Free File Converters Are a Cybersecurity Threat

By Andrew Loposser · Founder, Assembly Strategies · March 2025

You're on the trail, someone sends you a PDF you need as a PNG, and you Google "free file converter." Stop. That ten-second shortcut can hand an attacker the keys to your campaign.

The warning

The FBI's Denver Field Office issued a public warning about a surge of scam sites masquerading as file converters. They promise a quick conversion, and many actually deliver it, while quietly installing malware, ransomware, adware, or information-stealing tools that grab passwords, financial credentials, and Social Security numbers. The fact that the site looks legit, or "worked last time," is exactly the trap.

Why campaigns are a prime target

Campaigns handle huge volumes of personally identifiable information: volunteer lists, donor data, internal passwords, and voter contact files. A single infected laptop can compromise the whole operation, especially in a fast-moving environment where files get shared widely and security habits vary from staffer to staffer. The risks are serious: ransomware that freezes operations, credential theft, session hijacking that can bypass multi-factor authentication, and long-term surveillance of internal activity.

What to use instead

There's no excuse for the shortcut when safe tools are already on every device:

  • Adobe Acrobat Pro for local, offline conversion to and from PDF.
  • Microsoft Word and Google Docs, which both export to PDF natively.
  • Preview (Mac) and Print to PDF (Windows) for quick, secure basics.
  • Google Drive or Dropbox, which offer trusted built-in conversions with no sketchy downloads.

Have your digital team set up one centralized, licensed conversion process. If you're unsure whether a tool is safe, assume it isn't.

Build it into your culture

Security is a habit, not a one-time memo. Train every staffer, intern, and volunteer that free online converters are off-limits. Keep active anti-malware on all campaign devices, use a browser content blocker, and keep document handling inside a shared, protected system.

If you think you've been hit

  1. Stop using the affected device immediately.
  2. Contact your financial institutions to secure any linked accounts.
  3. Change all passwords, ideally from a clean device.
  4. Run a full anti-malware scan with a trusted program.
  5. Report the incident to the FBI's Internet Crime Complaint Center at IC3.gov.

Campaigns run on urgency, but digital security is foundational, not optional. Don't trade a ten-second conversion for a full-blown data breach.

Adapted from Andrew Loposser's newsletter, The Political Playbook (March 2025).