Account Hacked - Money Stolen




I would like to share my recent experience and hopefully get some views on how it happened.


So, here's the story...


It first showed up when I could not log into the Upwork website. It kept telling me that either my username or password was incorrect.


I then attempted to get a password reminder and it tells me that my username was not found.


I then attempted to log a problem but could not because I wasn't able to log in....


I then contacted Upwork via the "anonymous" contact system. I wrote a detailed explanation and sent it off...


I had no confirmation of the problem being received or acknowledged.


The next day I attempted to open another "anonymous" ticket... again it was sent and I received no acknowledgement or response.


I then decided to tweet to @UpworkHelp... with no response for 8 hours....


I then decided to phone Upwork in Los Angeles from here in the UK....


So, this is where it all gets scary....


The lady I spoke to at Upwork tried to confirm my email address and said that it was incorrect.... She asked some other identification questions and was happy I was genuine...


So, somebody had gained access to my account and changed the email address..


I received NO notification from Upwork saying my email had changed....


It was decided at this point that my account had been hacked and it was escalated to the Account Security team...


I was then contacted by a very helpful chap from the Account Security team and he informed me that an additional payment method had been added to my account and $909 taken.


I had no notification from Upwork that the additional payment method had been added.


I had no notification that a withdrawal had been made..


I have no idea how they managed to add another payment method without knowing the answer to my "secret question"....


I am completely confused how this has managed to happen and quite annoyed to lose $900!


I am also very worried that it might be possible for this to happen again!


How did this manage to happen without me knowing anything about it????


Can anyone suggest how this hacker managed to do it?




re: "There's a simple solution to this-never leave any funds in your account with upwork"


Let me add some additional personal perspective on this idea. I really appreciate the notes from Rene and Margarate and others who have pointed out problems with this idea.


It IS a good idea, but it is not a solution to the root problem, and it is not always feasible.


As noted, a hacker might steal the money before a contractor can withdraw their funds, maybe because they're faster, or maybe because the funds become available at night.


Also: with the withdrawal fees levied on withdrawal methods other than withdrawing to a U.S.-based bank account, it is understandable if some contractors want to avoid paying fees by leaving their money in their Upwork accounts for a while before withdrawing.


What I PERSONALLY do is withdraw my money immediately after it becomes available. I know when it becomes available to me: 5:00 p.m. on Tuesdays. That's not a problematic time for me. It's not in the middle of the night, as the time might be for somebody in Europe.


And because I'm withdrawing to a U.S. bank, there are no fees. So within five minutes after money is available to me, I withdraw it.


Is that a "solution" to the fact that my account could potentially be hacked? Let's not call it a solution. Let's just say it is what I do now.


I'm very cognizant (especially after the conversation in this thread) about the fact that what I do won't work for everybody.


It is good to have some "best practices" ideas out there that fit with the way Upwork really functions right now, even if those ideas won't work for everybody.


It is also good to discuss ways that Upwork can be improved.

@Douglas Michael M wrote:

I changed my address in August, and received notices at both the old and new address. The one to the old address instructed me to contact Support immediately if I had not authorized the change.


[edited to add:] Should a positive opt-in/confirmation from the old address message be required?


I changed my address back in the Spring or early summer and I didn't get a thing via postal mail or email to confirm this.... 

I find this really concerning. I also withdraw my money as soon as I know it is there, and I check my account daily to make sure nothing has changed. This way, I hope if a hacker beats me to the withdrawal, they only get access to a smaller amount of funds as most of my payments are single article milestones or a small package of social media posts.


I just changed my account email address to see what happened. I already added a security email after I read another of these threads. When I changed, I received email messages to my new email, the old and my security email with a suggestion I contact Upwork if the change might be the result of fraud. Is this a change? I just did that a few minutes ago to see what happens. 


I do agree about better security measures from Upwork. I also understand it isn't a guarantee. 


I have a question. What measures can we take to avoid downloading files with malware, spyware, trojans, or any other nasty programs we don't want on our computers? I can use computer applications, but am not a programmer or developer. I am at the point where I am not applying for projects if a file is attached. I run a virus checker daily, but it slows my computer down as it updates itself then performs the check. I am not sure if it really would catch everything.

Samantha, some general advice


1. You should use anti-virus / malware on your device. And importantly, keep it up to date. However, this is a limited help - this type of approach is not infallible. In fact the head of Symantec (who develop anti-virus software) said that anti-virus software only catches about 45% of malware.


2. Make sure software, especially browsers and browser plugins are patched and up to date (malware uses flaws in software to infect machines)


3. Use anti-exploit software - Malwarebytes offer a decently priced package. This protects you against malware installed via exploit kits that are online (this is becoming more common as people become more security savvy and fewer people click on attachments)


4. Be generally security aware - read up about it, it's an interesting topic as it's about people as much as technology


5. If two factor is available use it (by that I mean adding another factor to login to accounts with, such as an SMS code received on your mobile)


Hope this helps a little


p.s. just editing to add that if you MUST open attachments from unknown sources or potentially compromised ones, you should ideally, to avoid infection, open attachments on a virtual machine. This sounds more 'techie' than it is, VMs are MUCH easier to install than they used to be, but I realise that might be off-putting if you're not used to using them - just added here as an afterthought, just in case


Samantha, one thing I would definitely recommend is having two-factor authentication on your email address. Gmail offers this, I'm not sure about other email providers. Set your email password to something extremely secure and don't use it for anything else. You might want to have a separate email for your freelancing activities (if you don't already). The most critical thing is for your email to be secure. If you lose access to your email, you potentially lose access to everything.