At some point, you’ve likely encountered a file that just wouldn’t open. Perhaps someone made it with an app you don’t have. Or maybe you found a video that QuickTime won’t play.
You might have also experienced situations where someone needs a file from you in a specific format; they don’t accept Microsoft Word docs or HEIC images, but only accept PDFs or JPEGs.
When faced with such situations, you might turn to Google (or your preferred search engine) for help. Chances are that you’ll get a long list of sites that claim to be able to convert your file for you—or that offer you an app that will supposedly convert it. But how do you know whether these sites are safe?
There are many potential security and privacy concerns surrounding file converter sites. Let’s explore several reasons why you should exercise caution—and why you may not even need to use such sites after all.
Last month, the FBI’s Denver Field Office issued a press release, warning “that agents are increasingly seeing a scam involving free online document converter tools.” In some cases, these sites offer Trojan horse downloads—malware, and even ransomware.
The FBI says that such sites may also “scrape the submitted files” to extract sensitive data; this may include social security numbers, dates of birth, telephone numbers, banking information, cryptocurrency seed phrases, e-mail addresses, and passwords.
If for some reason you’re skeptical of the FBI’s report, it has been corroborated by a noted threat intelligence researcher. In a thread on X, Will Thomas shared specific examples and screenshots of alleged file converter sites that had been used to distribute malware.
An FBI official told BleepingComputer that “paid results” appearing in search engines often lead to such scams. This comes as no surprise to our research team at Intego; we’ve been reporting for years that poisoned Google Ads, in particular, are a common source of malware.
But what if you think you’ve found a site that looks safe? Should you trust that site with your file?
Before uploading a file to any site, consider what data your file may contain. Are there any real people’s names or contact info? Are there any financial account details, or any other possibly sensitive or personally identifiable information within the file? If so, you probably shouldn’t send a copy of it to any unauthorized parties.
In some cases, you might not care whether others can view your file, for example if it’s a school assignment or a mundane report for work. However, it’s important to know that documents may also contain hidden metadata that you may want to keep private.
Microsoft Office documents contain hidden authorship metadata. Screenshot: Intego.
Consider, for example, that Microsoft Word, Excel, and PowerPoint documents typically contain the full, real name of the original author of a document, along with the name of their employer. That may not necessarily be information you want to share with an untrusted site—especially in combination with your work or home IP address, which is visible to every site you visit (unless you’re using a VPN; learn more about how VPNs can protect your privacy).
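To see what a Word, Excel or PowerPoint file would reveal before you upload it, the following added example (not code from the original article) reads the author, last-editor and company fields from the document's property parts and returns a copy with them blanked. The function names and the sample document are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces of the OOXML property parts. dcterms is registered as well so that
# xsi:type="dcterms:W3CDTF" attributes still resolve after re-serialising.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
FIELDS = {  # part inside the ZIP container -> {element: label reported}
    "docProps/core.xml": {"dc:creator": "author", "cp:lastModifiedBy": "last_editor"},
    "docProps/app.xml": {"ep:Company": "company"},
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

def report_and_scrub(data: bytes):
    """Return (identity fields found, copy of the document with them blanked)."""
    found, out = {}, io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            raw = src.read(name)
            if name in FIELDS:  # parse only the two small property parts
                root = ET.fromstring(raw)
                for path, label in FIELDS[name].items():
                    for node in root.findall(path, NS):
                        if (node.text or "").strip():
                            found[label] = node.text.strip()
                        node.text = None
                raw = ET.tostring(root, encoding="utf-8", xml_declaration=True)
            dst.writestr(name, raw)
    return found, out.getvalue()

def constructed_sample() -> bytes:
    """Constructed stand-in for a .docx: property parts only, made-up names."""
    core = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
            "<dc:creator>Jane Example</dc:creator><dc:title>Q3</dc:title></cp:coreProperties>")
    app = f'<Properties xmlns="{NS["ep"]}"><Company>Example Corp</Company></Properties>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
    return buf.getvalue()
```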
Also consider that photos taken on an iPhone or Android smartphone may contain hidden geolocation data—the GPS coordinates of where the picture was taken. This could inadvertently expose your home address to a file converter site.
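The same pre-upload check for a photo, as an added example that is not part of the original article: it walks a JPEG's Exif segment to the GPS directory and decodes the coordinates stored there. It assumes JPEG input (not HEIC); the function names and the sample bytes are constructed.

```python
import struct

def _ifd(tiff: bytes, off: int, e: str) -> dict:
    """Return {tag: raw 4-byte value-or-offset field} for the directory at off."""
    (count,) = struct.unpack_from(e + "H", tiff, off)
    starts = range(off + 2, off + 2 + 12 * count, 12)   # 12-byte entries
    return {struct.unpack_from(e + "H", tiff, s)[0]: tiff[s + 8:s + 12] for s in starts}

def _degrees(tiff: bytes, field: bytes, e: str) -> float:
    """Decode three RATIONALs (degrees, minutes, seconds) into decimal degrees."""
    (ptr,) = struct.unpack(e + "I", field)
    v = struct.unpack_from(e + "6I", tiff, ptr)
    d, m, s = (v[i] / v[i + 1] if v[i + 1] else 0.0 for i in (0, 2, 4))
    return d + m / 60 + s / 3600

def gps_position(jpeg: bytes):
    """Return (latitude, longitude) stored in a JPEG's Exif data, or None."""
    pos = 2                                   # skip the SOI marker (FF D8)
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        (size,) = struct.unpack_from(">H", jpeg, pos + 2)
        body = jpeg[pos + 4:pos + 2 + size]
        if jpeg[pos + 1] == 0xE1 and body[:6] == b"Exif\x00\x00":
            tiff = body[6:]
            e = "<" if tiff[:2] == b"II" else ">"
            ifd0 = _ifd(tiff, struct.unpack_from(e + "I", tiff, 4)[0], e)
            if 0x8825 not in ifd0:            # no GPS directory pointer
                return None
            gps = _ifd(tiff, struct.unpack(e + "I", ifd0[0x8825])[0], e)
            if not {1, 2, 3, 4} <= gps.keys():   # lat ref, lat, lon ref, lon
                return None
            lat = _degrees(tiff, gps[2], e) * (-1 if gps[1][:1] == b"S" else 1)
            lon = _degrees(tiff, gps[4], e) * (-1 if gps[3][:1] == b"W" else 1)
            return lat, lon
        pos += 2 + size
    return None

def constructed_jpeg() -> bytes:
    """Constructed sample: Exif segment only, tagged 40.5 N, 105.0 W."""
    tiff = b"II" + struct.pack("<HI", 42, 8)                    # TIFF header
    tiff += struct.pack("<HHHIII", 1, 0x8825, 4, 1, 26, 0)      # IFD0 -> GPS at 26
    tiff += struct.pack("<H", 4)                                # GPS IFD, 4 entries
    tiff += struct.pack("<HHI4s", 1, 2, 2, b"N") + struct.pack("<HHII", 2, 5, 3, 80)
    tiff += struct.pack("<HHI4s", 3, 2, 2, b"W") + struct.pack("<HHII", 4, 5, 3, 104)
    tiff += struct.pack("<I", 0)                                # no next IFD
    tiff += struct.pack("<6I", 40, 1, 30, 1, 0, 1) + struct.pack("<6I", 105, 1, 0, 1, 0, 1)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

A result of `None` means no complete GPS directory was found; a truncated or malformed Exif segment raises `struct.error` rather than returning a guess.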
Even if you’re pretty certain that there’s nothing sensitive in your file, there’s more to consider before uploading it to a file conversion service.
Some sites—especially shady ones—may not have a privacy policy. They may not even make any claims whatsoever about what they do with files submitted to their service. A privacy policy should answer questions such as the following.
Of course, even if a site does have a privacy policy, you should still exercise caution. Don’t assume that the site operator will actually comply with every claim in their privacy policy.
The geographical location of a server, or of the operator of a service, may also be worth considering. Some countries have laws or policies permitting the government to monitor all communications, or to compel a site owner to turn over all data that users submit to the site.
Perhaps—although it might seem conspiratorial—the site may even be operated by a foreign intelligence agency or someone acting on their behalf. What easier way is there to collect a broad swath of documents than to invite people to upload anything in exchange for some perceived benefit?
Alternatively, the site operator could be someone collecting data to sell on the black market. The location of the server and its operator are important here, too. Some countries turn a blind eye to cybercriminals who try to take advantage of foreigners. Even if you could prove that a site did something unethical with your data, that country’s law enforcement agencies may not be interested in punishing the site owner.
You can use a site like IPVoid’s Website Location Finder to help identify or confirm where a site’s server is hosted.
Macs actually come with several built-in ways to convert files from one format to another. Additionally, several popular third-party Mac apps can do still more conversions for free.
Apple’s iWork apps (Pages, Numbers, and Keynote) come free with Macs; you can re-download them from the App Store if you don’t have them in your Applications folder.
Since these apps are Apple’s equivalent to Microsoft Word, Excel, and PowerPoint, respectively, it’s no surprise that Apple lets you open and export to those formats. Each app also has its own unique export options:
Any Apple app that handles files will allow you to export to PDF. If you don’t see a menu option to Export as PDF, you can alternatively go to File > Print… and look for the “PDF” drop-down menu near the bottom-left corner of the print dialog.
Most common image file formats will open in Apple’s Preview app, which comes with every Mac. After opening a file, click on File > Export… and you’ll see a Format menu. From there, you can select HEIC, JPEG, JPEG-2000, OpenEXR, PDF, PNG, and TIFF.
If you find an image file that Preview won’t open, or if you need to export to another format besides those listed above, try GIMP instead. GIMP (short for GNU Image Manipulation Program) is a free, open-source app that’s similar to Adobe Photoshop. It offers a plethora of image import and export formats; it will most likely be able to handle any format you desire.
If you’re looking for a video file converter specifically because QuickTime Player won’t open a file, consider trying a different player app, like VLC, rather than a converter. VLC Media Player is a free, open-source multimedia player app that opens a wide variety of video and audio file formats. Via the File > Convert/Stream… menu option, it can even convert files into WEBM, TS, OGG, ASF, FLAC, and WAV (“CD”) formats.
But if you really need a video file format converter, Handbrake is likely your best option. Handbrake is a free, open-source video transcoder that can convert videos from “nearly any format.” It takes time (and a lot of CPU power) to convert large video files, but Handbrake works like a charm. It has a ton of advanced features and customization options for pros, too.
There are a handful of file converter sites run by well-known companies, such as the following:
Note that you may need to create an account to use these sites or some of their features. And remember: even though these are established businesses, it’s still a good idea to browse their privacy policy before you upload anything.
Even when you upload a file to a site with a good reputation, it’s wise to think carefully first.
For example, consider that even VirusTotal, a legitimate site for scanning individual files for malware, encourages caution when deciding whether to upload a file to its service. When you upload files to VirusTotal, antivirus companies and members of the security community may be able to download copies of those files. Users of the site sometimes inadvertently submit files that contain confidential or sensitive data. Thankfully, VirusTotal has a process to request removal of sensitive data, but many online services are not so aware or accommodating.
If you’re looking for file converters online, remember: just because a page is listed near the top of a search results page doesn’t mean that the site is legitimate or safe. Threat actors often buy Google Ads disguised as legitimate sites just to leap to the top of Google Search results. And malicious sites can even make it to the front page of search results through search-engine manipulation.
Ultimately, it’s up to you whether to trust a site with your files. Before uploading, think about the potential sensitivity of any info or metadata in the file, consider whether the site is reputable, and peruse their privacy policy.
We discussed the FBI’s report about file conversion scams on episode 388 of the Intego Mac Podcast.
For more information about a similar scam—file corruption sites—see our related article: “Are “corrupt my file” sites safe? Here’s why to avoid corrupt-a-file services”