being annoying in discussion forums to outright trolling and the big one: scamming other Steam users, all hidden behind the mask of an alt account.
   
   The telltale signs of an alt account are
   1. a very low Steam profile level
   
   2. one or two F2P games (like CSGO, TF2, DOTA 2) that they have either hundreds or thousands of hours in.
   
   
   3. only a few other games owned, mostly that were given for free at some point (like ARK, Little Nightmares, Metro Last Light).
   
   4. very little activity on any game other than the F2P ones.
   
   5. only one or two Perfect Games, which usually take less than one hour to complete and belong to the VN or walking simulator genres (aka minimal effort).
   
   Edit on August 18 to add this point and screenshots from an alt account/cheater who sent me a friend request:
   
   6. lots of Perfect Games but with very little played time, which is proof that they used a cheat program / an achievement unlocker. There's no way someone can get all these achievements in this little amount of time. See this:
   
   
   They do that to appear as a legitimate profile, while in reality the games they actually play are the F2P ones, like CSGO. See point 2 above.
   
   
   When you get a FR from a profile like this^, you know what to do.

[Edited on July 19, 2024, to fix a typo.]

So, what if this actually happens to you?

What if you cannot access your Steam account because your login credentials suddenly don't work anymore?

You go to this official Steam Support article and follow the listed steps to recover your account.

https://steamhost.cn/help_steampowered_com/en/faqs/view/0A94-F308-34A5-1988

I strongly recommend you bookmark this^ Steam page in case you need it later.

There's no need to worry though because here's the good news:

Originally posted by Steam Support:

You can always contact Steam Support for account recovery even if someone has changed the account's email address, password, and phone number.

Source? The Steam Support article above!

The only thing you do actually need to worry about and prepare is Providing Proof of Ownership.
The following Steam Support article covers this extensively as well: https://steamhost.cn/help_steampowered_com/en/faqs/view/40A0-8B4B-B54B-C51A
~~~

Stay safe and prosper!