Beware for this new Scam?

[metkatmarketing]

I was scammed today and I am horrified! It says on their website that they will keep your information safe, yet they allow users to join who have their name is the new username. That is completely negligent behavior! Looking through these threads, this has been an ongoing problem for years. I am completely new to this company and I trust that they are doing what they can to protect me. I don’t feel that way at all and I will probably never recommend a marketing freelancer to use this company because of this experience.

[markp]

people really need to use common sense here.

If your account was suspended, you would get an email from Fiverr saying it's suspended. not an inbox message.

how does a bank card verify your account when your account is not created with a bank card? the bank card could belong to anyone. There is no verification here at all.  it's just a phishing attempt.

Regardless of what the user name is, if someone sends you a message asking for your credit card details via your inbox alarm bells should start ringing. Any legit customer support on any platform will not ask for credit card numbers at all. Payments are sent by encrypted means to meet PCI requirements. Not by a  QR code linking to a Mickey Mouse website.

look at the website address. you dont need to be a security consultant to realize it's a Mickey Mouse address. 

[visualstudios]

2 hours ago, metkatmarketing said:

It says on their website that they will keep your information safe, yet they allow users to join who have their name is the new username.

They do keep your information safe. That has nothing to do with what other people can pick as their display name. Those scammers didn't have access to ANY of your information, other than your (public) display name.

You gave them your credit card details, wth where you expecting?

[visualstudios]

1 hour ago, markp said:

people really need to use common sense here.

If your account was suspended, you would get an email from Fiverr saying it's suspended. not an inbox message.

how does a bank card verify your account when your account is not created with a bank card? the bank card could belong to anyone. There is no verification here at all.  it's just a phishing attempt.

Regardless of what the user name is, if someone sends you a message asking for your credit card details via your inbox alarm bells should start ringing. Any legit customer support on any platform will not ask for credit card numbers at all. Payments are sent by encrypted means to meet PCI requirements. Not by a  QR code linking to a Mickey Mouse website.

look at the website address. you dont need to be a security consultant to realize it's a Mickey Mouse address. 

Maybe this is what we actually needed to get rid of all the clueless meksells. People who fall for this have no business being freelancers. It's not personal, it's simply they don't have the skills required. If they don't have the common sense not to fall for this, how can they navigate running a business online and dealing with clients? It's simply not possible.

I mean, it's challenging for me, it takes a lot of work and effort, and I look at these scam attempts like child's play. That people falling for them can make a single $ online puzzles me deeply.

Edited April 29 by visualstudios

[uk1000]

24 minutes ago, visualstudios said:

They do keep your information safe.

by not doing more to block people putting their display name as "Fiverr Support" (when it's happened again today (edit: or maybe 3 days ago, which is still a long time after someone else reported the same display name being used for a scam), when it's already been stated to them that the fraudsters are putting their display name as that), attaching Fiverr logos to their messages and asking new users to "click on" (or scan) QR codes they're not doing the best they can to avoid people getting contacted scammers trying to take their info, and they're not really educating people enough about this in case their systems can't detect those users.

Fiver already scans links, surely an added check could be made to see if it's a url that starts with "fiverr." but goes to a totally different site than Fiverr  (which is probably a scam site so Fiverr's system could flag the message and not show it to other Fiverr users unless checked and accepted by the trust & safety team).

Edited April 29 by uk1000

[markp]

30 minutes ago, uk1000 said:

Fiver already scans links, surely an added check could be made to see if it's a url that starts with "fiverr." but goes to a totally different site than Fiverr  (which is probably a scam site so Fiverr's system could flag the message and not show it to other Fiverr users unless checked and accepted by the trust & safety team).

if you look at what is being sent they are sending it as an image and telling people to take a screenshot and then scan the QR code. Look at the messages above, you can see this. There is nothing for Fiverr to scan.  The only thing Fiverr should do is block every variation on Fiverr as a username

[visualstudios]

3 hours ago, uk1000 said:

y not doing more to block people putting their display name as "Fiverr Support" (when it's happened again today (edit: or maybe 3 days ago, which is still a long time after someone else reported the same display name being used for a scam), when it's already been stated to them that the fraudsters are putting their display name as that), attaching Fiverr logos to their messages and asking new users to "click on" (or scan) QR codes they're not doing the best they can to avoid people getting contacted scammers trying to take their info, and they're not really educating people enough about this in case their systems can't detect those users.

I agree that Fiverr should block all users from using "Fiverr" on their profile names, as well as the fiverr logo for their profile pictures. Obviously.

However, the user I replied to was implying that Fiverr does not keep user's personal information safe, and that's not true. Fiverr does not share or disclose any user information other than the information the user chooses to show (such as profile name, profile picture, etc.), so their assertion is incorrect. 

Fiverr should definitely institute better systems to control scammers, but that's very different from saying "Fiverr doesn't keep your personal information safe". That's not up to Fiverr (unless the platform itself shares that data, which is not the case), that's always up to you. Now, it's true that many internet users have no clue what they're doing, but then maybe they shouldn't be on the internet. You need a driver's license to drive a car. Maybe it's time to start requiring a license to use the internet. The amount of people falling for the most obvious scams is insane. It's not a security problem - it's a literacy / education problem. Fiverr can't fix that.

Edited April 30 by visualstudios

[uk1000]

4 hours ago, visualstudios said:

Fiverr does not share or disclose any user information other than the information the user chooses to show (such as profile name, profile picture, etc.), so their assertion is incorrect. 

They did though for a while when the new profile format got displayed. They shared the "full name" field in the page source, even though it's in the "settings" menu and it doesn't show that that will be in the public part of the profile (above the screen that shows the "full name" and email it says "Need to update your public profile? Go to My Profile) - indicating the "full name" field wouldn't get displayed/accessed publicly (and that for changig what will be shown/accessed publicly you'd need to go to a different place, the "My Profile" page to change them), even though, before I told CS about it, it was).

Fiverr also automatically enabled the option to make seller plus members see your past average purchase info and most frequently bought category. That was enabled for all users without informing them. You had to go to the bottom of the profile page to turn it off. Now there's no way to turn it off (so it's giving out what could be private info with no option to disable it), so all seller plus members you contact will be able to see a user's average purchase info and most frequently bought subcategory without their full knowledge or consent (sellers might be able to guess that that might be shown by the advert for seller plus features, but buyer-only users probably aren't told about it).

Also there's a lot of tracking info on the site that the user doesn't really opt in to. Using Fiverr Neo or when the Grammarly option that was there might be/have been sending info to certain other companies (through APIs). The privacy policy says they send stuff to 3rd parties (we have no Fiverr option over which 3rd parties they send out info to). There's a "do not track" option in some browsers. Fiverr say "We do not honor browser requests not to be tracked online". Why would a company say/do that?

Edited April 30 by uk1000

[emmaki]

It seems Fiverr didn't like my last post, which mentioned GDPR.

Was it because I used ChatGPT and correctly sourced it, then asked ChatGPT about what the fines were for this sort of thing?

EDIT: I'm going to take that immediate approval of this post as a "yes". Thing is, though, I don't remember ever being told by email about this breach that @uk1000 mentioned, which is in itself a breach of GDPR.

Fiverr - this isn't about "transparency" in the marketing sense of the word where it can mean whatever you want it to, including nothing at all. It is a legal requirement. As will the EU AI Act be. As EU consumer laws are.

Edited April 30 by emmaki

[uk1000]

34 minutes ago, emmaki said:

I don't remember ever being told by email about this

And while it's now been fixed on the Fiverr site (it no longer gets put in the page source), nothing has been done about the Fiverr seller pages stored in archive.org from when the profiles were changed to the new format until before it was fixed (in late November last year). Maybe Fiverr could contact archive.org (or any other sites like that) to ask them to remove those captures if necessary.

Edited April 30 by uk1000

[emmaki]

So the evidence is still up. archive.org doesn't have a particularly clear policy here (I haven't looked at the linked pages yet), but it appears that their policy is "you can remove it yourself".

Not very much going on in the terms: https://archive.org/about/terms.php

However, it does mean that there is evidence. Did anyone living in the EU recieve an email about this data breach? I live in Greece, which is in the EU, and I did not. I've checked my emails. GDPR doesn't show up at all, data breach, or "sorry", or "we apologize" or "compromised" or any of the other stock phrases that usually arise when a company does an oopsie and doesn't want a large fine.

Somehow, I rather think that GDPR fines will overshadow any extra funds clawed back from "price alignments" to SPP (remember the EU consumer law violation?)

[yourbrandingpal]

28 minutes ago, emmaki said:

So the evidence is still up. archive.org doesn't have a particularly clear policy here (I haven't looked at the linked pages yet), but it appears that their policy is "you can remove it yourself".

Not very much going on in the terms: https://archive.org/about/terms.php

However, it does mean that there is evidence. Did anyone living in the EU recieve an email about this data breach? I live in Greece, which is in the EU, and I did not. I've checked my emails. GDPR doesn't show up at all, data breach, or "sorry", or "we apologize" or "compromised" or any of the other stock phrases that usually arise when a company does an oopsie and doesn't want a large fine.

Somehow, I rather think that GDPR fines will overshadow any extra funds clawed back from "price alignments" to SPP (remember the EU consumer law violation?)

All the more reason that people file a class action lawsuit

[emmaki]

And yet another post deleted.

Why am I not allowed to post informative posts, but it's OK for someone immediately above me to suggest a class action lawsuit - something that I haven't suggested at all?

My point remains the same. There is every chance that the source page breach is a high risk GDPR breach, which requires disclosure to affected parties.

Is there a problem with me suggesting that Fiverr has a legally required duty of care to its users?

[uk1000]

11 hours ago, markp said:

If you look at what is being sent they are sending it as an image and telling people to take a screenshot and then scan the QR code. Look at the messages above, you can see this. There is nothing for Fiverr to scan.  The only thing Fiverr should do is block every variation on Fiverr as a username

They can scan more stuff in the message itself (eg. new buyers telling people to "click this QR Code" or tell people "Your account is currently suspended. To restore your account...". There will be quite a few words/phrases they can add to their list to check for.

If there's no URL in the message but there is a QR code image, Fiverr could also check the images and if any contain QR codes they could check what they contain and what URL they might point to. There are sites which analyse a QR code (without someone having to scan it). I'm sure Fiverr could do the same with some code/using an API.

This is a bit of code perplexity.ai suggested for Python. Fiverr could use something like this to check images which might contain a QR code and see what URL they point to (I haven't checked them so don't know how correct they are):

Quote

import cv2

# Load the image
image = cv2.imread('qrcode.jpg')

# Create a QR code detector
detector = cv2.QRCodeDetector()

# Detect and decode the QR code
data, bbox, _ = detector.detectAndDecode(image)

if bbox is not None:
    print(f"QR Code data: {data}")
else:
    print("QR Code not detected")

Another way it suggested:

Quote

from pyzbar.pyzbar import decode
from PIL import Image

# Load the image
image = Image.open('qrcode.jpg')

# Decode the QR code
data = decode(image)
if data:
    print(f"QR Code data: {data[0].data.decode('utf-8')}")
else:
    print("QR Code not detected")

Edited April 30 by uk1000

[emmaki]

Just a question. If UK is allowed to show how Fiverr could use code to handle the QR code stuff, why is my post that suggests how Fiverr could handle "fancy text" not allowed?

What is the fundamental difference between the two posts? What makes one acceptable, the other not?

EDIT: Thank you for approving this. But at the expense of comments that directly addressed what other users were saying, further discussed the issue, and provided deeper insights to continue the discussion. At the moment, it appears all I can post on this thread is complaints on how other people can post stuff that I can't, which doesn't really help the conversation at all, nor deliver any particularly great insight into the topics at hand.

Edited April 30 by emmaki

[daraodwyer]

Just got hit with one of these within an hour of creating my account. Naturally, I scanned the QR code but backed out once it started looking for payment information, it was a big red flag! Is there anyway to report the message/account?

[uk1000]

8 hours ago, daraodwyer said:

Is there anyway to report the message/account?

In the inbox put your mouse over the message. It should show 3 dots on the top right of the message. Click that and a menu should show with an option to report and one for "mark as spam".

So Fiverr still haven't stopped people changing their display names to "Fiverr Support" despite the previous reported accounts and posts about it.

Edited May 3 by uk1000

[geckotechgpt]

Hi All i'm new to Fiverr

I have received the same message I went to the QR code and saw they wanted my CVC number which in itself is highly unlikely to be requested.

I didn't put any details in but now wondering if the site has been hacked have people started to change their passwords as it's probably a wise thing to do.

If people have been scammed take screenshots of everything and contact your bank immediately, so anyone that has entered their details to the QR site, you have given your details to scammers by contacting your bank immediately they can freeze your account if you do it in time.

I have clicked back on he message and by clicking on the user you can see the account has no responses and was created in May 24 so if you do receive messages again, click on where it says fiverr support and it will give you a clue as to if the message is real or a scam 

 

Edited May 4 by geckotechgpt
updated my reply with important information

[maxivated]

Dear Fiverr Community,

I feel compelled to share a concerning encounter I recently had that I believe is part of a scam targeting Fiverr users. I received what appeared to be a legitimate message from Fiverr Support asking me to verify a payment due to suspicious activity on my account. Initially, it seemed legitimate, especially considering the swift response from Fiverr Support.

However, upon closer inspection, I noticed red flags. The message requested my email stating that "Fiverr" was holding a payment before confirmation. Additionally, I was instructed to verify transaction details to receive funds. This raised suspicions as I know that legitimate transactions on Fiverr do not require divulging sensitive information like payment card numbers or CVV2 codes.

Realizing the potential threat, I decided to investigate further online and stumbled upon similar reports of fraudulent activities targeting Fiverr users. It's evident that scammers are impersonating Fiverr Support and sending phishing messages to deceive unsuspecting users.

I consider myself fortunate not to have fallen victim to this scam. However, it's crucial to raise awareness within our community as many others may not be as vigilant. Always remember to scrutinize messages carefully, checking domain names and verifying the authenticity of requests. Legitimate transactions on Fiverr should always be conducted within the platform, with no need to disclose sensitive financial information.

I urge all Fiverr users to remain vigilant and report any suspicious activity immediately. Let's work together to safeguard our community against such malicious schemes.

Stay safe and alert,

Kamil K

[smartdezigns]

2 hours ago, maxivated said:

I urge all Fiverr users to remain vigilant and report any suspicious activity immediately. Let's work together to safeguard our community against such malicious schemes.

Report this to Fiverr Support. They'll take an action against that account.

[uk1000]

8 hours ago, maxivated said:

However, upon closer inspection, I noticed red flags.

Their message saying "The parcel has already been paid for by the buyer" would also have been a big clue that it was fake.

[shafkat_ppc]

Thanks for sharing