Fake WeTransfer Document Alert

There are spam emails currently circulating that claim to be from staff at Burli trying to send a document via WeTransfer.

They do not come from Burli or any of our servers, accounts, or employees. We think they are a phishing attack, aimed at gathering email login information.

In early January 2019 many of our friends, customers, and partners began receiving fake WeTransfer notifications by email. The emails seemingly come from WeTransfer, apparently on behalf of someone at Burli Software. They’re not.

We think WeTransfer and the Burli email addresses are being used more or less at random. The To: and From: addresses are probably both harvested from a hacked address book that both the ‘sender’ and recipient appeared in.

We’re not cyber-security experts but from what we can tell, the emails do come from and link first to WeTransfer, the well-known and reputable file sharing service. From there things go south quickly.

Thanks to a trick with a .html file, the reader is quickly forwarded to a login screen. This screen (which no longer has anything to do with WeTransfer) asks for both the username and password of the user’s current email account. It offers several options – Hotmail, Office, Yahoo, Gmail, and so on: the usual suspects. Once the user enters those details and presses ‘Login’, no download happens.

Presumably some proportion of people give up at this point. Some probably contact WeTransfer for help. Some reach out to us, which is how we now know about this.

Our best guess is that instead of a document download from WeTransfer, what has actually happened is that the email login information (enough to log in and take control of that email account) has been sent deep into the unlit back streets of the internet.

If you followed that link and are here with questions, our urgent advice is to change the password on that account as soon as possible (now is a great time. Go on… we’ll wait right here for you while you change it). Adding 2-factor authentication to that account, which foils many of these attacks, is also a good idea. If it was a work account, let the IT folks know ASAP.

As far as we can tell, no Burli server, account or system is involved in these phishing attacks. We have no reason to believe the folks at WeTransfer have anything to do with it either. That means there’s very little we can do about it other than alert folks that these are phishing emails and that we are not currently sending anything – certainly not random and unexpected documents – to them via WeTransfer.