Phishing
Phishing is one of the most common and effective tactics used by attackers to gain access to your accounts.
A phishing message may look legitimate, appear to come from someone you know, and create a sense of urgency to get you to act quickly.
With advances in artificial intelligence, these attacks continue to evolve and become more sophisticated, making them harder to identify.
Social engineering attacks
Phishing is part of a broader category of social engineering attacks. In social engineering attacks, criminals use deception to trick people into sharing information, clicking links, or downloading malicious content.
- Phishing: Fraudulent emails that try to steal your information or credentials.
- Smishing: Text messages designed to look like legitimate requests.
- Vishing: Phone calls or voicemail scams impersonating trusted organizations.
- Executive impersonation: Messages pretending to be from company leaders, often requesting urgent payments or confidential data.
These tactics often overlap. For example, a phishing email might direct you to call a number, combining phishing and vishing. Each of these can lead to account takeover (ATO), in which attackers use stolen credentials to impersonate you, access your data, or move deeper into systems.
Spotting a phish
Keep these warning signs in mind before responding to emails or clicking on links or attachments:
- Unknown sender: Be cautious of emails from people or domains you don’t recognize.
- Mismatched addresses: Check both the “From” and “Reply-To” fields for inconsistencies.
- External email warnings: Many organizations flag messages that come from outside their network. These messages are more likely to come from untrusted or unknown sources, so take a moment to verify the sender before engaging.
- Urgent or unusual requests: Messages that pressure you to act quickly or bypass normal procedures.
- Suspicious links or attachments: Hover over links before clicking to confirm they lead to legitimate websites. Avoid downloading unexpected attachments.
- Generic greetings or poor grammar: Unusual tone, spelling errors, or missing personalization can indicate a scam.
If something doesn’t look right, trust your instincts. Whenever possible, navigate to trusted websites directly by typing the known address into your browser, using a saved bookmark, or opening the official app.
If you receive a call claiming to be from an organization, but the call seems suspicious, hang up and call back using a verified number from the organization's official website.
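Two of the warning signs above, a Reply-To domain that differs from the From domain and link text that shows one domain while the href points at another, can be checked mechanically. The following is an added example, not code from the Box page; the sample message it inspects is constructed for illustration.

```python
# Added example (not part of the Box page): flag two of the warning signs
# listed above in a raw email message. The sample message is constructed.
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: From and Reply-To disagree, and the visible link text
# names a different domain than the actual href.
SAMPLE_EMAIL = """\
From: IT Support <support@example.com>
Reply-To: helpdesk@example-login.net
Subject: Action required: verify your account today
Content-Type: text/html

<p>Your account will be locked in 24 hours.</p>
<p><a href="http://example-login.net/verify">https://example.com/account</a></p>
"""

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_IN_TEXT_RE = re.compile(r'https?://[^\s<"]+', re.I)


def header_domain(msg, header):
    """Return the lowercase domain of an address header, or None if absent."""
    _, addr = parseaddr(msg.get(header, ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def find_warning_signs(raw):
    """Return a list of findings: Reply-To mismatch and link text/href mismatch."""
    msg = message_from_string(raw)
    findings = []
    from_dom = header_domain(msg, "From")
    reply_dom = header_domain(msg, "Reply-To")
    if from_dom and reply_dom and from_dom != reply_dom:
        findings.append(f"reply-to mismatch: {from_dom} vs {reply_dom}")
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    for href, text in ANCHOR_RE.findall(body):
        shown = URL_IN_TEXT_RE.search(text)
        if shown:
            shown_host = urlparse(shown.group()).hostname
            real_host = urlparse(href).hostname
            if shown_host != real_host:
                findings.append(f"link text shows {shown_host}, href goes to {real_host}")
    return findings


if __name__ == "__main__":
    for finding in find_warning_signs(SAMPLE_EMAIL):
        print("WARNING:", finding)
```

A clean message, where both headers share a domain and every link's visible text matches its href, produces an empty list.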
Protecting your accounts
You can take immediate practical steps to help protect your accounts from phishing attacks.
- Use authenticator apps or security keys instead of SMS-based MFA.
- Never share credentials or sensitive data through email, text, or phone. Legitimate organizations never ask you to do so.
- Create strong, unique passwords and store them securely in a password manager.
- Keep your devices and apps updated to protect against known vulnerabilities.
If you suspect a phish
Report suspected phishes right away. Whether at work or in your personal life, alerting your security team or email provider helps prevent others from being targeted.
If you've already clicked a suspicious link or shared credentials, change your password immediately and contact your security team or Box Support.
Reporting suspicious files to Box
If a file appears to be a phishing attempt, you can report the file to the Box Security team for further review.
To report suspicious files to Box Security:
- Log in to your Box account.
- Preview the file.
- At the top of the Preview page, click the ellipsis (“…”).
- Select Report Abuse.
- Box displays a prompt where you can provide additional context.
A shared responsibility
Cyber threats evolve constantly, and vigilance remains the best defense. Taking a moment to verify before you click can prevent account compromise and protect sensitive information. By staying alert, you help keep yourself, your company and the wider Box community secure.