IMPORTANT:
In addition to following the process for handling hijacked/ATO issues detailed in the drop-downs below, IF the user has reported withdrawal of funds by the hacker, we ALSO need to ping the AS team in #ask-account-security right away. How quickly we ping them in the AS channel matters a lot, over and above the ticket being escalated to them.
Make sure to add helpful indicators about reports of hacking when reporting to AS.
Examples of helpful notes:
“USER: I am getting so many mails of invitations from upwork ?”
“Also he keeps receiving spam emails from upnotifcation3@gmail.com”
Receiving a lot of spam emails from a fake Upwork email address like this is a clear sign that the user’s Upwork account has been hacked/ATO'd and that the attacker is trying to bury genuine Upwork notifications among the junk emails.
Such cases should immediately be escalated to #ask-account-security.
What is an ATO account?
An ATO (account takeover) account is an account that another person (not the Account Owner) has actually gained access to. The actual AO may or may not still have access to the account.
How is an ATO account different from a compromised account?
With a compromised account, the other person (not the Account Owner) attempted to get into the account but was NOT able to gain access due to other security measures (e.g. security question), whereas with an ATO case, the other person (not the Account Owner) DID gain access to the account and the actual Account Owner may or may not have access to said account.
ATO: Attacker is able to successfully log in and edit user data, apply or list jobs, etc.
Compromised Account: Attacker knows the username/password but was not able to fully log in to the account due to a second factor of authentication (security question, SMS, one-time passcode).
What is an ATO fraud charge claim?
ATO fraud charge claim - An account has been taken over by an unauthorized party and funds were charged to and/or removed from the account through actions the account owner did not initiate. If this is the case, see the “ATO Fraud Charge Claims” dropdown.
What is a compromised email?
Compromised email - Another person (not the owner of the email address) attempted to get into the email account. If the user believes their email account may be compromised, see the “Compromised Email” dropdown.
Possible ATO
IMPORTANT: If none of the paths showcase ATO, but the situation just doesn’t feel right, it’s highly encouraged to ping the #ask-account-security channel to take a deeper look! We would much rather have a report that turns out to be nothing than overlook a possible ATO account.
Remember: be a detective!
- Calls & Chats are easier since we’re chatting with the customer live and can probe for information easily.
- For ticket cases, the more we probe back and forth via email, the more we potentially put the customer’s account at risk.
- If the ticket doesn’t populate BOBO, try to search OBO with first/last name, first part of email address, other info given in ticket, past tickets for unique info e.g. transaction ID, a contract number, etc.
- If there are no clear ATO changes within the last 2 weeks and the customer doesn’t specify when they were last able to log in, look a little further back. If you can’t see anything suspicious, yet the customer states something is wrong / doesn’t feel right, reach out to #ask-account-security to be safe.
If the user mentions something similar to the following (these are examples, not a complete list):
- I have fraudulent charges in my Upwork account that I didn’t process
- My account is hacked OR Someone hacked my account
- Unable to access account (or email) and I didn’t make any changes to it
- Tried to reset password, but received an error that email is not associated with account
- Something weird is happening in my account that I didn’t do
- Anything related to an unknown payment / withdrawal method (for unknown methods, skip checking User Actions and go straight to the “Lock Account” drop-down to see “If an “unknown withdrawal/payment method” case”)
- There’s a payment / withdrawal method in my account I didn’t add
- I noticed a payment/withdrawal method I did not add but I do not see it anymore
- I received an email saying a payment/withdrawal method was added, but I do not see it in my Upwork account
Check “User Actions” in OBO to see if any of the following were changed in the past 2 weeks (or since the user believes they last logged in):
- Password
- Security Question Answer
- Email Address
- Registered Email Address (while we won’t see changes / time stamps here, this can be a good piece of info to look at if claims of email changes occurred)
- If YES, this is a possible ATO; go to the "Lock Account & Send to Account Security" dropdown for additional information.
- If NO, and the user does NOT qualify as a possible ATO but states they are having trouble getting into their account, see: User Login Trouble
- If NO, and the user does NOT qualify as a possible ATO but claims an unauthorized/fraudulent charge, see: Handling Unauthorized / Fraudulent Charge Reports
ATO fraud charge claim - An account has been taken over by an unauthorized party and funds were charged to and/or removed from the account through actions the account owner did not initiate.
If the user mentions something similar to the following (these are examples, not a complete list):
- My funds were withdrawn and I didn’t do it
- My billing/payment method disappeared
- A new billing/payment method that’s not mine was added
- Someone put a charge on my account, but I didn’t set up this contract
If none of the user’s info seems to showcase an ATO fraud charge claim, but the situation doesn’t feel right, ping the #ask-account-security channel.
If an Unauthorized Disbursement/Withdrawal:
Check OBO to see if a new UPM was added within the last 2 weeks.
- If yes, a UPM was added (shown in User Actions):
  - Chat/Phone - ask the user if they recently added a UPM
    - If YES, not ATO; may need to educate on timeframe of disbursement and/or disbursement schedule
    - If NO, add a tag (left side of ZD ticket) of “ato_potential_loss” and see “Lock Account & Send to Account Security” dropdown
  - Ticket - add a tag (left side of ZD ticket) of “ato_potential_loss” and see “Lock Account & Send to Account Security” dropdown
- If no UPM was added, go into OBO transactions, click the Ref ID for the withdrawal and find the “Description on invoice” field
  - If Disbursement - scheduled disbursement, not an ATO case; may need to educate on timeframe of disbursement and/or disbursement schedule
  - If Withdrawal - manual withdrawal, possible ATO - add a tag (left side of ZD ticket) of “ato_potential_loss” and see “Lock Account & Send to Account Security” dropdown
If an Unauthorized Charge:
Some elements to check for include, but are not limited to:
- Was this a 14-day auto escrow release?
  - We may need to educate the client on how payments work on the platform.
- Was this an automatic hourly contract charge?
  - We may need to educate the client on how payments work on the platform.
- Is there a contract that the client is unaware of? If so, do they perhaps have a hiring manager that may have hired this freelancer?
  - We may need to educate on hiring permissions.
If there seem to be charges to the client’s account due to a contract they did not set up or bonuses/misc payments they did not submit, see the “Lock Account & Send to Account Security” dropdown.
Compromised email - Another person (not the owner of the email address) attempted to get into the email account.
If the user believes their email address IS compromised (no need to ask in ticket cases) -
- Ask the user to email accountsecurity@upwork.com from a secure email address that is not associated with the Upwork account, referencing the agent-created ticket number in their email
- In the agent ticket, add an internal note that this is being done by the user, THEN see the “Lock Account & Send to Account Security” dropdown
If an ATO fraud charge claim - immediately see a TL to suspend the AE of the FL that is/will be receiving the funds, add a tag (left side of ZD ticket) of “ato_potential_loss” and follow the map.
If an “unknown withdrawal/payment method” case -
1. Confirm the withdrawal / payment method is not owned by the customer (be sure to check the “deleted” methods, as well). If not owned by the customer, continue to next step.
2. Follow the map steps as outlined below
3. In addition to following the full map steps, post the ticket link & OBO URL in the #ask-account-security Slack channel, informing the team that this is an “unknown withdrawal / payment method case”
In these cases, check User Actions in OBO for any changes to the user’s email address, password and/or security question/answer. Check for inconsistencies that include, but are not limited to, IP addresses from different countries. In addition, we can also check and compare the IPs through the ZD ticket 'Events'. If you feel this is still an ATO situation, follow the steps in the “Lock Account & Send to Account Security” map above.
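The User Actions check described above (credential changes in the past 2 weeks or since the last login the user remembers, plus IP-country inconsistencies) can be expressed as the following added example, which is not an Upwork tool or part of the original process. The record fields, action labels and sample history are constructed for illustration and do not reflect the real OBO export.

```python
from datetime import datetime, timedelta

# Hypothetical action labels for the three credential changes the process
# says to look for: password, security question/answer, email address.
SENSITIVE = {"password_change", "security_question_change", "email_change"}

def triage(actions, now, last_known_login=None, window_days=14):
    """Summarise one account's action history for an escalation note."""
    # Look back 2 weeks, or to the last login the user says was theirs.
    since = last_known_login or now - timedelta(days=window_days)
    recent = [a for a in actions if since <= a["ts"] <= now]
    changes = [a["action"] for a in recent if a["action"] in SENSITIVE]
    # Countries seen before the window act as the account's baseline.
    baseline = {a["country"] for a in actions if a["ts"] < since}
    new_countries = sorted({a["country"] for a in recent} - baseline)
    return {
        "possible_ato": bool(changes),   # any credential change => lock and escalate
        "changes": changes,
        "new_countries": new_countries,  # supporting indicator for the AS team
    }

# Constructed sample history (not real data).
NOW = datetime(2024, 5, 20, 12, 0)
SAMPLE = [
    {"ts": datetime(2024, 4, 2, 9, 15), "action": "login", "country": "US"},
    {"ts": datetime(2024, 4, 28, 18, 40), "action": "login", "country": "US"},
    {"ts": datetime(2024, 5, 17, 3, 2), "action": "login", "country": "BR"},
    {"ts": datetime(2024, 5, 17, 3, 5), "action": "email_change", "country": "BR"},
    {"ts": datetime(2024, 5, 17, 3, 6), "action": "password_change", "country": "BR"},
]

if __name__ == "__main__":
    print(triage(SAMPLE, NOW))
```

If the user gives a "last login" date that falls after the attacker's changes, the window misses them, which is why the process says to look further back when something still doesn't feel right.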