Fake WeTransfer from ‘Burli’

There are spam emails currently circulating that seem to be from someone at Burli trying to send a document via WeTransfer.

The emails do not come from Burli and should be deleted. They are likely a phishing attack, aimed at gathering email login information.

In January 2019 many of our friends, customers, and partners began receiving fake WeTransfer notifications by email. The emails seemingly come from WeTransfer, apparently on behalf of someone at Burli Software. They were not sent by Burli.

We think the To: and From: addresses are probably both harvested from a hacked address book that both the recipient and ‘sender’ appeared in.

We’re not cyber-security experts but from what we can tell, the emails come from and link first to WeTransfer, the well-known and reputable service for sending files. From there things go pear-shaped very quickly.

Thanks to a trick with an .html file, the reader is quickly forwarded to a login screen. This screen (which looks like a WeTransfer page but isn’t) asks for both the username and password of the user’s current email account. It offers several options – Hotmail, Office, Yahoo, Gmail, and so on: the usual suspects. Once the user enters those details and presses ‘Login’, no download happens.
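For IT staff triaging a reported message, here is a check for the two behaviours described above, written as an added example (it is not Burli's or WeTransfer's code). It assumes the forwarding is done with a meta refresh or a script redirect, that `wetransfer.com` and `we.tl` are the legitimate hosts, and it uses constructed sample pages on the placeholder domain `example.net`.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

TRUSTED = ("wetransfer.com", "we.tl")  # assumption: WeTransfer's own hosts
# Assumption: the forwarding trick is a meta refresh or a script redirect.
META_URL = re.compile(r"url\s*=\s*['\"]?([^'\"\s]+)", re.I)
JS_URL = re.compile(r"location(?:\.href)?\s*=\s*['\"]([^'\"]+)")

class Scan(HTMLParser):
    def __init__(self):
        super().__init__()
        self.redirects, self.pw_fields, self.text, self.in_script = [], 0, [], False

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.redirects += META_URL.findall(a.get("content", ""))
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.pw_fields += 1
        elif tag == "script":
            self.in_script = True

    def handle_endtag(self, tag):
        self.in_script = self.in_script and tag != "script"

    def handle_data(self, data):
        if self.in_script:
            self.redirects += JS_URL.findall(data)
        else:
            self.text.append(data)

def trusted(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in TRUSTED)

def assess(html, served_from):
    """Findings for one HTML document and the URL it was loaded from."""
    scan = Scan()
    scan.feed(html)
    dests = [urljoin(served_from, t) for t in scan.redirects]  # resolve relative targets
    findings = ["forwards to non-WeTransfer host: " + d for d in dests if not trusted(d)]
    branded = "wetransfer" in " ".join(scan.text).lower()
    if scan.pw_fields and branded and not trusted(served_from):
        findings.append("WeTransfer-branded password form on non-WeTransfer host")
    return findings

# Constructed samples; example.net is a placeholder, not an indicator from the page.
FORWARDER = '<meta http-equiv="refresh" content="0; url=https://files.example.net/wt/login.html">'
LOGIN = "<title>WeTransfer</title><form><input type='email'><input type='password'></form>"
```

The host comparison matches the exact domain or a true subdomain, so a lookalike such as `wetransfer.com.example.net` is not treated as trusted.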

Presumably some proportion of people give up at this point. Some probably contact WeTransfer for help. Some reach out to us, which is how we know about this.

Of course, there never was a WeTransfer document to download. Instead that username and password (enough to log in and take control of the account) have been sent deep into the unlit back streets of the internet.

If you followed that link, entered account details, got no document, and are now here with questions, our urgent advice is to change the password on that account as soon as possible (now is a great time. Go on… we’ll wait right here for you while you change it). Adding 2-factor authentication to that account, which foils many of these attacks, is also a good idea. If it was a work email account, let your IT folks know ASAP.

If you got the email, were suspicious of it and are here to double-check: you were right. It’s fake. Delete it.

As far as we can tell, no Burli server, account or system is involved in these attacks. We have no reason to believe the folks at WeTransfer have anything to do with it either. That means there’s very little we can do other than alert you that these emails are probably malicious, aren’t from us, and that we have not sent anything – certainly not unexplained and unexpected documents – to anyone via WeTransfer.