File-Sharing Fraud: Data Reveals 350% Increase in Hard-to-Detect Phishing Trend

Phishing has long remained a favorite strategy among cybercriminals, and as security awareness has evolved, so have their tactics. According to our H2 2024 Email Threat Report, which was released today, phishing makes up nearly 72% of all advanced attacks, with one method outpacing all others.

File-sharing phishing—a type of attack in which threat actors send emails that appear to be from trusted file-sharing platforms—has increased 350% year over year. This growing threat leverages popular file-sharing services and believable pretexts to trick recipients into entering their credentials into fraudulent login pages or downloading malware disguised as an important file.

Like all types of phishing, file-sharing attacks work by exploiting recipients’ trust. But, unlike more traditional forms of email phishing, this strategy is much more difficult to detect.

Our latest report delves into important trends and emerging strategies across the threat landscape, including increasingly sophisticated phishing attacks. Here are a few key highlights of the file-sharing phishing trend.

For many years, security-aware employees and legacy security tools used common telltale signs to detect phishing attempts, including poor grammar, spelling mistakes, or obvious indicators of compromise—such as the inclusion of malicious URLs or attachments. However, file-sharing phishing eliminates many of these signals, subverting security protocols and end-user expectations.

While these attacks still leverage typical social engineering tactics, like impersonating a trusted entity, they are virtually undetectable because they mimic unremarkable, run-of-the-mill business correspondences.

Sharing files and documents via email is a common practice for organizations in every industry. While the themes of some phishing attacks are likely to give most employees pause (such as unsolicited, too-good-to-be-true job offers or an email from the HR director requesting $500 in gift cards), the pretext of file-sharing phishing attacks is perfectly ordinary and, therefore, inherently believable.

File-sharing phishing attempts also often include subject lines and file names that are enticing enough to open but not so outlandish that they’d set off alarm bells. For example, a subject line might reference updates to the company’s compensation package, PTO policy, or bonus structure, or another scenario likely to pique interest without raising suspicion.

Additionally, because cybercriminals are adopting generative AI tools to craft phishing emails, their messages lack the awkward syntax or spelling and grammatical errors that might otherwise tip off targets and traditional security tools. These tools, combined with the growth of phishing-as-a-service kits, mean even threat actors with rudimentary technical skills can execute sophisticated phishing schemes with professional language, high-quality graphics, eerily realistic login pages for collecting credentials, and more.

File-sharing phishing attacks would be a pressing issue regardless of volume, as one single successful attack can have costly consequences. But considering that these attacks increased by 350% between June 2023 and June 2024, it’s clear that blocking these threats is rapidly becoming more critical than ever.

Part of what makes file-sharing phishing effective is that many attacks go beyond simply impersonating legitimate file-hosting solutions—they exploit real services like Dropbox, Sharefile, or Google Drive. According to data in our latest report, ​​60% of file-sharing phishing attacks are sent using legitimate domains that were registered more than five years ago.

By creating genuine accounts, cybercriminals can send legitimate emails with legitimate embedded links and only expose targets to malicious content after they’ve engaged with a shared file. Also, because many of these platforms offer free service tiers or trials, file-sharing phishing is relatively inexpensive.

The recent accelerated adoption of file-sharing platforms and e-signature solutions also benefits threat actors. With increases in remote and hybrid working over the past few years, employees have become more accustomed to engaging with sensitive materials through file-hosting platforms. Because employees often receive notifications to open or edit files from their peers, they’re unlikely to think twice about clicking a link and entering login information to review a document.

But even when cybercriminals choose not to use real platforms, it’s relatively easy to mask malicious links and trick traditional security solutions. For example, some attackers use URL shorteners or redirect capabilities, which direct targets to a legitimate website before sending them to a malicious site. Because traditional security solutions only analyze the top-level domain and not the entire URL or its final destination, these tactics decrease the chances of the link being flagged by legacy tools as malicious.

Although threat actors target every industry, the finance sector experiences the highest proportion of file-sharing phishing attacks, followed closely by construction/engineering and real estate/property management. This is likely due to a few shared characteristics.

First, because these industries rely heavily on file-hosting and e-signature solutions to exchange documents with their clients and partners, recipients are less likely to detect phony notifications among the flood of legitimate file-sharing notifications. Additionally, organizations in these fields often operate in fast-moving environments where people are used to making decisions quickly. Threat actors often exploit recipients’ sense of urgency, since time-critical tasks aren’t unusual.

Lastly, these three industries are among the most regulated. Given regulatory and compliance standards require employees to adhere to specific processes that often aren’t informed by emerging cybersecurity threats, their rigidity can create unexpected vulnerabilities.

Phishing is becoming more sophisticated, and file-sharing phishing is just one way threat actors are evolving their techniques to exploit trends in email use. Legacy security tools are no longer enough to defend against the latest generation of attacks — especially since new technologies like Generative AI can make malicious communications practically indistinguishable from safe emails.

The best way to stave off attacks is to adopt an email security solution that can detect even hyper-personalized and never-before-seen threats, and remediate malicious emails before end-users even have a chance to engage.

For more insight into file-sharing phishing attacks and the current email threat landscape, download our H2 2024 Email Threat Report.