Cloudflare billing verification email - legit?

I purchased a domain at Cloudflare yesterday. Today I receive an email from notices@trustandsafety.cloudflare.com with the subject ACTION REQUIRED User Billing verification step required for your Cloudflare account.

It’s requesting me to click a link that begins with Identity Verification | Stripe

Against my better judgement, I clicked the link, and it’s requesting pictures of my driver’s license and myself. I canceled after seeing that.

Any other Cloudflare users, is this normal? It says it will cancel my new domain if I don’t complete this within 24 hours? Seems very suspicious to me, but I’m open to everyone else’s experiences.

Searching Google for this issue brings very few results that relate.

Never. Sounds like a scam to me. Why would Cloudflare need a a pic of your DL? very strange. Get away from them and do it now. Stripe is even a bigger red flag.

Thanks, I thought so. It has all the tell tale signs of a fraudulent email, but I just wasn’t sure if this was common with that service.

Yup you would never send such PII over plain text email. Plus you would only need to send ID #s if say applying for merchant services. That should be done through your local bank.
The best policy is to trust nothing, question everything.

Never had to give any identification to cloudflare. Stay away or call cloudflare support to confirm.

I reached out to support to make sure. If for some reason they come back saying that is legit, I’m going to take my business elsewhere. The whole reason I’m self-hosting is to avoid unnecessary personal information getting out there.

Are you using a paid product or feature of cloudflare?

Just bought a domain with them. I’m not using any extras really.

It is possible that they will want ID, but that would up to their payment processor (stripe?). I personally think this is not suppose to happen unless it’s somehow suspicious.

Apparently I somehow appeared suspicious to them. I asked Cloudflare support directly about this and it appears the request was legit. Here’s what happened when I ignored the request:

“The registration of the domain was found to be of a fraudulent nature and the purchase transaction was cancelled and refunded and the domain deleted.”

Not sure what made my purchasing a domain appear fraudulent. I’ve never ran into this type of thing before. My bank flags things sometimes, but never has a company given me such difficulty purchasing something.

Take your business elsewhere, you should not need to deal with such hassles. Hover https://www.hover.com

Yeah, due to their actions taken against @liquidsuspension for calling the purchase of the domain “fraudulent” (I would question why Cloudflare would call it as such), I won’t be using their CDN service for my website.

Google domains is a safe bet.

I switched over to Porkbun and all is well so far.

Good that you got things resolved. Don’t know anything about Porkbun but will check them out, alternatives is always a good idea.

Apparently, according to this:

the e-mail was legit.

https://community.cloudflare.com/t/phishing-email/386863

Personally I would appreciate an extra step a company takes to verify things as it would make things safer for all of us… On the other hand, I would never ever send that sort of sensitive information over an e-mail…

Actually in our country it is totally against the AVG law to even ask for such information… That alone would raise numerous flags… But yeh… Not sure how things are in the US in that regard.