Dropbox scam and phishing protection

Malicious attackers and scammers often look for ways to steal email addresses, passwords, credit card details, and other sensitive information. The methods they use can be simple or sophisticated, which means you need to be careful about what you click or where you enter your email and passwords. Two of the most common methods to watch out for are phishing and malware.

What phishing looks like

Phishing is an attempt to trick you into providing sensitive information by pretending to be a person or service you trust (such as Dropbox or your bank). Examples of phishing attacks include:

  • Emails that ask you to reply with your username/email and password
  • Emails with links to fake login or password reset pages
  • Emails with links to view or download a file from someone you don’t know
  • Emails that mention a current event, entice you with a prize or deal, or pretend that there’s an urgent reason for you to respond or click on a link
  • Links on social network posts or comments that lead to fake login or password reset pages
  • Targeted attacks that appear like they’re from someone you know or include personal information to get you to respond or click a link

What malware looks like

Malware is any malicious software that attackers try to get you to install so that they can steal your information or do harm to your files and computer.

There are many types of malware, including keystroke loggers, spyware, ransomware, scareware, adware, trojan horses, and worms. Some sneaky malware can be installed just by visiting a website, viewing an email message, or clicking a pop-up window.

Unfortunately, because Dropbox is a trusted service, attackers will try to impersonate Dropbox with fake emails and websites. They may even try to use Dropbox itself to host a fake Dropbox site. Likewise, some attackers try to use Dropbox to host malware and send out shared links to it. See below for tips on how to stay safe.

Tips to stay protected from phishing and malware

  • Be careful about what you click, download, or install. Take a moment to check for warning signs and assess the risks before downloading a file or clicking a link.
  • If you don’t trust a link in an email, go directly to the normal login or home page for a service (for example, typing www.dropbox.com in the URL bar yourself). Contact the service or person you trust directly to verify that the message or link really came from them.
  • Use strong passwords and choose a different password for each service that you use.
  • Use two-step verification for Dropbox and other services that support it. Two-step verification protects your account even if your password falls into the wrong hands.
  • Enable browser security and privacy settings to block phishing, malware, and other malicious sites in Chrome, Internet Explorer, Safari, Firefox or your favorite browser.
  • Install the latest updates for operating systems, browsers, software, and applications as soon as they become available, as they may have important security updates.
  • Use anti-virus or other security tools to protect your devices.
  • If you use the Dropbox mobile app on your smartphone or tablet, set a passcode that will be required every time the app is launched.
  • Follow good security practices to protect your entire computer. It's a good idea to require a password to log in to your account and to resume from sleep, screensavers, and lock screens.
  • Report any suspicious items that appear to be from Dropbox or hosted on Dropbox by contacting us (see below for instructions). If you come across a phishing attempt that impersonates other services, contact the service or use the reporting feature in the app or website. You can also report malicious links to Safebrowsing or Internet Explorer for browser blocking. When you report something suspicious you’ll be protecting yourself and others.

How to tell if an email is from Dropbox

Be careful if you receive an email that claims to be from Dropbox but does not come from an official Dropbox domain (such as dropbox.com or dropboxmail.com). Email from a domain that's not on the official list may contain malware or be a phishing attempt.

To find out the domain an email came from, display the full headers of the message and look at the email address in the From field. Here are instructions for displaying the full headers in three of the most common email apps:


Gmail

While viewing the message, click the down arrow next to the Reply button and select Show Original from the menu.

Yahoo Mail

While viewing the message, click the Full headers link in the lower-right corner of the message.

Microsoft Outlook

  • On Windows: Double-click the message to open it in a new window. Select the File tab and click Properties.
  • On Mac: Right-click (or Ctrl-click) the message and select View Source from the pop-up menu.
  • On the web: Double-click the message to open it in a new window. Click the Message Details icon (an envelope with a small document over it).

If you're using a different email app or the instructions above don't match what you see, check the app's help pages.
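
The From-domain check described above can be scripted once you have the full headers. The following is an added example, not Dropbox code: the allowlist holds only the two domains this article names, the sample messages are constructed, and the DMARC step assumes your own mail server records its result in an Authentication-Results header.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Only the two domains the article names; the official list is longer.
OFFICIAL_DOMAINS = {"dropbox.com", "dropboxmail.com"}

def is_official_domain(domain):
    """True for an official domain or a subdomain of one (dot-boundary match)."""
    domain = domain.lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in OFFICIAL_DOMAINS)

def check_sender(raw_message):
    """Return (verdict, from_domain) for a raw message with full headers."""
    msg = message_from_string(raw_message)
    from_headers = msg.get_all("From", [])
    if len(from_headers) != 1:
        return "suspicious: missing or repeated From header", None
    _, address = parseaddr(from_headers[0])
    if "@" not in address:
        return "suspicious: unparseable From address", None
    domain = address.rsplit("@", 1)[1].lower()
    if not is_official_domain(domain):
        return "suspicious: From domain is not on the official list", domain
    # The From header is chosen by the sender, so an official-looking domain
    # alone proves nothing. Assumption: the receiving server records its DMARC
    # result here; only trust the header your own mail server added.
    auth = " ".join(msg.get_all("Authentication-Results", []))
    if not re.search(r"\bdmarc=pass\b", auth, re.I):
        return "unverified: official From domain but no DMARC pass recorded", domain
    return "ok", domain

# Constructed sample messages (headers only), not real mail.
LEGIT = (
    "From: Dropbox <no-reply@dropboxmail.com>\n"
    "Authentication-Results: mx.example.net; dmarc=pass header.from=dropboxmail.com\n"
    "Subject: Shared folder invitation\n\n"
)
LOOKALIKE = (
    "From: Dropbox Support <alerts@dropbox.com.login-check.example>\n"
    "Subject: Verify your account\n\n"
)
SPOOFED = "From: no-reply@dropbox.com\nSubject: Password reset\n\n"

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("lookalike", LOOKALIKE), ("spoofed", SPOOFED)):
        print(name, check_sender(raw))
```

The lookalike sample shows why the match must stop at a dot boundary: its address contains "dropbox.com" but the domain actually ends in a different name.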

How to tell you're on an official, trusted Dropbox web page

Official Dropbox content will appear on any of our verified Dropbox domains.

How to stay safe with user-hosted content on Dropbox

Dropbox has a list of paths that are used to host content for users when they create links to their files and folders. Dropbox does not use these paths to ask you for private or personal information.

If you're not sure whether the link is from a person you trust, or if you're not sure whether the link goes to a regular, non-malicious file or folder, don't click on the link or download the file. Instead, contact the trusted person and ask if they sent you something. Or contact us (see below for instructions) and we'll investigate the link for you.

How to report something suspicious

Contact us at abuse@dropbox.com. We'll analyze what you've provided and take immediate action if we find a violation of the Dropbox Acceptable Use Policy, such as phishing, malware, or spam.

If you received an email

Forward the complete email to abuse@dropbox.com. Sending a screenshot or copying and pasting the message from the email won't provide as much information as the email itself. Please just forward the entire thing to us.

If you received or came across a shared link

Send an email to abuse@dropbox.com and include the following:

  • A description of how you received or found the link
  • The full URL of the link. It will look something like these examples:
    • https://dl.dropboxusercontent.com/s/aae4bc8tiqfajiv/Documents.zip?dl=1&token_hash=AAEypH2T8PyYqgLbfYkQYCh84_yqgMFTQWgXYgsT8eWsxA&expiry=140078586
    • https://dl.dropbox.com/u/89498758/FriendlyClient/Shop/setup.exe
    • https://dl-web.dropbox.com/s/n4rhqk0s87urp17/Report.zip?dl=1&token_hash=AAGjTBQh7cxJrJ2-Yud9Jy-ToE3YzAk63D1vTevtPVEkXg&expiry=1400822689

What to do if you've been tricked

If you've clicked a suspicious link or entered information in a suspicious place, take steps to make your Dropbox account as secure as possible:

  • Change your Dropbox account password, which you can do by going to the security page for your account (www.dropbox.com/account/security). Dropbox recommends strong passwords that are not used for any other website or service.
  • Change the password to the email address you use for your Dropbox account. Again, choose a strong password that you don't use for any other service (including Dropbox).
  • Enable two-step verification, which protects your account even if your password is compromised. Once enabled, Dropbox will require a six-digit code in addition to your password when signing in to the Dropbox website or linking a new device.
  • Review the latest apps and devices linked to your account (www.dropbox.com/account/security) and unlink anything that looks unfamiliar to you by clicking the "X" beside it.
  • Review your list of shared folders (www.dropbox.com/share) to make sure that the right folders are being shared and with the right people. Unshare any folders that you own but don't want shared.
  • Review any links to files in your account (www.dropbox.com/links). Disable any links you don't want to be active anymore.

If you're still worried about your Dropbox account, contact us and we'll do whatever we can to help.
