Well, phishing is ok, but if the acct gets reported it can typically be reversed back to the owner within a few days. Sometimes you get lucky and the kid can't do it or doesn't know what to do, so it may take longer or eventually get disabled.
One method is adding a bunch of users from different servers, and using a BS steam looking name, and request user/pass from some automated system.
A method I used for awhile that was decently effective (Only because I didn't do it much) was to give them a link using a real name saying I was a rep from steam and that they needed to verify acct info at a website.