@linuswillner
Created July 18, 2020 14:12
Public service announcement from The Coding Den staff regarding Upwork account sharing scams on Discord

Recently, we, members of staff in The Coding Den, have seen an upsurge in scamming attempts surrounding the freelancing platform Upwork. We want to issue this public service announcement with the intent of reaching as many people as possible, in order to help people stay safe and safeguard them from potentially losing access to their accounts, or worse, becoming victims of identity theft.

The scammers seem to mainly be targeting programming communities in our experience, but we are not ruling out the possibility that they are targeting other types of communities too. This public service announcement represents what we have seen, and accordingly may use technical terminology for exemplification that may be beyond the comprehension of certain audiences. However, the general theme of the scams should be easy to digest regardless, and this announcement has been written with that in mind.

We have observed malicious actors attempting to trap community members in what superficially appears to be account sharing, offering a commission fee for all the money they make through the account one would give them access to.

Upwork prohibits account sharing, which already makes participating in or abetting this kind of behaviour illegal per the platform’s terms of service (and, in the case of our community, against community rules). However, there are further dangers in allowing third-party access to your account. For example:

  • There are no guarantees that the scammer will not simply take over your account and repurpose it for their own use, with or without attributing it to themselves.
  • If the latter of the above-mentioned outcomes comes to be, the scammer is able to commit identity theft and potentially further scam people in your name, leading to potential legal repercussions against yourself if a fraud victim gets the authorities involved.
  • Furthermore, there are no guarantees that the scammer will give you any money, or that the amount of money they give is in fact the claimed share of the income.

Fortunately, the patterns employed by these scammers are often predictable. Below is a fictional conversation between the victim (V) and the scammer (S). While fictional, this conversation has been sampled based on real occurrences of this scam. There are also notes attached in greyed-out font above each line. Words in [brackets] are placeholders, indicating a commonly occurring element that is too variable to absolutely lock down as a common thread.

# Initially benign introduction. In our experience, most scammers tend to ease their way into the conversation before they start deploying the payload of the scam. Exceptions may apply.
S: Hello, how are you?
V: Hi, I'm very well, thanks for asking. What about you?
# Scammer introduces themselves, under a potential fake moniker or none at all. In our investigation, we have noted scammers claiming to be from China, although other countries including Canada have been spotted too. In the case where the scammer claims to come from China, the messages are usually written in somewhat poor English. This aspect will not be reflected here in the interest of preserving legibility, despite it being a sign to look out for.
S: Quite alright. This is [name], I'm from [country].
V: Ah, I see.
# Usually small talk at this point. Side note: Scammers tend to ask what programming languages and frameworks the victim knows, but are not actually interested in what the victim answers to their questions. Thus, even when given completely nonsensical replies, they will simply express vague non-committal agreement.
S: What programming languages do you know?
V: I mostly work with HTML/CSS/JavaScript, but I have also used Go.
S: Great, what frameworks have you used?
V: React and Vue for the most part.
# As mentioned above, one could give completely nonsensical answers like QBasic on Rails and Contiki here, but the scammer would still react with the same non-committal positive reinforcement.
S: Cool!
# Payload deployment begins.
S: Do you know Upwork?
V: Heard of it, it's a freelancing site, right?
# Scammer deploys an emotionally appealing excuse in order to get the victim hooked. The excuse used here is by no means common, but fulfills the mentioned criteria.
S: Yeah. I was a top rated developer there, but I got banned.
V: Oh, why?
S: My client asked to work outside of Upwork because of a payment dispute. Upwork detected this and blocked both our accounts.
V: I see...
S: Sadly, Upwork disallows duplicate accounts, so now there is no way for me to create a new account there.
# Side note: Attempting to steer the conversation in a different direction at this point seems to usually fail. Scammers seem to be so intent on getting the victim hooked on the scam that they are willing to make a stiff and awkward jolt in the conversation to prevent the discussion from steering away from the direction they want it to go.
S: It would be great if you could help me continue my work there. If you let me use your Upwork account, you will receive [commission]% of the income I make with it. By sharing the account, I can also help you become a top rated developer there.
# Attempting to politely decline the offer here tends to lead the scammer to keep pushing the scam onto the victim or others.
V: Thanks for the offer, but that is not how the system is supposed to work. I cannot let you use my account in my name.
S: Oh, the system can totally work like this. You get to manage the account, we would just be cooperating, and you still own the account.
S: If you don't want to share, you could always redirect me to someone who would. Do you know anyone?

The scammer may continue deploying further reassurances after this point even if contested. At this stage, the correct course of action is to disengage from the conversation, take a screen capture and note down the message link of the message where the scammer asked to share accounts. When you have gathered the evidence, contact staff in servers you share with the scammer, if any, and present this evidence to them to get the scammer removed from said communities. Additionally, you should report the scammer to Discord Trust & Safety via the Submit a request form under the Scams, fraud, or illegal sales category.

Stay safe out there!

Regards, The Coding Den staff

nnnolan commented Oct 24, 2022

Still relevant today, just got an email like this. Thanks for this!
