Pretty easier solution, add steam authentication on your phone and make sure your email password is not the same as the steams password and uh, make a pin code?
you still didn't understand, if they have bot, that is made with brain, it's almost impossible to know, unless you check the site address and the code requester country. let me explain how it happens.
1.You put your credentials and press log-in button on the fake site
2.Bot tries to log-in with these credentials to real STEAM site
3.the 2 step triggers STEAM to send code, and the bot can detect if you are using phone or email verification
4.Site displays verification process, that depends how your account is protected by phone or email like I said.
5.Now you send your verification code to the site.
6.Bot log-ins to your account.
And that's why a PIN code on everything does exist