Avoid Phishing and Malware

With so many users on Upwork, suspicious activity may appear on the platform from time to time. While we take great measures to keep our global marketplace safe and we’ll continue doing our best to prevent or address suspicious activity, we also count on you to continue being diligent in protecting your information and access. Educating yourself and trusting your instincts are key to safety.

Start by following the general electronic security guidelines we’ve outlined to help you protect your computer and your information.

Keeping communication with other users on Upwork will also allow us to assist in protecting your security. Below are some additional tips and best practices to help you identify and avoid potential phishing, malware, or scam attacks.

  • Circumvention: When a client is requesting to take work or payment off Upwork, it is not only against the Upwork Terms of Service, but it’s also an easy way for you to fall victim to a scam since you will not be protected by Upwork’s programs, like Hourly Payment Protection
  • Phishing: This is when someone is trying to steal your password and information by directing you to a fake login page. Always double check that links or HTML files clients send you are for valid websites. Make sure the URL is correct, and never give out your personal information
  • Free work: This happens when you’re asked to submit work before a fixed-price milestone has been funded, or you’re requested to do the job as a “sample.” If a client requests sample work, it should be paid. Avoid this by never starting work before the official contract start date and the first milestone is funded. This is different than asking for samples of your past work or other questions or tests intended to vet your skills before engaging you
  • Payment for materials or to “submit an application”: Never pay anything for a client to consider your proposal/application or to work for a client, even if they claim that the money will be reimbursed. Although freelancers should generally pay their own expenses and have the tools they need to do the work, be very cautious if a client ever asks you to pay for something upfront or to pay them directly for anything needed for the project
  • Check-cashing fraud: This happens when someone asks you to process PayPal payments, purchase gift cards, or requests favors to cash or deposit checks and money orders in order to send the money somewhere else. These checks or money orders are likely fraudulent and your bank can hold you liable for the funds, even if you have already sent the money on to the “client”
  • Shipping scam: We’ve seen scams in which a client has requested to have goods shipped to you, which you would then repackage and mail elsewhere. These items can be stolen or purchased with a stolen card, and freelancers can be acting as the middleman
  • Clickbait: Be sceptical if you’re asked to click on external links or sign up for websites, as you may be falling for a click-bait scam, where a website makes money off of the click-through traffic. Research the website before clicking to see if there are relevant reviews or red flags. External links could also potentially lead to dangerous malware/ransomware
  • Personal info: Clients do not need access to your personal information, payment account information, driver's license, passport, social security number or other tax ID, tax forms, etc. Do not share this information
  • Other flags: Jobs that advertise benefits, medical insurance, and training programs are often signs of a scam client. Be extra cautious with those types of posts

Tips to Spot Email Scams

Best practices can help you spot and avoid email scams

  • Take a moment to look at the email address (Do the alias, sender, and domain look legitimate?)
  • Consider whether the content of the email makes sense (Would a Nigerian prince really want to give you a million dollars?)
  • Watch out for messages urging you to act fast before you think
  • Never respond to emails asking you to reply or call them with contact or financial information or personal information, such as date of birth or social security number (or other tax ID)
    • First, ask yourself if the sender has a legitimate reason to be asking for this information
    • Even if you answer the first question "yes," don't reply to the email or call the number provided. Contact the sender directly to determine if the request is legitimate (For example, call the number on the back of your credit card)
  • Beware of emails that contain links and/or attachments, and be careful before clicking or opening them. The easiest way to protect yourself is to not click on suspicious or unknown links
  • Malicious links are the most common scam tool and one of the easiest to spot if you know what you're looking for. At first glance, the URL may appear legitimate, but
    • The true URL could be hidden (a link's text can look like a URL, while link itself points somewhere else). Hover over the link to see where it's really pointing
    • A link shortening service might be used to hide the malicious destination
    • The URL may contain misleading typos, such as upvvork.com instead of upwork.com
  • Ask yourself whether you're expecting an attachment from this person
    • The only attachment file format that isn't a potential threat is .txt. Treat all other attachments as potentially malicious
    • Attachments, especially Microsoft Office files like .xls could contain hidden malware, even if they pass your virus protection scan
  • And when in doubt, confirm the message content with the sender before taking any action, including clicking links, saving/opening attachments, or calling the phone number. Confirm via a method other than email, if possible. If not, compose a new message. Make sure you are not replying to the suspicious message – that could go to the phisher

Want to learn more about protecting yourself from phishing? Click here to read the Federal Trade Commission's detailed advice.

If you believe you have received a phishing attempt through Upwork, from an Upwork user, or about your Upwork credentials, please report it to phishing-report@upwork.com.

For more information about reporting Upwork-related suspicious activity by a fellow user that isn't a phishing email, click here.

Worried you may have fallen victim to a scammer's malware attack? Continue reading in Detect Malware.

For an overview of online safety and security best practices, please visit our Security Center. Or check out our complete online security series by clicking the links below:

  1. General Electronic Security
  2. You are here — Avoid Phishing & Malware
  3. Detect Malware
  4. Get Rid of Malware
  5. Secure a Compromised Account

Log in to get personalized help.