Earlier this year we warned of fake Dropbox emails that urge users to click on what are labeled as “urgent and highly confidential” documents. Those who followed these instructions were quickly added to the list of victims of a highly effective phishing scheme, as the redirect led to a false log-in page designed to capture user credentials. As our own Alessandro Pooro said at the time, “Dropbox is vulnerable to these common attacks as it was not originally designed with enterprise security in mind.”
It’s no secret that phishing campaigns against Dropbox users have spiked recently as cyber-criminals have identified this as a weak link in the security chain. Sensitive corporate and personal data is often stored in these accounts but is not subject to the same protections and level of vigilance as data on the corporate network.
In an effort to combat this, Dropbox has announced that it is turning to USB-based security keys to improve log-in security and better protect users from phishing attempts. Physical security keys are viewed as stronger than smartphone-based two-factor authentication solutions, as the latter still expose the user to the risk of being directed toward a fake Dropbox site designed to phish their password and verification code. However, using this type of file sharing service to share sensitive information is still fraught with risk and uncertainty.
Because information on Dropbox is stored rather than moved, it represents a “soft” target for hackers long after the information has been shared and forgotten about. Instead, users should consider a managed file transfer (MFT) solution that protects sensitive files before, during, and after transfer with guaranteed delivery. With the highest levels of encryption and a range of customization options, MFT is the safest and easiest way to exchange sensitive information.