I’m confused – I got an email from someone I don’t know with a Dropbox shared file link, but when I go, I don’t see that it’s the usual Dropbox domain. Should I sign in and proceed?
My general rule of thumb for all online communication is that if there’s anything at all that makes you suspicious, anything that seems wrong or any voice in your head that says “whoa, what’s with that typo?” or “that’s not the right URL”, then delete the email. If it’s ostensibly from an institution or organization you use or associate with, pick up the phone and call them to verify the email, or just log in to their Web site by typing in the URL (not clicking in an email message!) and seeing if there are any notices or notifications.
The fact is, there’s no limit to the ingenuity of hackers who are trying to steal your site credentials, whether it’s a bank, an online store, or just about any other Web site. Heck, if they can then log in and get your address, phone number and something like a social security number or credit card, they can sell that on the dark web and never even have to test and try things to see if they’re accurate. Definitely not good.
So you’re spot on with your skepticism and default reaction of rejecting anything you receive that doesn’t pass your “sniff test”.
But let’s have a closer look at this Dropbox scam because it should trigger all sorts of warnings if you’re paying attention anyway! First off, here’s the email that you’d receive:
Looks reasonably legit, coming from “DropboxMail” and with the subject of “Notification of new document”. Then there’s that big blue “View shared document here” button, who wouldn’t want to click it?
If you have a decent email program like Apple Mail, however, just move the cursor over the button and hover for a second or two. It’ll pop up a tip window that shows the destination URL:
“smkn2ponorogo.sch.id”? That’s definitely not “dropbox.com” as you would expect. In fact, .id is the country-code top-level domain for Indonesia, as it happens. But let’s say you do actually click on the link. Instead of it prompting for your Dropbox account credentials (which would make sense) it prompts for something quite different:
That right there should be enough for you to reject this site: Why would reading a shared Dropbox file require you to log in to Office 365?? And then there’s what’s actually shown on the address bar:
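They have a security certificate on the site – which is pretty impressive – but a certificate only means the connection to that site is encrypted, not that the site is who it claims to be, and that’s clearly neither Dropbox nor Office 365, so shut it down, delete the message and walk away.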
Curious about the hosting company? Here’s the home page for smkn2ponorogo.sch.id:
Quite likely a completely legit site that hackers have snuck onto for this phishing attack.
One way or the other, continue to be skeptical and don’t click on Web site URLs in suspicious email messages, however dire they may make it sound. You’ll stay safer that way.
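The hover check described above can also be done in code. The following is an added example, not part of the original article: it pulls every link out of an HTML message body and reports the ones whose real hostname is not the expected domain or a subdomain of it. It goes slightly beyond the case in the article by also catching lookalike hostnames that merely contain the brand name; the sample message, its paths and the `.example` hosts are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption for this example: the brand the message claims to come from.
EXPECTED = ("dropbox.com",)

# Constructed sample body modelled on the email described above. The paths and
# the .example hosts are placeholders, not values from the real message.
SAMPLE_HTML = """
<a href="https://smkn2ponorogo.sch.id/placeholder">View shared document here</a>
<a href="https://www.dropbox.com/help">Help</a>
<a href="https://dropbox.com.files.example/login">Sign in</a>
<a href="https://dropbox.com@files.example/doc">Open</a>
"""

class LinkCollector(HTMLParser):
    """Collects (visible text, href) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def real_host(url):
    # hostname drops any "user@" prefix and the port, like the browser does.
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def suspicious_links(html, expected=EXPECTED):
    """Return (button text, real host) for links that leave the expected domains."""
    parser = LinkCollector()
    parser.feed(html)
    def ok(host):
        return any(host == d or host.endswith("." + d) for d in expected)
    return [(t, real_host(h)) for t, h in parser.links if not ok(real_host(h))]

if __name__ == "__main__":
    for text, host in suspicious_links(SAMPLE_HTML):
        print(f"{text!r} really goes to {host}")
```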