Q. Our firm uses ShareFile to send completed PDF-based tax returns to clients, and as a security measure, we set the ShareFile transfer to require clients to enter their name, company name, and email address to complete the tax return download. Our managing partner is not convinced this is secure enough. Can you help me convince her it is?
A. Your current approach for sending/receiving ShareFile documents does provide some level of security; however, your managing partner is correct—the method you describe does not provide the best possible ShareFile security. Here's why. Consider that all email messages (including the ones you send to your clients with links to ShareFile-encrypted tax returns) can be intercepted by bad actors, who then can simply click the ShareFile link to the encrypted files just as easily as the intended recipients—all the hacker needs is the recipient's email address, which is included in the email. (Note that even though ShareFile asks the recipient to enter his or her email address, name, and company to complete the download process, it turns out that only the email address is validated; the recipient's name and company name are not validated, and the hacker can simply enter any names he or she wishes.)
To use ShareFile in its most secure manner, you should check the box labeled "Require recipients to log in" for each ShareFile message you send.
Thereafter, recipients must be registered as users on your company's ShareFile account, and they must also log in to complete the download. This process is safer from potential hackers who may intercept email messages containing the ShareFile download links, because there is no way for those hackers to know the recipient's ShareFile login password. You can register your clients as users on your ShareFile account in two ways, as follows.
- Proactively register all clients. If you provide ShareFile with the first name, last name, and email address for all of your clients, then, for free, ShareFile representatives will send electronic invitations for them to register as users of your ShareFile account. Once they accept the invitation, clients will receive a subsequent email that enables them to complete the registration process and set up their unique ShareFile password (linked to your account and their email address) for communicating with you using the firm's ShareFile account.
- Register your clients as needed. As an alternative, you could simply check the box labeled "Require recipients to log in" as you send your clients their tax files, in which case the recipients will be prompted to complete the registration process before proceeding to download their tax returns. When this method is used, as each client starts the registration process, you will receive a ping email notifying you of the client's intent to register as a user of the ShareFile account. As you receive these ping emails, you will need to click the approval button for each one before the client can complete the registration process and the tax return download.
With either option, your clients will thereafter be able to download future ShareFile documents simply by entering their ShareFile password when prompted. I applaud your managing partner; she is cautious and wise.
About the author
J. Carlton Collins (email@example.com) is a technology consultant, a CPE instructor, and a JofA contributing editor.
Note: Instructions for Microsoft Office in “Technology Q&A” refer to the 2007 through 2016 versions, unless otherwise specified.