file.online / Knowledge Base / Trust

Security & Trust Guide: How to Avoid Phishing and Verify File Links

A practical, public guide to safe file sharing — created to protect our users from scams, fake websites, and malicious links.

1. Trust & Threat Model

In the context of secure file transfer, technical security (encryption) is only half of the equation. A robust Threat Model must account for the weakest link in any cryptographic system: human trust. While we secure the data channel with mathematics, attackers target the user's perception of reality through Social Engineering.

This guide defines the "Attack Surface" that exists outside of our servers—specifically, how adversaries attempt to bypass encryption by tricking users into voluntarily handing over credentials or downloading malicious payloads from fake sources.

Core Security Principle: "Zero Trust" for Links Encryption guarantees confidentiality, not authenticity. If you receive a link via email or chat, verify before you trust. The safest method is Out-of-Band Authentication: navigate manually to our website and enter the transfer code yourself.

The Adversary's Capabilities (What you must assume)

UI Cloning & Spoofing: Attackers can create pixel-perfect replicas of our website. Visual familiarity is not proof of legitimacy.
Domain Masquerading: Adversaries use "Typosquatting" (e.g., send-fiIe.online) to register domains that look identical to ours at a casual glance.
Psychological Manipulation: Attacks often rely on creating a false sense of urgency (e.g., "Urgent Invoice") to force users to bypass critical thinking.
The HTTPS Fallacy: A green lock icon means the connection is encrypted, not that the site is safe. Phishing sites also use HTTPS.

Understanding these capabilities is critical. The most common vehicle for delivering these deceptive attacks is a technique known as Phishing, which we will analyze in the next section.

2. What Is Phishing?

Phishing is a form of digital masquerade. Attackers do not "hack" your password; they trick you into giving it to them voluntarily. They achieve this by mimicking the design, language, and tone of services you trust (like file.online, Google, or your bank).

The goal is always the same: to short-circuit your critical thinking using urgency or curiosity.

The Anatomy of a Scam (Case Study)

Learning to spot a phishing attempt is like spotting a counterfeit banknote. Look at this example of a malicious email and notice the Red Flags:

            FROM: Support Team <security@update-file-service.com> (⚠️ Weird domain)

            SUBJECT: URGENT: Your file transfer expires in 10 minutes!

"Hello User,

Someone sent you a sensitive file. You must login immediately to verify your identity, otherwise your account will be locked."

(⚠️ High pressure button)

Red Flags Explained

Generic Greeting: "Hello User" instead of your name or a specific code. A real transfer usually has a specific context.
Manufactured Urgency: "Expires in 10 minutes", "Account locked". Attackers want you to panic so you don't check the URL.
The "Login" Trap: Legitimate file transfer services (like ours) rarely ask you to "log in" to receive a file. We use transfer codes.

Comparison: Safe vs. Unsafe

❌ The Danger Zone

"Click here to login with your email password to view the document."

Why it's bad: It asks for your credentials. Never give your email password to a third-party site.

✅ The Safe Way

"You have a file ready. Transfer ID: X8K-9P2. Go to send-file.online and enter this code."

Why it's safe: It gives you a passive code. You are in control of where you enter it.

The Critical Step Even if a message looks perfect and has no typos, you can still be tricked if you don't look at the address bar. The most sophisticated phishing attacks use perfect design hosted on a fake domain.

3. Verify the Website (The Address Bar Test)

Attackers can clone our design, steal our logo, and copy our text. There is only one thing they cannot fake: The Domain Name in your browser's address bar. This is the "source of truth." However, attackers use sophisticated optical illusions to trick your eye.

Mechanism 1: The "Subdomain" Trap

URLs are read hierarchically from right to left. Attackers often create long URLs where the real domain is hidden at the end, while the beginning looks familiar.

Example of a deceptive URL:
https://send-file.online.secure-login-update.com/login
            Analysis:

            1. secure-login-update.com ← REAL DOMAIN (The Attacker)

            2. send-file.online ← Just a subdomain (fake label)

            Rule: Always look at the last part before the first single slash (/).

Mechanism 2: Typosquatting & Homographs

Your brain often auto-corrects typos when reading quickly. Attackers register domains that look visually identical to the target but use different characters.

URL Type	Visual Appearance	The Trick
✅ Official	send-file.online	The legitimate domain.
❌ Fake	send-fiIe.online	Capital 'I' instead of 'l'.
❌ Fake	send-file-online.net	Hyphens instead of dots + wrong ending.
❌ Fake	sẹnd-file.online	Tiny dot under 'e' (IDN Homograph).

The "HTTPS" Myth (The Green Padlock)

Myth: "If I see the padlock icon or HTTPS, the site is safe."
Reality: HTTPS only means the connection is encrypted. It does not mean the site owner is honest.

Today, 90% of phishing sites use HTTPS. A secure connection to a fake bank is still a connection to a fake bank. Never trust a site solely because it has a padlock.

The Ultimate Defense: Manual Entry The only way to be 100% sure you are not on a spoofed site is to ignore the link entirely.

👉 Type send-file.online into your browser manually.
Then, use the "Pick Up" feature to enter your code. This bypasses all link-based attacks.

4. Understanding Links, IDs & Keys (The Anatomy of a URL)

To use our service safely, you must understand the difference between a Public ID and a Private Key. Often, these two distinct pieces of information are combined into a single "Magic Link" for convenience. However, from a security perspective, they are worlds apart.

Visual Breakdown of a Magic Link

Let's dissect a typical secure transfer link. It has two critical parts separated by a Hash Symbol (#).

            https://send-file.online/download.html?id=XH5-9K2-MPZ#key=SECRET-KEY-123
          
1. The Transfer ID (Public)
                Everything before the hash (#).
                
                This part is sent to our servers. It tells us which encrypted file you want to download. 
                Knowing the ID allows you to download the "blob" (the encrypted pile of data), but not to read it.
              
2. The Encryption Key (Private)
                Everything after the hash (#).
                
                By web standards, browsers NEVER send this part to the server. 
                It stays on your device. Your browser uses it to unlock the file locally after downloading it.

Why the "#" is a Security Wall

The hash symbol acts as a firewall between the internet and your computer.

What the Server sees: GET /download.html?id=XH5-9K2-MPZ
What the Server DOES NOT see: #key=SECRET-KEY-123

This mechanism (Client-Side Encryption) guarantees that we cannot read your files even if we wanted to, because the key never leaves your device via the network request.

The Risk of the "Full Link"

While the technology is secure, sharing the full link creates a Human Risk. If you send the full link (ID + Key) via an insecure channel (like unencrypted email or Facebook Messenger), anyone who intercepts that link has everything they need to open the file.

Pro Tip: Separation of Channels For maximum security, do not send the full link in one message.

1. Send the Link (ID) via Email.
2. Send the Key via a secure messenger (Signal/WhatsApp) or SMS.

This is called "Out-of-Band" authentication. An attacker would need to hack both your email and your phone to get the file.

5. Safe Manual Pickup (The "Air Gap" Method)

The most effective defense against phishing is not software, but a change in behavior. Security experts use a technique called an "Air Gap"—disconnecting the source of the message from the execution environment.

In simple terms: Never let the email "drive" your browser. Take control manually.

The Manual Protocol (Step-by-Step)

If you receive a file transfer notification, do not click "Download". Instead, follow this procedure:

Open a clean tab: Press CTRL+T (or CMD+T) to open a fresh browser tab.
Navigate manually: Type send-file.online yourself.
(Do not search for it on Google—adverts can mimic real sites. Type the address directly.)
Select "Pick Up": Go to the Pick Up tab/page on our site.
Input credentials: Enter the Transfer ID (and Key) from the message manually.

Advanced Skill: Extracting Data from Suspicious Links

What if the sender only gave you a clickable link like http://suspicious-shortener.com/xyz? You can still safely retrieve the file without exposing yourself to the phishing site.

The Strategy: You treat the link as text, not as a button.

The Suspicious Link you received:

            https://fake-update-service.net/login?redirect=X8K-9P2-MPZ#key=SECRET-123
          
              1. Copy ONLY the ID: X8K-9P2-MPZ
            
              2. Copy ONLY the Key: SECRET-123

By copying only the ID and entering it on our verified website:

If the ID is fake: Our server will simply say "File not found". You are safe.
If the ID is real (but the link was a wrapper): You successfully downloaded the file while bypassing the attacker's phishing page.

Why this works A phishing site relies on you landing on their server to steal your data or run scripts. By taking the ID and bringing it to our server manually, you bypass their trap entirely.

6. File Safety & Malware (The Encryption Blindspot)

There is a dangerous misconception that "encrypted" means "safe". It does not. Encryption protects privacy, not safety. In fact, because we (the server) cannot see inside your encrypted file, we cannot scan it for viruses. You are the last line of defense.

The "Double Extension" Trick

Attackers know that you won't click on virus.exe. So they use a feature of Windows (which hides file extensions by default) to trick you. They name a file Invoice.pdf.exe.

Visual Simulation: What you see vs. What it is

Windows Default View:

📄 Invoice_2026.pdf

(The ".exe" is hidden!)

The Real Filename:

                Invoice_2026.pdf.exe
              

(It is a program, not a PDF)

High-Risk File Types (The "Do Not Click" List)

If you receive one of these files unexpectedly, delete it immediately. These are executable programs or scripts, not documents.

.EXE / .COM
Windows Application
.SCR
Screensaver (Executable)
.VBS / .JS / .BAT
Script Files
.MSI
Installer Package

The "Enable Macros" Trap

Attackers often send legitimate Office files (Word, Excel) that are empty or blurry, with a message saying: "To view this content, click 'Enable Content' or 'Enable Editing'."

STOP. Clicking that button allows the document to run code on your computer. A real invoice or contract should rarely require Macros to be readable.

Reality Check Because our service offers Zero-Knowledge Encryption, we technically cannot scan your encrypted files for viruses. The file is just random noise to us.

Once you download and decrypt it, it is 100% your responsibility to scan it with an updated antivirus before opening.

7. Safe Sharing Checklist (Operational Protocols)

Security is a two-way street. Even the strongest encryption fails if the sender acts recklessly or the recipient is careless. Adopting a strict "Sharing Protocol" significantly reduces the attack surface for both parties.

Protocol A: The Sender's Responsibilities

As the person initiating the transfer, you control the initial security posture.

1. Contextual Pre-notification Never send a "naked link" (a message containing only a URL). This triggers spam filters and looks suspicious.
Correct: "Hi Alice, here is the Project_Alpha_Budget.pdf we discussed on the call."
2. Channel Isolation (Out-of-Band) If using Encrypted Mode, never send the Link and the Key in the same message. If an attacker compromises your email, they get both.
Correct: Email the Link. Send the Key via Signal, SMS, or Slack.
3. Principle of Least Privilege Do not paste sensitive file links into public group chats (Discord, WhatsApp Groups) where dozens of people can see them. Send them via Direct Message (DM) only to the specific recipient.
4. Key Hygiene Do not reuse the same encryption key for different files or different recipients. Treat keys like one-time passwords (OTP).

Protocol B: The Recipient's Verification

As the receiver, you are the gatekeeper. You decide what runs on your computer.

1. The "Expectation Check" Did you expect this file? If your CEO sends you a file at 3 AM via WhatsApp without context, do not open it. Call them first.
2. Domain Verification Before entering any code, look at the address bar. Does it say send-file.online? If it says send-files-secure.net, close it immediately.
3. The "Sandbox" Rule If possible, save the file to your "Downloads" folder and scan it with Windows Defender (Right click -> Scan) before double-clicking to open it.
4. Verify via Second Channel If the email looks weird, ping the sender on Slack/Teams: "Hey, did you just send me a file?" This 5-second check saves companies millions of dollars.

8. Our Defense Architecture (What We Do)

We do not rely on a single lock to protect the door. Instead, we employ a strategy known in cybersecurity as Defense in Depth—multiple overlapping layers of security designed to protect your data even if one layer is challenged.

Layer 1: Transport Security ( The "Armored Tunnel" )

Before your file even leaves your computer, we secure the road it travels on.

Forced HTTPS (TLS): We do not allow unencrypted connections. Any attempt to connect via HTTP is automatically upgraded to HTTPS.
Strong Ciphers: We use modern TLS configurations to prevent "Man-in-the-Middle" attacks, ensuring that no one (not your ISP, not a hacker on public Wi-Fi) can intercept your data in transit.

Layer 2: Zero-Knowledge Architecture ( The "Blind Vault" )

When you use our Encrypted Mode, we shift from being a "Storage Provider" to a "Blind Storage Provider".

What this means for you:
We store your encrypted blobs, but we never store the keys. If a government agency or a hacker raided our servers, they would find only meaningless digital noise. We cannot give up what we do not have.

Layer 3: Data Minimization ( The "Toxic Asset" Theory )

In the security world, data is a "toxic asset"—the more you hold, the higher the risk. Our best security feature is our Deletion Policy.

Automatic Expiration: Files are programmatically nuked from existence after their retention period (1-7 days).
Download Limits: Once a file hits its download cap (e.g., 1 download), it is deleted instantly. This prevents unauthorized resharing.
No User Profiles: We don't store your password because you don't have an account. There is no database of users to be leaked.

Layer 4: Active Abuse Prevention

We actively fight against the misuse of our platform to keep the neighborhood clean.

Rate Limiting
We block bots that try to upload or download files too fast.
Community Reporting
Our "Report Abuse" channel allows rapid takedowns of malicious content.

Radical Transparency We publish guides like this one because Security through Obscurity fails. We want you to understand exactly how our system works, what it protects, and where its limits are.

9. The Limits of Technology (Shared Responsibility)

Security is a partnership. In the cybersecurity industry, we call this the Shared Responsibility Model. We are responsible for securing the infrastructure and the data in transit. You are responsible for securing your device and your digital identity.

Even the most advanced military-grade encryption cannot protect you against the following threats, because they happen outside of our systems:

1. The "Endpoint Compromise" (Spyware/Keyloggers)

Encryption works by scrambling data before it leaves your browser. But what if your browser itself is watched?

The Threat: If your computer is infected with a Keylogger or Spyware, the attacker sees exactly what you type (including your passwords and encryption keys) before it gets encrypted.

Defense: Keep your Operating System updated and use a reputable Antivirus.

2. "Upstream" Account Hacking

If you send a secure file link via email, and your email account is hacked, the attacker has the link.

The Threat: We cannot protect a link once it leaves our platform. If an attacker has access to your Gmail, Slack, or Facebook, they can read your sent messages and click your links.

Defense: Use Two-Factor Authentication (2FA) on all your communication accounts.

3. The "Evil Maid" (Physical Access)

Encryption keys are temporarily stored in your browser's memory while you are on the page.

The Threat: If you walk away from your computer while unlocked, someone can simply copy the URL or download the open file.

Defense: Always lock your screen (Win+L or Cmd+Ctrl+Q) when leaving your desk.

4. Social Engineering (The Human Factor)

This is the hardest vulnerability to patch. Attackers hack people, not computers.

⚠ Urgency: "Pay this invoice in 1 hour or we sue you." (Panic makes you click blindly).
⚠ Authority: "I am the CEO, do this now." (Fear makes you obey).

The Bottom Line We build the vault, but you hold the key. If you give the key to a stranger (or let a virus steal it), the vault cannot protect you. Stay vigilant.

10. Reporting Abuse & Community Standards

While we cannot technically inspect the contents of encrypted files, we maintain a Zero Tolerance Policy for abuse. We are a neutral technology provider, but we are not a safe haven for malicious actors.

We rely on our community to help us maintain a clean environment. If you encounter content that violates our terms, we are ready to act immediately within our technical capabilities.

What to Report

Malware & Phishing: Any file used to distribute viruses or steal credentials.
Copyright Infringement (Piracy): We respect intellectual property rights. If you are a rights holder, provide the specific link (URL) and we will process the takedown under DMCA.
Illegal Content: Violence, exploitation, or criminal material.

Our "Good Faith" Commitment

We want to be clear about our limitations and our willingness to help:

We are not omnipotent, but we are responsive.

Because of encryption, we cannot proactively "scan" every file. However, once a specific link is reported to us, we have the power to permanently delete it and block the uploader's IP address. We act in good faith to remove harmful content as fast as possible.

How to Submit a Report

Please provide the Transfer ID or the full URL. Without the link, we cannot locate the specific file in our system.

Email: Use the contact address listed on our Contact Page.
Response Time: We aim to process valid abuse reports within 24 hours.

Law Enforcement In cases of severe criminal activity, we cooperate with law enforcement agencies to preserve and provide available metadata (IP logs, timestamps) to aid investigations.