Reviewing the Reviewers: Separating Genuine Key Requests from Scammers
A guest article by Yassar Lutfan
If you’re a game developer and your game has seen some success, first of all, congratulations! In this day and age that’s something many games crave; they’re usually releasing into the void, never to be played. However, as your player base expands you may notice your business email gradually filling with requests for review keys. This isn’t a bad thing, but unfortunately the internet isn’t a nice place. Oftentimes, these key requests will come from scammers, who will sell your review keys on gray markets.
If you’re here, you’re probably wondering how to weed out genuine reviewers with interest in your game from people who want to abuse the system. I won’t waste any more of your time; here are the CliffsNotes.
Section 1: Checking Legitimacy
This might sound obvious, but it’s an important step to take. I’ll separate common tactics based on the way the reviewer reached out to you.
E-mail
An extremely common form of contact, usually the default method. Here’s a comprehensive set of steps to make sure you stay safe. (Most of these are general internet safety tips. Use these even when you’re not working!)
Things to keep in mind before searching through e-mails.
Be wary: Until you can trust that the e-mail comes from a legitimate source, DO NOT CLICK ANY LINKS, DO NOT DOWNLOAD ANY ATTACHMENTS, AND DO NOT REPLY TO THAT E-MAIL. Links could lead to phishing websites, attachments could contain viruses/malware, and replying might put you on a list of people receptive to spam email.
Be alert: If you’ve spent the entire day working, or are drained, I would advise waiting to respond to e-mails until you’ve had some rest and are more alert. Genuine reviewers can wait on keys for a while, so there’s no need to respond immediately.
Now that you’re ready to start, first we need to establish trust.
Verify that the reviewer exists: Look up the username or channel name of the reviewer. If it actually exists, you can move on. For this step only, it’s also fine if the reviewer doesn’t show up in search results, but that’s a red flag.
Verify that the reviewer is still active: Look at the reviewer’s recent activity. If they haven’t posted in an unusually long time (compared to their previous content), it’s more than likely that the e-mailer is impersonating the reviewer. If this is the case, do not respond to the e-mail.
Verify that the e-mail address is legitimate: Use a string comparison tool like text-compare to verify the address. Compare it to the e-mail address associated with the reviewer. Generally, reviewers will have their contact e-mail available on their review page/channel. DO NOT SIMPLY COMPARE THE ADDRESSES BY HAND, USE A TOOL. Nowadays, there’s a phishing attack where someone can impersonate a web domain using identical-looking characters. This is called an IDN homograph attack. Don’t believe me? Try comparing the following two e-mails.
test@example.com
test@exаmple.com
Verify that the e-mail isn’t trying to fleece you: If the reviewer is asking for multiple keys for multiple reviewers, just refuse. Most (if not all) reviewer/curator groups will need at most one key because they have a shared review account. That’s the standard industry practice. (However, if they’re asking for keys to do a giveaway instead, or if the account is one that you personally trust after doing all these steps, then feel free to agree at your own discretion.)
Once you have completed the above steps, you have established trust that the e-mail comes from a legitimate source. You can now move on to Section 2.
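For the address-verification step above, here is an added example (not part of the original article) of what a comparison tool does under the hood: it compares the sender with the reviewer's published address code point by code point, names any character that differs, and shows the punycode form the domain takes in DNS. The function names and the sample pair are constructed here to mirror the two addresses above; the script check is a heuristic based on Unicode character names.

```python
import unicodedata

def scripts(label: str) -> set:
    """Approximate the scripts used in a string from Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def describe(ch: str) -> str:
    """Render a character as its code point plus its Unicode name."""
    return f"U+{ord(ch):04X} {unicodedata.name(ch, '?')}"

def check_sender(sender: str, published: str) -> dict:
    """Compare a sender address with the one published on the reviewer's page."""
    # NFKC folds compatibility forms (e.g. fullwidth letters); casefold ignores case.
    s = unicodedata.normalize("NFKC", sender.strip()).casefold()
    p = unicodedata.normalize("NFKC", published.strip()).casefold()
    domain = s.rpartition("@")[2]
    # Positions where the two addresses differ, with human-readable names.
    diffs = [(i, describe(a), describe(b))
             for i, (a, b) in enumerate(zip(s, p)) if a != b]
    try:
        wire = domain.encode("idna").decode("ascii")  # form actually used in DNS
    except UnicodeError:
        wire = None  # not encodable as a hostname at all
    return {
        "match": s == p,  # also catches a length difference that zip() truncates
        "differences": diffs,
        "non_ascii": [f"U+{ord(c):04X}" for c in s if ord(c) > 127],
        "mixed_script_domain": len(scripts(domain)) > 1,
        "domain_on_the_wire": wire,
    }

# Constructed sample pair: the second address swaps Latin "a" for Cyrillic U+0430,
# written as an escape so the substitution is visible in the source.
PUBLISHED = "test@example.com"
LOOKALIKE = "test@ex\u0430mple.com"

if __name__ == "__main__":
    for key, value in check_sender(LOOKALIKE, PUBLISHED).items():
        print(f"{key}: {value}")
```

Any entry in `non_ascii`, or a domain that turns into an `xn--` name, is reason to treat the sender as unverified even when the two addresses look the same on screen.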
Message on SNS
Sometimes, reviewers might reach out using Private Messages or @mentions on SNS! Take the following steps to ensure you’re talking to the right person.
Verify expected popularity from associated media: Does the reviewer have a YouTube channel? A blog? Or some other SNS? Try and investigate, looking for related media. Get a grasp of the reviewer’s general popularity and compare it to the account. If it seems unreasonably low given the reviewer’s viewership, there’s a possibility that it’s an impersonation. Proceed with caution.
Verify expected activity from associated media: Viewbotting is a thing. Please be careful that the account actually attracts interest and is not simply buying views. The signs of this are listed below. If the account is unexpectedly silent given its view count, that’s a red flag.
Unusually high number of likes and followers with zero comments
If there are comments, they are from suspicious-looking accounts, e.g. accounts that look like they are from Bangladesh, Russia, Italy, places where English would not be the common language
Verify associated media links back to this account: Self-explanatory. While you’re looking at the reviewer’s other channels, check if they link back to this account. They should. If they don’t, that’s a red flag.
Verify that the reviewer is still active: While you’re checking the above, also take a mental note of the reviewer’s activity. If they haven’t released new content in a while, it may be an impersonation. (Or their account got hacked.)
Once you have completed the above steps, you have established trust that the message comes from a legitimate source. You can now move on to Section 2.
Steam Curator Connect
Did you know Steam has a trusted method to contact Steam Curators directly? If you didn’t, I’ll point out that for trusted Steam Curators, it’s worth using. This is one of the few surefire methods that guarantees no scams or spam. If a Steam Curator reaches out to you, and you trust their content, respond back using Curator Connect!
You can find more details here: Steam Curators Documentation.
Section 2: Checking Quality
Now that you know you’re talking to the right person, it’s time to ask if giving a key away is worth it. One minute of diligence can improve your relationship with reviewers, so pay attention!
Verify the reviewer actually does any sort of reviews: Have a look at the image below. I’m sure you understand why I point this out.
If you look and see this with no further info, review content, etc., just don’t.
Read a review!: If you managed to make it to this point, it’s very likely that the reviewer is genuinely interested in your game. Now, it’s up to you! Do you like their style? Do you think you want more eyes on the game? If so, send them a key!
I know it sounds like a lot of work, but with experience and practice, these precautions won’t take up too much of your time while simultaneously making you just a bit safer on the internet. If that’s what you’re here for, feel free to tune out now. Thanks for reading, and good luck with game development!
But for the rest of you, here’s some further reading.
Bonus: Why should I care?
Let’s sidestep the obvious answer: Because that’s one less game sale.
Beyond that, there are other much more important reasons that you should try your best to safeguard yourself against these kinds of contacts.
Firstly, if you fall for one, it’s likely that the impersonatee/spammer is connected with a group of other malicious users. Expect to receive several contacts that also lead to the same result, leading to wasted time on your part. The more of these contacts you fall for, the more sales are removed from your pocket.
Secondly, these keys will end up on gray market websites. I won’t name any here, but I’m sure with just a bit of sleuthing, you’ll find what I mean. These websites aren’t like other key sale sites like Fanatical or Green Man Gaming - these keys are usually stolen from the developers, or snatched from spam contacts like the ones we just discussed. Sales on these markets won’t return any of the profits to you, or your associated publisher (if any). Please take care that you don’t end up like the unfortunate souls there.
Thank you to Yassar Lutfan for contributing this article.