Fake WeTransfer from ‘Burli’

Starting in early 2019 spam emails circulated worldwide seeming to be from someone at Burli trying to send a document via WeTransfer.

These emails do not come from Burli and should be deleted. They are likely a phishing attack, aimed at gathering email login information.

In January 2019 many of our friends, customers, and partners began receiving fake WeTransfer notifications by email. The emails seemingly come from WeTransfer, apparently on behalf of someone at Burli Software. They were not sent by Burli.

We’re not cyber-security experts but from what we can tell, the emails come from and link first to a server at WeTransfer, the well-known and reputable service for sending files. From there things go pear-shaped very quickly.

Thanks to a trick with an .html file, the reader is quickly forwarded to a login screen. This screen (which looks like a WeTransfer page but isn’t) asks for both the username and password of your current email account. It offers several options – Hotmail, Office, Yahoo, Gmail, and so on: the usual suspects. Once you enter those details and press ‘Login’, no download happens.

Presumably some proportion of people give up at this point. Some probably contact WeTransfer for help. Some reach out to us, which is how we know about this.

Of course, there never was a WeTransfer document to download. Instead that email username and password (which are enough to log in and take control of that email account) have been sent deep into the unlit back streets of the internet.

If you followed that link, entered account details, got no document, and are now here with questions, our urgent advice is to change the password on that account as soon as possible (now is a great time. Go on… we’ll wait right here for you while you change it). Adding 2-factor authentication to that account, which foils many of these attacks, is also a good idea. If it was a work email account, let your IT folks know ASAP.

If you got the email, were suspicious of it and are here to double-check: you were right. It’s fake. Delete it.

As far as we can tell, no Burli server, account or system is involved in these attacks. We have no reason to believe the folks at WeTransfer have anything to do with it either. That means there’s very little we can do other than alert you that these emails aren’t from us, are likely malicious, and that we have not sent anything – certainly not unexplained and unexpected documents – to anyone via WeTransfer.