Threat: Phishing & impersonation

Fake WeTransfer / file-sharing download phishing — impersonates WeTransfer, Smash, Hightail, FileMail, or Transfernow claiming someone sent the victim a file, with a download link that requires Microsoft 365 or Google credential sign-in; Vade Secure 2023–2024: WeTransfer impersonation phishing up 400%; Cofense 2024: file-sharing lures used in 23% of enterprise phishing attacks

fake-wetransfer-file-sharing-download-phish

What this tier means

High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.

How Gorganizer detects this

Phishing emails impersonating WeTransfer, Smash, Hightail, FileMail, or Transfernow claiming that someone sent the victim a file ready for download — with a download link that leads to a fake Microsoft 365 or Google credential-harvest page.

Key facts:

(1) Vade Secure 2023–2024: WeTransfer impersonation phishing surged 400%, exploiting the fact that victims regularly receive legitimate WeTransfer links and trust the pattern — the conditioning makes recipients click without verifying the sender domain; Cofense 2024: file-sharing lures were used in 23% of enterprise phishing attacks, making it the second most common phishing lure category after invoice fraud.

(2) The attack chain is deceptively simple: the email looks like a routine file-transfer notification from a colleague or client, the "download" button redirects through a URL shortener or tracking proxy to a Microsoft 365 / Google login page, and after the victim enters credentials the phishing page completes the redirect to a benign file — so victims never realize they were phished.

(3) The required "sign in to download" step is the specific red flag: legitimate WeTransfer, Hightail, and Smash file transfers almost never require the recipient to log in — files are downloaded directly via a public link without any account credentials.

(4) The attack disproportionately targets corporate users: file-sharing phishing templates often include a real sender name, professional subject line, and plausible business context ("Design files from [Agency]", "Q4 budget from [CFO]") that slip past content filters.

Warning signs: sender domain not wetransfer.com, hightail.com, smash.com, or filemail.com; download requires Microsoft / Google / Office 365 sign-in; no reference to which specific file was sent; download link expires in an unusually short window.
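The first two warning signs can be expressed as a small check over a raw message. This is an added example, not Gorganizer's own detection code; the function names, finding labels, and sample messages are constructed for illustration, and the brand and domain lists are the ones given on this page.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Brand names and sender domains exactly as listed on this page.
BRAND_RE = re.compile(r"\b(wetransfer|smash|hightail|filemail|transfernow)\b", re.I)
LEGIT_DOMAINS = {"wetransfer.com", "hightail.com", "smash.com", "filemail.com"}
# "sign in ... Microsoft/Google" or the reverse order, within a short window.
SIGNIN_RE = re.compile(
    r"(sign[\s-]?in|log[\s-]?in)\b.{0,60}\b(microsoft|office\s?365|google)"
    r"|\b(microsoft|office\s?365|google)\b.{0,60}(sign[\s-]?in|log[\s-]?in)",
    re.I | re.S)

def domain_allowed(domain, allowed):
    """True if domain is an allowed domain or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def check_file_share_lure(raw_email):
    """Return finding labels (hypothetical names); empty if no brand is claimed."""
    msg = message_from_string(raw_email)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = " ".join(p.get_payload() for p in msg.walk()
                    if p.get_content_maintype() == "text")
    claimed = " ".join([display, msg.get("Subject", ""), body])
    if not BRAND_RE.search(claimed):
        return []
    findings = []
    if not domain_allowed(domain, LEGIT_DOMAINS):
        findings.append("brand_sender_mismatch")
    if SIGNIN_RE.search(body):
        findings.append("signin_required_to_download")
    return findings

# Constructed sample messages (not real traffic).
PHISH = ('From: "WeTransfer" <noreply@files-delivery.example>\n'
         "Subject: You have received files via WeTransfer\n\n"
         "Q4 budget from CFO is ready. Sign in with your Microsoft 365 "
         "account to download. The link expires in 2 hours.\n")
LEGIT = ("From: WeTransfer <noreply@wetransfer.com>\n"
         "Subject: design.zip was sent to you via WeTransfer\n\n"
         "1 item, 20 MB in total. Get your files.\n")
OTHER = ("From: Alice <alice@corp.example>\nSubject: Lunch\n\n"
         "Sign in with Google to see the menu.\n")

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT), ("OTHER", OTHER)):
        print(name, check_file_share_lure(raw))
```

The findings are inputs to a score, not a verdict: a sign-in phrase alone (as in the third sample) produces nothing unless a file-sharing brand is also claimed.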

False-positive guard

Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.

About the scoring engine

Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.

Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.
