How to prevent yourself from getting scammed on Upwork and Freelancer

Introduction

Recently, we were working to protect client’s new product with TLL Activation Server. This is usual for us, but there’s a story behind we simply had to share with the world.  Unfortunately, our customer prefers to stay in anonymity. Let’s call him “Alex” in our article.

The story

Alex got a wonderful idea to create new application. As he is not much technical, he went to Upwork.com and hired developer for that job. He hired Sergey who resides in Russia. Sergey was initially delivering all necessary work, cooperation was good. Even if the work was done little bit late, the application was working.

During development Alex found, that his actual licensing system (consisting of WordPress plugin and Sergey’s integration code) has many bugs and doesn’t work as expected. Even many customers complained. For example, his online licensing system haven’t option to add customer manually, by keyboard. You could only do PayPal transactions to add new licenses to WordPress admin.  As we’re successfully protecting Alex’s another application for many years, he asked us, if we can help. Of course, we said yes. 🙂

As we’re trusted company for Alex, he handovered some of his access credentials to us. Yes, it’s not good practice, we always say it should be done different way – for example by adding extra account and setting his permissions. However, Alex don’t care much about that (or more precisely, he trust us enough to give us such information), so we got access to his wordpress admin, shared git repository with the developer (Sergey) to be able to quickly do our analysis and integrate TLL as soon as possible.

After few days, our work was done: We have reworked application’s license engine and deployment process using sources provided, connected it to our activation server and update service. However, Alex was still expecting some extra features from Sergey. Sergey received the updated code from us, so he could take our code and add features there. We were, of course, available on Skype, so he could ask us anything and we would help him resolve any issue with changes we did. No communication was done from his side.

Until today, Sergey was asked multiple times by Alex to provide actual (and later final) version he’s working on. His responses were always “I already updated the bitbucket (git)”.  We checked the bitbucket. The last repository update date was month ago, still the same date. After each Sergey’s message we checked that date. To be sure, we also downloaded the whole repository and checked the sources, which were really not updated.

The story continued. We asked Sergey to send us bitbucket URL to be sure we’re accessing same repository. Of course, he sent the same URL. He even sent the path to non-existing binary file and said to Alex he can test this file.

Alex’s patience was at the end and he sent an ultimatum to Sergey to provide working version within 2 hours (no matter way, bitbucket, e-mail, download link, whatever).  Sergey did not sent sources after that. Sergey sent the binary installation package. But that’s not all the story. The installation package was digitally signed by us (Jan Drozd software) and was not containing features Sergey should code! It was the file we build for customer, not the Sergey’s one! Of course, we didn’t gave to Sergey our code signing certificate, so he couldn’t technically generate this binary.

I think that the most fitting words for Sergey’s behavior is scam or fraud. Once or twice, there can be an error, but Sergey lied multiple times. Alex fired him and left very bad feedback on Sergey’s upwork account. Also he contacted the UpWork company to report this.

We decided to be fair, even if Sergey clearly wasn’t. We won’t post Sergey’s surname or more indetifying information about him, as so called Alex also decided to stay in anonymity. We used real Sergey’s name and fictive Alex name for good reason. Sergey is very common name in Russia so it is not identifying him. However, Alex’s real name is really less common and we promised him anonymity.

The resolution

First, it’s better if you find trusted developer, outside of Freelancer or Upwork system. It should preferably be the person you personally know and you have good long-term experience with him/her. Your chances to not meet such scammer are then better. Even some of the 5 stars developers sometimes on Upwork and Freelancer try to scam. That’s our personal experience.

In case, you have no other option, than Upwork and similar sites, focus these points:

  • Do not rent the cheapest developers. The lower the price, the better chance to get scammed. Get the price offer from some other renowned company for comparation.
  • Never allow Upwork developers to access your PC/Mac using TeamViewer or other remote access solutions. In case you have to do that, carefully check what he’s doing on your computer.
  • Never ever handover your own credentials.
  • Do not pay before you see the work is actually done!
  • In case you observe first fraud like behavior, investigate that more and if the developer can’t explain that, cancel the contract.
  • Verify the developer’s previous jobs. If you find just one problematic, you should better not hire him.
  • More specialized is your project, the bigger chance is that you’ll meet developer who won’t be able to finish your project.
Posted in News.