Beware of this new Scam?


xshay99

It seems like there's a new scam-bot going around. I did scan the QR code, and after that it asks you to verify your bank details; I didn't do that, obviously. So please be cautious, especially as a new seller.

IMG_4119.PNG

IMG_4118.PNG

  • Like 17
  • Sad 4
  • Up 3
  • Thanks 2
Link to comment
Share on other sites

  • 2 weeks later...
Guest kubracorl

Fiverr Security Breach

 

Hello,

I'd like to share an unfortunate incident that happened to me as a new freelancer on Fiverr.

Right after completing my Fiverr registration, I received a "Welcome" message from a user named "Fiverr Support @ techbot01353" (message details below). The user claimed to be from Fiverr and asked me to perform certain actions for security verification. When I followed their instructions, all the money in my bank account was withdrawn.

While these amounts may seem small to people living abroad, the exchange rate in Turkey is very high, and to put it in perspective, it's like losing $9,000 from your account. As you can understand, I'm now left without any money.

I informed Fiverr's support team about the situation and am waiting for their assistance. This is clearly a security breach on their part, and they didn't even warn me about such scams. To be honest, I'm considering filing a complaint if the Fiverr team doesn't compensate for my loss. It's not our responsibility to find solutions against spam messages, it's theirs.

 

fiv.jpg

Link to comment
Share on other sites

It's a security problem if Fiverr allow any Fiverr users to call themselves "Fiverr Support" in their display name. Maybe that's a new problem that only happened because they quite recently added the "display name" field to profiles. So they could prevent that. They could also check any new usernames or display names that start with "Fiverr" so that only real Fiverr staff can have those. They could also do image analysis of the profile image to make sure no one other than Fiverr can use their logo. In fact there are lots of phishing attempts from usernames like that. Fiverr could put a check on those usernames that automatically flagged them for a manual check and didn't allow them to do anything on site until approved.

It probably wasn't because you just completed your registration that you got the phishing message. eg. if you just joined Fiverr and completed the registration, as long as your browser wasn't compromised no one else should know (unless you joined the forum etc or unless they're checking sitemap type stuff or doing a seller search on the site (but for that they'd need part of the username)- but maybe it would require a gig first). It would have been after you created the new gig that they most likely noticed as your new gig would have appeared in the "new arrivals" sort on the site.

It does say to "keep payments and communication within Fiverr" and scanning the barcode could have sent you to any website.

You could tag one of the staff members if you want them to reply to your post here.

Edited by uk1000
  • Like 14
  • Up 4
Link to comment
Share on other sites

39 minutes ago, uk1000 said:

It's a security problem if Fiverr allow any Fiverr users to call themselves "Fiverr Support" in their display name. Maybe that's a new problem that only happened because they quite recently added the "display name" field to profiles. So they could prevent that. They could also check any new usernames or display names that start with "Fiverr" so that only real Fiverr staff can have those. They could also do image analysis of the profile image to make sure no one other than Fiverr can use their logo. In fact there are lots of phishing attempts from usernames like that. Fiverr could put a check on those usernames that automatically flagged them for a manual check and didn't allow them to do anything on site until approved.

It probably wasn't because you just completed your registration that you got the phishing message. eg. if you just joined Fiverr and completed the registration, as long as your browser wasn't compromised no one else should know (unless you joined the forum etc or unless they're checking sitemap type stuff or doing a seller search on the site (but for that they'd need part of the username)- but maybe it would require a gig first). It would have been after you created the new gig that they most likely noticed as your new gig would have appeared in the "new arrivals" sort on the site.

It does say to "keep payments and communication within Fiverr" and scanning the barcode could have sent you to any website.

You could tag one of the staff members if you want them to reply to your post here.

From what I've seen on here (I got one of these but would never scan it!) the scanned site pops up as Fiverr (with a small change to the URL). While it's noticeable to us, it can easily fool newcomers who haven't been around for long. 

That being said, based on the screenshot the fake support chat they have does use very broken English (which... can be an indication of issues but again might not be picked up by some people).

This is a particularly nasty scam and I really hope something will be done about it. As you said, as long as someone is able to pose as Fiverr (which the Telegram scammers have tried as well) it's kind of a Fiverr issue.

  • Like 9
  • Up 5
Link to comment
Share on other sites

These QR scams and fake Support messages have invaded Fiverr, Etsy and Vinted.

It’s absolutely embarrassing that these million dollar companies haven’t put a stop to it.

I’m also completely sick of those annoying scam telegram messages with the stupid fonts.

There is no excuse. They use AI for everything, how is AI not being used to protect us from HUGELY KNOWN scams?

This is basic anti fraud protection/cybersecurity. I wish they would focus more on protecting people against scams (and thus making Fiverr a better place) instead of coming up with 1000 ideas to force everyone to have less than 5 stars.

  • Like 6
  • Up 10
Link to comment
Share on other sites

I agree that Fiverr should have better systems in place. However...

Being a freelancer is running your own business. If you fall for obvious scams, at a certain point it's darwinism. If you can't avoid this type of scam, your ability to do professional work in certain fields kind of comes into question, common sense is a must for nearly everything.

  • Like 5
  • Up 2
Link to comment
Share on other sites

1 hour ago, visualstudios said:

If you can't avoid this type of scam, your ability to do professional work in certain fields kind of comes into question

For new users who don't know as much about how Fiverr works who get a message from "Fiverr support" (display name), with Fiverr's logo on things very soon after creating their first gig it won't be as easy for them to know if it's fake compared to someone who has been on Fiverr for a lot longer and knows how it all works and what to check.

Maybe Fiverr could have warnings for people who sign up and maybe others to give them things to look out for for spotting phishing on Fiverr  (as well as they could alter their systems to make it less likely to happen again).

Edited by uk1000
  • Like 5
  • Up 6
Link to comment
Share on other sites

Guest kubracorl
18 hours ago, uk1000 said:

It's a security problem if Fiverr allow any Fiverr users to call themselves "Fiverr Support" in their display name. Maybe that's a new problem that only happened because they quite recently added the "display name" field to profiles. So they could prevent that. They could also check any new usernames or display names that start with "Fiverr" so that only real Fiverr staff can have those. They could also do image analysis of the profile image to make sure no one other than Fiverr can use their logo. In fact there are lots of phishing attempts from usernames like that. Fiverr could put a check on those usernames that automatically flagged them for a manual check and didn't allow them to do anything on site until approved.

It probably wasn't because you just completed your registration that you got the phishing message. eg. if you just joined Fiverr and completed the registration, as long as your browser wasn't compromised no one else should know (unless you joined the forum etc or unless they're checking sitemap type stuff or doing a seller search on the site (but for that they'd need part of the username)- but maybe it would require a gig first). It would have been after you created the new gig that they most likely noticed as your new gig would have appeared in the "new arrivals" sort on the site.

It does say to "keep payments and communication within Fiverr" and scanning the barcode could have sent you to any website.

You could tag one of the staff members if you want them to reply to your post here.

I completely agree with you. Since I'm a relatively new freelancer, I thought the message was actually from Fiverr and assumed they were asking for money for membership or security. However, I was scammed within minutes. As I mentioned above, the dollar exchange rate is very high in my country. 1 dollar is equal to 30 TL, and I paid around 400 dollars. The Fiverr support team has not yet responded to this issue. I expect them to get back to me urgently, otherwise I will take legal action regarding security vulnerabilities. @Lena

Link to comment
Share on other sites

Hi! Thank you for bringing this to our attention. I am sorry to hear that this happened to you. Though I am unable to address account-specific issues like this, I have elevated this issue to the appropriate departments and CS will get back to you shortly.

 

  • Like 6
  • Up 1
  • Thanks 5
Link to comment
Share on other sites

Guest kubracorl

Here's the response I got from Fiverr support! Is "sorry" all they have to say? I don't think these people understand how much money I lost. I lost almost half of my monthly income. I was never warned by Fiverr and it's their fault. I should have been warned beforehand if there were security vulnerabilities. How was I supposed to know that there were fraudulent accounts on Fiverr? This is not normal! Can everyone please show their support on this issue? @uk1000 @catwriter @zerlina84 @Lena @Kesha @katakatica 

zyro-image (1).jpg

zyro-image (2).jpg

zyro-image (3).jpg

zyro-image (4).jpg

zyro-image (5).jpg

zyro-image (6).jpg

Link to comment
Share on other sites

@kubracorl I’m not surprised they won’t help you because it was indeed an outside scammer. But Fiverr should at THE VERY LEAST have a pop up for new users alerting them to these scams, just like my homebanking website does, for example.

I’m very sorry this has happened to you. Can’t you talk to your bank and tell them you were a victim of fraud and tell them you had all these unauthorized debits? Banks have a few rules about these things, but you might get lucky if they understand it was in fact fraud.

  • Like 5
Link to comment
Share on other sites

1 minute ago, zerlina84 said:

Can’t you talk to your bank and tell them you were a victim of fraud and tell them you had all these unauthorized debits?

I second this, and it's what Fiverr's customer support (the real one) suggested, as well.

A bank might be able to reverse those payments.

  • Like 6
  • Up 5
Link to comment
Share on other sites

Guest kubracorl
3 minutes ago, zerlina84 said:

@kubracorl I’m not surprised they won’t help you because it was indeed an outside scammer. But Fiverr should at THE VERY LEAST have a pop up for new users alerting them to these scams, just like my homebanking website does, for example.

I’m very sorry this has happened to you. Can’t you talk to your bank and tell them you were a victim of fraud and tell them you had all these unauthorized debits? Banks have a few rules about these things, but you might get lucky if they understand it was in fact fraud.

Thank you, I submitted a request to the bank. They said it's under review, but unfortunately, like Fiverr, they will probably say it's not their responsibility and dismiss me. I at least thought Fiverr would take responsibility. Unfortunately, I will have to complain if they don't. 😞

Link to comment
Share on other sites

2 minutes ago, kubracorl said:

Unfortunately, I will have to complain if they don't. 😞

Something to keep in mind: over the years, I've seen a lot of people threaten to sue Fiverr, for one reason or another. I have never seen anything come out of it.

  • Like 5
Link to comment
Share on other sites

I think the tricky part is that Fiverr technically does warn us about screening links (I think) and files in the TOS and about communicating outside of the platform. It's clearly not enough but it's kind of there. However, when a scam like this runs this rampant (and they are able to use the site's name) it is kind of... a them issue as well. 

I feel like people are fooled easily partially because they expect to link their cards to the site - how else would we get paid? (I know bank accounts and card details are different but still...)

In the end... I just hope something is done about this because if not, it's going to further harm the people (and eventually the platform.)

 

  • Like 5
  • Up 5
Link to comment
Share on other sites

42 minutes ago, katakatica said:

I think the tricky part is that Fiverr technically does warn us about screening links (I think) and files in the TOS and about communicating outside of the platform.

In the "handling orders" section of the TOS https://www.fiverr.com/legal-portal/legal-terms/terms-of-service it says:

Quote

Users are responsible for scanning all transferred files for viruses and malware. Fiverr will not be held responsible for any damages which might occur due to site usage, use of content or files transferred.

Though the phishing/fraud wasn't in an order.

It does say:

Quote

* Fiverr does not provide protection for users who interact outside of the Fiverr platform.

* All information and file exchanges must be performed exclusively on Fiverr's platform.

but the initial messages took place on Fiverr and it seemed to them that clicking the QR code was part of Fiverr's system (even though it wasn't), and they most likely thought the fiverr.othersite.com was actually Fiverr.

There's the page about safety but it gives similar info as above:

https://help.fiverr.com/hc/en-us/articles/360011175377-Fiverr-seller-safety-best-practices

Quote

Keep transactions on Fiverr.Com

Buyers who want you to provide services outside of Fiverr.com are not only violating our Terms of Service, they’re subjecting you to potential fraud.
 
We are only able to protect you as long as you conduct your transaction on the Fiverr platform.
It's not giving info on what they should avoid to prevent getting scammed by these Fiverr inbox messages and phishing.
Edited by uk1000
  • Like 6
Link to comment
Share on other sites
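The two checks suggested in this thread (holding accounts whose display name claims to be "Fiverr" for manual review, and telling fiverr.com apart from a host such as fiverr.othersite.com), sketched in Python as an added example that is not part of any post and not Fiverr's own code. The function names and the look-alike table are assumptions of the example, and it matches the brand anywhere in the name rather than only at the start.

```python
import unicodedata
from urllib.parse import urlsplit

BRAND = "fiverr"                 # name reserved for staff in this example
OFFICIAL_DOMAIN = "fiverr.com"
# Assumed (constructed) table of look-alike characters folded before matching.
LOOKALIKES = str.maketrans({"0": "o", "1": "i", "3": "e", "5": "s", "@": "a", "$": "s"})


def skeleton(display_name: str) -> str:
    """Reduce a display name to plain lowercase letters/digits for comparison."""
    # NFKD turns styled letters (bold or fullwidth "fonts") into plain ones and
    # splits accents off so they can be dropped. It does not map Cyrillic or
    # Greek look-alikes; those would need a separate confusables table.
    text = unicodedata.normalize("NFKD", display_name)
    text = "".join(c for c in text if not unicodedata.combining(c))
    text = text.casefold().translate(LOOKALIKES)
    # Spaces, punctuation and zero-width characters are removed here.
    return "".join(c for c in text if c.isalnum())


def needs_manual_review(display_name: str, is_staff: bool = False) -> bool:
    """True when a non-staff account's display name claims the brand."""
    return not is_staff and BRAND in skeleton(display_name)


def is_official_host(url: str) -> bool:
    """True only for https URLs on fiverr.com or one of its subdomains."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:           # malformed URL: treat as not official
        return False
    on_domain = host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN)
    return parts.scheme == "https" and on_domain


if __name__ == "__main__":
    # First name is the one quoted in the thread; the rest are constructed.
    bold = "\U0001d405\U0001d422\U0001d42f\U0001d41e\U0001d42b\U0001d42b"  # "Fiverr" in bold math letters
    for name in ["Fiverr Support @ techbot01353", bold + " Support",
                 "F1verr-Supp0rt", "Five Star Design"]:
        print(f"{skeleton(name):32} review={needs_manual_review(name)}")
    for url in ["https://help.fiverr.com/hc/en-us",
                "https://fiverr.othersite.com/verify",      # constructed path
                "https://fiverr.com@othersite.example/"]:   # constructed URL
        print(f"{url:45} official={is_official_host(url)}")
```

The host check compares the parsed hostname against the registered domain, so a brand name placed in a subdomain label or in the userinfo part of the URL does not pass.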

Sorry to hear that. To be honest, Fiverr will not provide compensation because the transaction did not occur within Fiverr's payment gateway. Your account may also get blocked because you used an external platform for payments (it wasn't intentional, I know).

 

The best thing is reversing the payment through your bank. If you paid with Visa or Mastercard, you can reverse a payment within a maximum of two weeks (same for other card companies, I assume). Immediately contact your bank and take the necessary actions to reverse the payment.

  • Like 5
  • Up 1
Link to comment
Share on other sites

6 hours ago, kubracorl said:

Fiverr would take responsibility

They can only release new features (using AI algorithm) overnight for sellers, but for buyers, nah! They're not going to do anything. Is it that hard to use AI and reverse search images that are using the Fiverr official logo? My newbie friend (a web developer) can do it in hardly an hour by writing a few lines of code. The same goes for display name. Is it too hard for staff members to search 'Fiverr' in their database and terminate all accounts? C'mon man, it's just a normal search in database and it will just give you all accounts (and don't tell me that a billion dollar company's database has no search filters, lmao!)

When it comes to sellers, they don't even think once and terminate accounts (without even stating actual reasons) and no warning or whatsoever, whether it's a new seller, a Pro, or a TRS seller. But for buyers, they can't integrate a line of code (that too with AI algorithm) even when they're aware that this scam has been going on their platform for a long time now (it's been more than 2-3 months since I've been hearing about this scam on forums).

To Fiverr: We understand that it's a seller's responsibility to avoid clicking on links. However, what are you taking 20% from us for? To maintain your platform, isn't it? And are you able to maintain it? Even knowing the exact problem and even the solution, are you taking any steps?

  • Like 5
  • Up 9
Link to comment
Share on other sites

3 hours ago, rawque_gulia said:

Is it that hard to use AI and reverse search images that are using the Fiverr official logo?

It shouldn't be difficult. Especially since nobody but Fiverr is supposed to use Fiverr's logo (and that includes gig images, not just profile pictures). I mean, that AI would help a lot to weed out all sorts of scammers (including sellers who use Fiverr's logo in their images or profile pictures).

  • Like 5
  • Up 2
Link to comment
Share on other sites

10 hours ago, zerlina84 said:

Can’t you talk to your bank and tell them you were a victim of fraud and tell them you had all these unauthorized debits? Banks have a few rules about these things, but you might get lucky if they understand it was in fact fraud.

Banks usually shrug off the responsibility if the user has provided the transaction password/card details/SMS verification code themselves to the scammer.

  • Like 5
  • Up 2
Link to comment
Share on other sites
