I purchased a domain at Cloudflare yesterday. Today I receive an email from notices@trustandsafety.cloudflare.com with the subject ACTION REQUIRED User Billing verification step required for your Cloudflare account.
Against my better judgement, I clicked the link, and it’s requesting pictures of my driver’s license and myself. I canceled after seeing that.
Any other Cloudflare users, is this normal? It says it will cancel my new domain if I don’t complete this within 24 hours? Seems very suspicious to me, but I’m open to everyone else’s experiences.
Searching Google for this issue brings very few results that relate.
Never. Sounds like a scam to me. Why would Cloudflare need a a pic of your DL? very strange. Get away from them and do it now. Stripe is even a bigger red flag.
Yup you would never send such PII over plain text email. Plus you would only need to send ID #s if say applying for merchant services. That should be done through your local bank.
The best policy is to trust nothing, question everything.
I reached out to support to make sure. If for some reason they come back saying that is legit, I’m going to take my business elsewhere. The whole reason I’m self-hosting is to avoid unnecessary personal information getting out there.
It is possible that they will want ID, but that would up to their payment processor (stripe?). I personally think this is not suppose to happen unless it’s somehow suspicious.
Apparently I somehow appeared suspicious to them. I asked Cloudflare support directly about this and it appears the request was legit. Here’s what happened when I ignored the request:
“The registration of the domain was found to be of a fraudulent nature and the purchase transaction was cancelled and refunded and the domain deleted.”
Not sure what made my purchasing a domain appear fraudulent. I’ve never ran into this type of thing before. My bank flags things sometimes, but never has a company given me such difficulty purchasing something.
Yeah, due to their actions taken against @liquidsuspension for calling the purchase of the domain “fraudulent” (I would question why Cloudflare would call it as such), I won’t be using their CDN service for my website.
Personally I would appreciate an extra step a company takes to verify things as it would make things safer for all of us… On the other hand, I would never ever send that sort of sensitive information over an e-mail…
Actually in our country it is totally against the AVG law to even ask for such information… That alone would raise numerous flags… But yeh… Not sure how things are in the US in that regard.