*Note* Much of this information comes directly from Payment Risk and should not be shared, either internally or otherwise
What Is NDF or ‘Non Delivery Fraud’
The main goal of NDF groups using Upwork is to earn as much money as possible, as quickly as possible. They do this via targeting higher paying job categories, higher rates, and attaining attractive and verified profiles so that they can then appeal to higher paying clients.
Typical NDF Behaviours:
- Hacking client accounts
- Blackmailing clients
- Build account job feedback through begging and/or bribery
- Sharing accounts with each other
- Leasing accounts from other Upwork freelancers
- Purchasing accounts from other Upwork freelancers
- Purchasing identity verification (webcam, ID docs) from others
Structure: Factions
- NDF are divided into groups and given quotas for how much they are supposed to earn
- Groups don’t necessarily communicate, but may share some learnings / best practices
Although there is clearly some degree of information / technique sharing amongst disparate groups of NDF users, they are separate entities that do not overlap in terms of membership as far as we can tell.
We see one group of NDFs operate in a particular way, and then you’ll see what seems to be another group of people sharing similar behavioural patterns. For example, one group of NDFs were wearing wigs for webcam verifications, and an entirely unconnected group shortly afterwards started doing the same, though they did not share members on Upwork.
Another group may have had some success using a specific email domain (Yandex, for example), and then we started seeing different groups doing the same - Though again, they appeared to be otherwise unconnected.
Structure: International Presence
NDF Respond & Change as Upwork Detects them
The first is the typical, original ‘Chinese Freelancer’ or agency. These users will typically initially deliver great work, and then start overbilling, and soon after stop delivering work to their clients. They will often retaliate against the client when confronted. This is not as common any more, but they do exist and we see them from time to time.
Then the second is the ‘Location Liar’ persona, more common currently, where often the user is often Chinese, but pretending to be an Eastern European freelancer. They do this because they are able to charge a higher rate than they would if they were telling the truth about being in China/India/Bangladesh etc. They typically start as a good freelancer, but will then likely stop delivering like Persona #1, or continue to work depending on client wealth/spend rate.
The third is the ‘Client’ persona, primarily used to hire other NDF users and build feedback, in order to appear more attractive to other clients. They are also used to check on other freelancer accounts, and train new NDF recruits on how to apply to jobs successfully.
The fourth persona we see is the ‘Paid/Secondhand/Piggyback’ user. As NDF has evolved, it has started engaging in more complex methods of evasion, and these are the most difficult for us to identify, as well as the most dangerous.
Sub Type A: Paid Freelancer
The point of these accounts is evading our identity verification process.
Secondhand Account Persona:
These will be an existing freelancer account, possibly with some jobs or earnings already, but they are approached by NDF either before or after the verification process.
Once the account has been sold, it will then be taken over by the purchaser, a member of one of the NDF groups. Below is an example of the type of approach NDF groups are taking:
Piggyback Account Persona:
These can involve either a new or existing account, and we use the term ‘piggyback’ because the NDF and the original non-NDF freelancer will operate out of the same account, sharing it. Here we’ll often see different disbursement methods, and two different IPs logging into the account.
Below is an example of what we often see from NDF users approaching other users to establish this type of account:
The table below details the key differences between the three leased account subtypes:
Scam / Spam Accounts:
These accounts are often detected as false positives for NDF accounts, but actually operate rather differently:
Limited Admissions / Other Non NDF
Users attempting to circumvent Limited Admissions are another group of freelancers that can appear to fit the NDF profile, but are generally not. Limited Admission ‘Gamers’, for example, do buy and sell accounts in order to evade Limited Admissions based on poor quality profiles, but are largely just people wanting to get on the platform to do genuine work rather than commit fraud.
Web Presence
Some of the Persona types detailed above (particularly the sold accounts) are real people, and so when looking for details about them online we will often find legitimate information. This has led to escalations in the past from EE to Payment Risk, assuming that there was a potential false positive, where the suspension was actually valid.
There are a number of cases when an NDF related issue might reaches EE, though the three most common of these are:
- False Positives - Users that Payment Risk has suspended for having NDF associations in error.
- Client Unhappy With Suspension - Clients who do not believe the FL they have been working with has done anything wrong and are upset their contract has been disrupted
- Client Unhappy with Upwork - For allowing them to be defrauded and losing money/time on a contract with a fraudster.
In the first two cases in particular, we should do as much research and investigation as possible into the validity of the suspension on Payment Risk’s part, using the information presented in the first part of this document, as well as the additional Payment Risk centric details below.
Research Tools
There are some useful tools, most of which are also used by Payment Risk, that can help us make a determination about whether a freelancer is NDF:
- IP Quality Score - This site lets us check the ‘quality’ of an IP address (how likely it is to be fraudulent), and provides a host of other useful information (see below):
- iOvation - Searching by user ID in iOvation will give us a list of accounts and devices associated with that ID. This can help detect less savvy NDF user groups, as well as other types of multi-account or fraudulent users.
- Maxmind - Searching by IP address give us a much more complete set of information about an IP address than is usually available via OBO, such as specific location (including city and postal code), ISP, organisation and more.
- Check Mail - Tool that allows us to check whether an email address used to register an Upwork account is a ‘disposable’ address, which are often used when creating NDF accounts.
Other EE NDF Research Methods
Aside from the tools mentioned above, and the information detailed in the Payment Risk section below, there are numerous methods EE can use as a team to attempt to establish whether a user is NDF.
- Hourly / Manual - It’s a very common tactic for NDF users to insist on changing from the client’s suggestion of a Fixed Price contract to an (often unusually high) hourly rate. Once the contract is established, they will often push for Manual time to be allowed too.
- Language - Does the user claim to be from an English speaking country, or to be fluent in English, but struggle to communicate in coherent/fluent sentences in the chats with their client?
- Communication - Is the suspected user delaying and pushing back the potential due date of the project regularly? Not always a warning sign but combined with other tells this can show that the user is attempting to extract more hours from the client before abandoning the project.
- Withdrawal Method Mismatch - A major warning sign, seeing an accounting entity in a name which does not match the one being used by the FL strongly indicates that they are lying about their identity.
- Profile Pictures - Does the profile picture used by the FL look surprisingly professional / mismatched with the name they are using? A reverse Google Image Search might reveal that it’s been stolen from elsewhere.
- Non-Delivery - In cases of false-positive suspensions, we might see evidence of the FL delivering a final or close-to-complete work product. In genuine NDF cases where the user is appealing, we should check recent contracts to establish whether they had in fact delivered work.
False Positives
If we have cause to believe that a user has been incorrectly suspended and that their case may be a false positive, we should:
- Create a ticket via email to: tns-investigations-escalations@upwork.com
- This email should detail the reasons we believe the account requires an additional review
- Add as much information as possible regarding the case as possible
The detection and handling of NDF users and groups on Upwork is a process largely handled by Risk Management. Included below is some useful information about their processes and some background / ‘behind the scenes’ detail which will be useful to us when working with them on NDF cases which have been escalated to us.
Payment Risk will make a decision on freelancers based on the level of confidence they have the user is part of NDF. Based on this level of certainty Payment Risk will adjust their actions that impact clients, including ending contracts and reversing payments, to minimize impact to the freelancer.
The following table shows the action Payment Risk took and how you can identify it in OBO:
As before, Payment Risk will initiate the ticket with the client to inform them of the action taken. If the client responds the ticket will automatically be reassigned to Client Retention.
Appeal / Verifications
Freelancers who are determined possible NDF or confirmed NDF and allowed appeal will be required to further verify their account before being resumed.
If the freelancer does not respond within 7 days their contracts will be ended and earnings reversed. Otherwise Payment Risk will wait until the outcome of the account verification before taking further action (either end the contracts/reverse the earnings or resume the FL).
Codes Used By Payment Risk in OBO:
Below is a list of codes used by Payment Risk when noting NDF accounts in OBO. Although the list is incomplete, it does help us get some more insight as to the reasons users have been flagged as NDF, and combined with our own research can help us decide whether a user requires an additional review when we are handling an escalation:
Macros Used by Payment Risk when Handling NDF-Affected Clients: (customised for HV CLs)
|
Leaving a VM |
Hello, My name is (insert your name) calling from Upwork. I’m calling to speak to you regarding some urgent information about your active service contract. If you would, please return my call at ( use (866) 640-0544 for US clients, 16503168006 for international callers), M-F 24 hours a day and either myself or one of my colleagues will be able to explain the issue and answer any questions. I’ll also follow up with an email. Thank you. |
|
No phone number/ No VM |
My name is (insert agent name) and I’m writing to follow up on a message I’ve just left for you. During our regular reviews, we’ve discovered some inconsistencies that required further investigation. After in-depth review, we’ve reason to believe a Freelancer you’ve been working with, insert Freelancer first and last name, is in violation of our Terms of Service and therefore non-compliant and I’d like to speak to you about it in more detail. Please provide your preferred telephone number and the best time to reach you, I’m happy to give you a call. I do ask that you not alert your Freelancer to the matter. Once we’ve had a moment to speak with you, we will send the Freelancer proper notification. I look forward to your reply and speaking with you at your earliest convenience. Best regards, (insert your name) Upwork Premium Support |
|
No response to VM or emails and funds are recoverable (at least a portion if not all) |
The Upwork Trust and Safety team regularly reviews activity on our platform to safeguard against persons posing as legitimate members of our community. In a recent review, we found compelling evidence to support behavior that is in violation of our Terms of Service, and we’re prepared to take further action against (freelancer name) to protect you and the community. Historically, freelancers identified in this group will start out as appearing to be legitimate developers. Some will deliver great code for the first few projects, then fail to deliver, or deliver bug and malware riddled code, once they've secured high dollar contracts and been paid on those contracts. Our status as an escrow company doesn't allow us to recover funds once they have been withdrawn from the platform. Fortunately, we were able to place a hold on the Freelancer’s account which has prevented him from withdrawing $xx and these funds will be returned to your (insert UPM here). After processing is complete on our end, you can expect to see the credit to your (insert UPM here) within 3-5 business days. We understand the impact that this action may have on your project and ultimately your business. So we want you to know that we'd never take such drastic steps without good cause. If you have any questions or need support in any way, please don't hesitate to contact us. |
|
No response to VM or emails and NO funds are recoverable |
The Upwork Trust and Safety team regularly reviews activity on our platform to safeguard against persons posing as legitimate members of our community. In a recent review, we found compelling evidence to support behavior that is in violation of our Terms of Service, and we’re prepared to take further action against (freelancer name) to protect you and the community. Historically, freelancers identified in this group will start out as appearing to be legitimate developers. Some will deliver great code for the first few projects, then fail to deliver, or deliver bug and malware riddled code, once they've secured high dollar contracts and been paid on those contracts. Our status as an escrow company doesn't allow us to recover funds once they have been withdrawn from the platform, clients stand to lose all the funds paid, as well as the time already spent on the project causing delays and missed deadlines so we do take aggressive action to ensure we can recover as much of your money as possible, and get you back on track as soon as possible. While this news may come as a shock to you, we assure you we’ve done our due diligence and are acting on behalf of your and the Upwork community’s best interests. With that being said, please take the next 24 hours to reset any passwords, permissions, and accounts you’ve shared with the freelancer and back up any documents or data to which they’ve had access to. After being removed from the platform, it is common that a freelancer will contact a client directly offering to finish the job or recommending another developer. If you are approached, it’s best for you to decline the offer, or ignore the freelancer altogether. I certainly understand hesitation you may have in accepting this outcome to your contract. As mentioned, many of the freelancers are well versed in securing trust in their abilities to deliver on project expectations. And needless to say, this may have a profound impact on your project and business. Just know that Upwork would never make the determination to end a contract without a justifiable reason. Our success lies in the success of our clients and their freelancer relationships. Our goal is to foster long term, successful relationships. If you're interested in speaking with one of our Talent Sourcing agents to assist you in locating a new freelancer to continue your project, I'd be happy to arrange that for you. Before providing a shortlist of freelancers for you to begin the interview process with, we will review the shortlisted freelancers by our Risk Management team. While we can’t 100% guarantee the freelancer, we can provide you with a bit more confidence that the freelancer is compliant to our ToS and can get the job done for you. I'd also like offer you review of the code submitted by the freelancer. Our trusted developers can review the code and determine if there are any inconsistencies, if the code is usable, and if not yet finished, the skill level of developer you would need to hire ,and approximately how long it should take to finish. These services are offered free of charge, in hopes to help you get your projects back on track. Best regards, (your name) Upwork Premium Support |
|
CL wants to pay FL for completed work |
I certainly understand your position. All users of Upwork must agree to adhere to the Upwork Terms of Service in order to use the platform. When we find that a user is non-compliant, we're unable to protect that user's earnings and are obligated to send the funds back to the Client's original payment method. - We realize that you may be inclined to pay the freelancer off platform to continue working with them, but this is something that is highly discouraged. Doing so puts you at risk of losing additional time and money, and we are unable to provide any sort of security assurances. We have an obligation to protect not only you, but the members of our community and cannot share our methods of review, nor the exact specifics of the review of your Freelancer. If you wish, please review section 3 of the Upwork User Agreement for as much detail as we can provide. You can find the Agreement here: https://www.upwork.com/legal/. |
|
CL wants to keep working w/ FL |
I certainly understand your position. All users of Upwork must agree to adhere to the Upwork Terms of Service in order to use the platform. When we find that a user is non-compliant, we're unable to protect that user's earnings and are obligated to send the funds back to the Client's original payment method. - We realize that you may be inclined to pay the freelancer off platform to continue working with them, but this is something that is highly discouraged. Doing so puts you at risk of losing additional time and money, making payments off the platform and we are unable to provide any sort of security assurances if you choose to do so. We have an obligation to protect not only you, but the members of our community and cannot share our methods of review, nor the exact specifics of the review of your Freelancer. If you wish, please review section 3 of the Upwork User Agreement for as much detail as we can provide. You can find the Agreement here: https://www.upwork.com/legal/. |
|
CL wants more money |
I appreciate your request and understand your position. Upwork is limited in the actions we can take with funds processed through the platform, being that we operate as a licensed escrow agent under very specific rules and regulations. While we do have the authority to deposit payments to a freelancers preferred payment method at their request, the option to debit funds is not available. Once withdrawn from the platform, these funds become property of the freelancer and cannot be recouped. We never want to benefit from the misfortune of our clients, therefore we have returned the services fees paid to us over the lifetime of this contract. As a courtesy to you as a valued Upwork client, we’ve also provided an additional platform credit of $xx.xx that can be applied towards future invoices. While we are unable to offer additional funds, let us know if we can provide support to you through education on best practices or talent sourcing assistance in order to locate a new freelancer. If you have further questions or concerns, please let us know. |
Frequently Asked Questions:
- Is there a simple way to tell whether a freelancer is able to appeal an NDF suspension?
- When Payment Risk suspends an NDF user from ZenDesk, they are essentially saying that person is not able to appeal because of the strong evidence they found. However, because they are not always correct, if the user reaches out via other means and there is an escalation, we want to make sure that case is reviewed.
- Are there any stats that show Payment Risk’s rate of false positives?
- Right now we reinstate approximately 5% of ‘Confirmed Fraud’ cases. We are actively moving towards more granular information being available based on fraud type.
- How often when EE has new / qualitative information to share with Payment Risk about an NDF user does that make a difference to your decision when making a further review?
- Rarely. We look again at the standard methods we already used to make the decision and review them again, basically reinstatement cases are more to do with performing QA on ourselves than additional information provided from EE.
- If EE receives an escalation from a user who has contacted us via Social Media about an NDF account suspension, should we make this clear and give the account info to Payment Risk for further review?
- Yes, this would be useful, though it’s possible that the SM account has also been sold and so it doesn’t necessarily mean it will add weight to the potential for the suspension to be a false positive.
- Because EE gets a lot of pushback on these cases, from both the user and elsewhere in the company, would it be possible to share information with us about the type of NDF persona / fraud that has resulted in the suspension?
- Yes, we have agreed to start doing this moving forward.
- Could we have access to a tool to help reset the issues that False Positives create (such as ended contracts / resultant JSS issues / reversed funds etc)?
- This will be considered this quarter.