Beware the Fake WeTransfer “Transfer Expired” Emails [Scam Exposed]

The WeTransfer Received Transfer Expired scam is one of the latest phishing campaigns targeting professionals, freelancers, and businesses that regularly exchange files online. The message looks nearly identical to a legitimate WeTransfer notification and claims that a file you were expecting has “expired” but can still be recovered. This creates a sense of urgency that pushes victims to click.

What happens next is far more dangerous than losing a file. Attackers use these fake recovery pages to steal email logins, business credentials, and in some cases deploy malware. If you’ve received one of these messages, you’re not alone. This guide breaks down exactly what this scam is, how it works, and what to do if you interacted with it.

Scam Overview

The WeTransfer Received Transfer Expired scam is a phishing operation designed to mimic WeTransfer’s email style and branding. The scam’s purpose is to steal login credentials by tricking users into thinking they are restoring an expired file transfer. Because WeTransfer is widely used in creative industries, marketing agencies, corporate environments, and personal file sharing, this scam can spread quickly and cause significant harm.

What the Fake Email Looks Like

The phishing message typically includes:

• A subject line such as “The transfer you received expired, but you can still recover it!”
• The WeTransfer logo at the top
• A short paragraph claiming that the transfer has expired
• A button labeled “Recover Your Transfer Now”
• A generic greeting such as “Dear user” or a blurred-out name
• A threatening line such as “Recover it now or it will be permanently deleted”

Everything is crafted to look extremely similar to WeTransfer’s normal style. Attackers use identical colors, spacing, and even copy WeTransfer’s wording. Most victims never notice that something is wrong until after they click.

Why This Scam Is Effective

The attackers rely on psychology:

• Urgency: Users think they only have a limited amount of time.
• Expectation: Many people are regularly waiting for files.
• Familiar branding: The email copy looks professional.
• Curiosity: Even if you were not expecting a file, you may wonder who tried to send you something.

Scam emails that imitate well-known services (Dropbox, Google Drive, Microsoft OneDrive, DocuSign) have a high success rate. Adding the “expired file” angle increases the chance that victims will click without thinking.

What Happens When You Click

The button in the email does not lead to WeTransfer. Instead, it leads to:

1. A forged WeTransfer login page hosted on a random domain.
2. A compromised website that attackers are using as a redirect.
3. A page that loads malware automatically.

Once credentials are entered, the victim is quietly redirected to a harmless WeTransfer page or to an error message. This makes it appear as though nothing suspicious happened. Meanwhile, the attackers now have the victim’s login information.

What Attackers Do With the Stolen Credentials

Cybercriminals may:

• Access your email inbox
• Steal sensitive attachments
• Forward phishing emails to your contacts
• Log into cloud storage accounts
• Reset passwords for banking or financial services
• Commit identity theft
• Sell the credentials on dark web markets

Because the scam often targets corporate accounts, attackers can sometimes access internal systems, shared drives, or HR documents. That makes this phishing campaign particularly harmful for businesses.

Additional Red Flags in These Messages

Although the scam looks convincing, there are clues:

• The sender email is never a genuine @wetransfer.com address
• The greeting is generic or uses your email address instead of your name
• The email includes unusual spacing or odd punctuation
• The button URL does not belong to WeTransfer
• The message claims you can “recover” an expired file (WeTransfer does not offer this feature)

WeTransfer does not provide recovery options for expired transfers. Once a file expires, the sender must re-upload and resend it. Any message that claims otherwise is automatically fraudulent.

How the Scam Works

Understanding the full sequence helps you recognize similar scams and prevent future attacks. This section goes through the entire operation from start to finish.

Step 1: Attackers Send a Fake Expired Transfer Notification

The attack begins with a phishing email sent to thousands of recipients. The scammer:

• Spoofs the display name to look like WeTransfer
• Injects WeTransfer’s logo and formatting
• Uses text that resembles real email notifications

Because WeTransfer is a common service, most recipients will assume the message is legitimate.

Step 2: The Recipient Sees a High-Urgency Message

The scam email emphasizes urgency. Phrases like:

• “Recover it now before it is permanently deleted”
• “You are running out of time”
• “Immediate action required”

Victims believe they will lose important files unless they click quickly.

Step 3: The Victim Clicks “Recover Your Transfer Now”

Users click the button expecting to restore a file. The URL they are taken to is usually:

• A hacked WordPress site
• A newly registered domain
• A domain with random characters
• A site hosted on shared hosting providers

It is rarely an official WeTransfer domain.

Step 4: The Fake WeTransfer Login Page Loads

The victim sees a login page that looks identical to the real one. The scammers:

• Copy WeTransfer’s design
• Steal the exact fonts and spacing
• Use the same blue color scheme
• Add a fake login box that sends data to the attacker’s server

Some pages even include fake cookie banners or privacy notices.

Step 5: Victims Enter Their Email Address and Password

Once the victim submits credentials, the attackers immediately receive them. Many victims assume everything is normal because the fake site then does one of the following:

• Redirects to the real WeTransfer homepage
• Shows a simple “Transfer cannot be recovered” message
• Shows a loading spinner
• Produces a fake generic error

This is done deliberately. It prevents suspicion and keeps the victim from realizing their data was stolen.

Step 6: Attackers Access the Victim’s Email Account

With the login credentials:

• They enter the victim’s inbox
• They search for financial documents, invoices, and personal information
• They forward more phishing messages to the victim’s contacts
• They set up email forwarding rules to hide their activity

Forwarding rules are used to capture future password reset messages.

Step 7: Attackers Pivot to Other Accounts

Once scammers gain access to your email, they can attempt:

• Cloud storage login
• Social network access
• Banking account password resets
• Business system access
• PayPal or payment platform resets
• E-commerce account takeovers

This is why email account security is critical. A compromised email often leads to multiple compromised accounts.

Step 8: Stolen Credentials Are Sold or Used in Cybercrime

The stolen login information may be:

• Sold on forums on the dark web
• Used to commit identity theft
• Used for BEC (Business Email Compromise) attacks
• Used to steal money from victims
• Added to massive credential-stuffing databases

Some attackers immediately lock victims out by changing passwords. Others stay hidden and monitor the inbox silently.

Step 9: Victims Usually Realize Too Late

By the time most victims notice something is wrong, attackers already:

• Downloaded private files
• Sent phishing emails to coworkers
• Changed forwarding rules
• Logged in from foreign IP addresses
• Exported stored passwords (if the victim uses browser-based saving)

This is why understanding this scam and knowing the warning signs is essential.

What to Do If You Have Fallen Victim to This Scam

If you clicked the link, entered your credentials, or interacted with the scam, take action immediately. The faster you respond, the more damage you can prevent.

1. Change Your Email Password Immediately

Log into your email account from a clean device and change your password to a strong, unique one. Avoid reusing passwords across accounts.

2. Enable Two-Factor Authentication (2FA)

Turn on 2FA using an authenticator app, not SMS if possible. This helps prevent attackers from logging in even if they have your password.

3. Check for Unauthorized Logins

Review your login history or security dashboard. Look for:

• Logins from unknown devices
• Unusual IP addresses
• Foreign locations

If you see anything suspicious, log those sessions out immediately.

4. Remove Malicious Forwarding Rules

Scammers often create forwarding rules such as:

• Forward all emails to a hidden external address
• Forward emails containing “password” or “reset”
• Auto-delete certain messages

Remove these rules from:

• Gmail Settings > Filters and Blocked Addresses
• Outlook Settings > Mail > Rules
• Yahoo Settings > Filters

5. Check for Password Resets Across All Accounts

If scammers had access to your inbox, they may have triggered resets. Check accounts such as:

• PayPal
• Amazon
• Apple ID
• Google Drive
• Dropbox
• Banking apps
• Social networks
• Business platforms

Change passwords wherever necessary.

6. Warn Your Contacts

If attackers accessed your email, they may send messages pretending to be you. Notify:

• Coworkers
• Clients
• Friends
• Family

Tell them to ignore suspicious messages.

7. Run a Full Antivirus Scan

Use a trustworthy security application to scan for:

• Malware
• Spyware
• Keyloggers
• Browser hijackers

This is important if you clicked suspicious links.

8. Check Your Sent Folder

Look for messages you did not send. Attackers often forward phishing to your contacts to continue the cycle.

9. Contact Your IT or Security Team (If Applicable)

If your email is part of a company domain, you must inform your IT department. They will:

• Reset system-wide access
• Check audit logs
• Prevent further compromise

10. Report the Scam

Report the phishing email to:

• WeTransfer (support@wetransfer.com)
• Your email provider
• Your organization’s security team
• Anti-phishing reporting services

This helps prevent additional victims.

Is Your Device Infected? Scan for Malware

If your computer or phone is slow, showing unwanted pop-ups, or acting strangely, malware could be the cause. Running a scan with Malwarebytes Anti-Malware Free is one of the most reliable ways to detect and remove harmful software. The free version can identify and clean common infections such as adware, browser hijackers, trojans, and other unwanted programs.

Malwarebytes works on Windows, Mac, and Android devices. Choose your operating system below and follow the steps to scan your device and remove any malware that might be slowing it down.

After cleaning your device, it’s important to protect it from future infections and annoying pop-ups. We recommend installing an ad blocker such as AdGuard. AdGuard blocks malicious ads, prevents phishing attempts, and stops dangerous redirects, helping you stay safe while browsing online.

The Bottom Line

The WeTransfer Received Transfer Expired scam is a sophisticated phishing operation that uses urgency, brand impersonation, and psychological manipulation to trick victims into entering their email credentials. Once attackers gain access, they can steal sensitive files, compromise additional accounts, and spread the scam further.

Although the email looks convincing, the promise of “recovering” an expired transfer is fake. WeTransfer does not allow expired files to be restored. This alone is a major red flag.

If you interacted with one of these messages, take action immediately. Change your passwords, enable two-factor authentication, remove malicious forwarding rules, check for unauthorized logins, and notify your contacts. The sooner you respond, the better your chances of preventing further damage.

FAQ

What is the WeTransfer Received Transfer Expired scam?

This scam is a phishing campaign designed to imitate a legitimate WeTransfer email. Victims receive a message claiming that a file transfer has expired but can still be recovered. The email contains a fake “Recover Your Transfer” button that redirects users to a fraudulent login page. Once victims enter their credentials, attackers gain access to their email accounts and potentially other linked services.

How can I tell if a WeTransfer email is fake?

Fake WeTransfer emails often contain small but important red flags. These include incorrect sender addresses, unusual domains in the link, generic greetings such as “Dear user,” poor grammar, suspicious urgency, or claims that expired files can be recovered. WeTransfer does not allow expired transfers to be restored. If an email suggests otherwise, it is fraudulent.

What happens if I click the “Recover Your Transfer Now” button?

Clicking the button usually leads to a phishing page disguised as a WeTransfer login portal. While the page looks identical to the real one, it sends your login credentials directly to the attackers. After entering your details, you might be redirected to a real WeTransfer page or shown an error message to avoid suspicion, but the damage is already done.

What do scammers do with stolen credentials?

Once scammers obtain your email and password, they may access your inbox, steal sensitive files, reset passwords for connected accounts, use your identity to scam others, or sell your credentials on dark web forums. Some attackers set up email forwarding rules to intercept communication without being detected.

Is it possible to recover an expired WeTransfer file?

No. WeTransfer does not offer any method to restore expired files. The sender must upload the files again and resend the transfer. Any email claiming that expired files can be recovered is automatically suspicious and fraudulent.

Does the scam only target WeTransfer users?

No. The scam targets anyone who uses email. Even if you do not use WeTransfer, the attackers rely on curiosity or confusion to encourage you to click. Many people receive shared files regularly, so the message can appear relevant even if you were not expecting anything.

How dangerous is this scam for businesses?

This scam can be particularly harmful to businesses because email accounts often serve as gateways to internal systems, shared drives, cloud storage, and communication tools. If an employee’s email is compromised, attackers may launch Business Email Compromise (BEC) attacks, send fraudulent invoices, impersonate staff, or steal confidential documents.

What should I do immediately after realizing I was scammed?

You should change your email password right away, enable two-factor authentication, review your account’s recent login activity, remove suspicious forwarding rules, and check for unauthorized access to other connected accounts. Running a security scan and notifying your contacts or IT team is also recommended.

How can I prevent falling victim to similar phishing emails?

Always verify the sender’s email address, inspect links by hovering over them, avoid clicking buttons in unexpected messages, and enable multi-factor authentication on all your accounts. Most importantly, remember that expired WeTransfer files cannot be recovered. When in doubt, log directly into the service instead of using email links.