Shared File Scam

File sharing phishing emails are very common. This scam utilizes services such as Google Drive or Microsoft OneDrive to share a file with you. This file will have an important-sounding name, often involving payroll or employee benefits. The scammer will also use an account with an email address that sounds as if it might belong to the university's payroll team, HR department, and other administrative offices. The goal is to get you to click the link and open the file, then complete the tasks within. Read on to learn what these phishing emails look like, what is contained within the shared file, and how to avoid falling prey to one of these attacks!

(Click to enlarge)
File Sharing Poster

 

The Structure of the Email

File sharing emails can be especially tricky to recognize because they are often sent by a legitimate email address. When a file is shared through email using a Google or Microsoft service, the sender's email address is a generic no-reply address, not the email address associated with the account sharing the file.

Sometimes, the sender may be a compromised account. In this case, the message will come from a trusted account and will be difficult to recognize as a phish. However, there are a few things you can look for. Was the file shared at an unusual time? Were you expecting a file from this individual? Does it relate to your work in any way? If anything about the file seems suspicious, it may be malicious.

The email should contain the name of the file that has been shared with you. What does the title say? If it claims to be full of payroll or benefits information, were you expecting such a message? Were you contacted by the relevant department or organization before receiving this email?

Another important red flag in these phish is the account sending the file. Although the account may have the name of your supervisor or a trusted department, be sure to check the account's email address before clicking the link. Sometimes, the sender may be a compromised account. In this case, the message will come from a trusted @kent.edu account and will be difficult to recognize as a phish. However, there are a few things you can look for. Was the file shared at an unusual time? Were you expecting a file from this individual? Does it relate to your work in any way? If anything about the file seems suspicious, it may be malicious.

If you have any doubts about the email's authenticity, we are here to help! Forward the message to phish@kent.edu. We will respond with an analysis of the email and our recommended next steps for you to take.

 

What's Inside the File?

Image of a fish inside a stack of papers.

This scam is a bit more complex than most. The link to the file shared with you by the scammer may not be malicious, though you still should never risk clicking on a dangerous link. If the link is safe, it will lead to a Google Doc or Microsoft Word document with a message for you. This message may ask for your credentials, personal information, or banking information, and will contain another link or a QR code. This link contains the true danger.

The malicious link in the form (or QR code) will take you to a webpage set up by the scammer. This site may download malware onto your device as soon as you click its link. The site may also display a form or a fraudulent login screen that requests your information or credentials. Once this information is entered and submitted, it is sent directly to the scammer.

 

What if it's from DocuSign?

A variant of this scam features an email that appears to come from DocuSign, sent on behalf of a university office. These emails often contain malicious links or QR codes that lead directly to the malicious site.

These emails are easier to recognize as scams for one reason: Kent State no longer uses DocuSign for electronic signatures. If you receive an email from an individual claiming to represent a university office or department that asks you to use DocuSign, report the email to phish@kent.edu right away.

 

What Should I Do?

If you suspect your device has become infected with malware, disconnect it from the university's network and take it to the Tri-Towers Help Desk for inspection. Students and faculty should also reach out to the local support for their department.

If you fell victim to this scam, you will need to change your password immediately by logging into FlashLine, clicking “Settings,” clicking “Update Password,” and entering your current and new passwords when prompted.

If you provided your banking information to the scammer, you will need to contact your bank immediately and tell them all the information that the scammer now has access to.

The email itself can be reported to phish@kent.edu. You can find more information on how to report phishing emails here!

 

Phishing and Scams

Reporting Phish

Protect Yourself

School of Phish

© 2025 Kent State University All rights reserved.