How to Avoid Shady Online File Converters
The Real Risks Behind That 'Free' Converter
Not every file converter that ranks on the first page of Google deserves your trust — or your files. In 2023, researchers at the cybersecurity firm ReasonLabs identified a wave of malicious converter sites that bundled DNS hijackers and credential stealers into downloaded output files. The FBI's Internet Crime Complaint Center issued a public advisory about it. These weren't obscure sites buried in search results; some had millions of monthly visitors and polished UIs.

The threat model is straightforward: you upload a sensitive PDF, a financial spreadsheet, or a contract. The site processes it on a server you know nothing about, stores it indefinitely, and may sell or expose the content. Some sites go further and inject malware into the converted file itself. Others harvest email addresses entered during 'free account' signups and sell them to spam networks.

The warning signs are consistent across bad actors: no visible privacy policy, no clear statement about file retention periods, no company address or legal entity name, and SSL certificates that are present (because they're free from Let's Encrypt) but tell you nothing about who operates the site. A padlock icon means the connection is encrypted — it says nothing about what happens to your data once it arrives.

Before you upload anything, spend 90 seconds checking three things: who owns the domain (a WHOIS lookup on lookup.icann.org takes 30 seconds), whether the site has a published data retention policy you can actually read, and whether there's a real company name you can search independently. If any of those checks fail, close the tab.
What Legitimate Services Actually Look Like
Legitimate file conversion services share a set of verifiable characteristics that go beyond good design. The first is transparency about infrastructure: reputable services name the cloud providers they use (AWS, Google Cloud, Azure) and specify where data is processed geographically. This matters for GDPR compliance if you're in Europe, and for HIPAA considerations if you're handling health-adjacent documents.

The second marker is a clear, specific file retention policy — not vague language like 'we delete files promptly,' but a stated number. CocoConvert, for example, deletes uploaded and converted files from its servers within one hour of conversion completion. Smallpdf states 60-minute deletion for non-account users. CloudConvert offers configurable retention with immediate deletion available. When a service won't give you a specific number, that's a red flag.

Third, look for a published security page or trust center. This doesn't need to be a 40-page SOC 2 audit report, but it should describe encryption in transit (TLS 1.2 or higher), encryption at rest, and access controls on stored files. If a site's entire 'security' disclosure is one sentence in the footer, treat it accordingly.

Fourth, check whether the service requires account creation to convert files. Many shady sites make signup mandatory specifically to harvest email addresses. CocoConvert and a handful of others allow guest conversion without any account. That said, account-free conversion typically means fewer features and lower file size limits — a trade-off worth understanding before you start.

Finally, check for an API. A service with a documented, publicly available API has developers and businesses depending on it. That accountability tends to correlate with operational seriousness. It's not a guarantee, but a site with no API, no company page, and no named team is almost certainly running on thin margins with minimal investment in security.
How CocoConvert Compares to the Major Players
Honest comparisons require looking at concrete specs rather than marketing language. Here's how CocoConvert stacks up against the three converters you're most likely to encounter: Smallpdf, CloudConvert, and ILovePDF.

**Free tier limits:** CocoConvert's free tier allows up to 5 conversions per day with a 100 MB per-file cap, no account required. Smallpdf's free tier is 2 tasks per day with a 5 GB file size limit but requires account creation after the first use. CloudConvert gives you 25 free conversion minutes per day (account required), which sounds generous but runs out quickly on large batches. ILovePDF allows unlimited conversions on its free tier but caps file sizes at 100 MB and displays advertising throughout.

**Format support:** CloudConvert is the clear leader here — it supports over 200 formats including niche ones like DXF, INDD, and various audio/video containers. CocoConvert covers the most common document, image, and spreadsheet formats (roughly 60 formats), which handles the vast majority of everyday use cases but won't help you if you need to convert a Final Cut Pro project or a Steinberg audio file. Smallpdf is document-focused and doesn't venture much into image or media formats. ILovePDF is PDF-centric almost exclusively.

**Pricing:** CocoConvert's paid plan starts at $8/month for unlimited conversions and 500 MB file size. Smallpdf Pro is $12/month. CloudConvert pricing is consumption-based at roughly $0.0083 per conversion minute, which can become expensive for heavy users but is economical for occasional large-file work. ILovePDF Premium is $6/month but is limited to PDF operations.

**API availability:** CloudConvert has the most mature API with extensive documentation and SDKs for Node.js, PHP, Python, and Java. CocoConvert offers a REST API on paid plans with straightforward JSON responses — adequate for most integration needs but less feature-rich than CloudConvert's offering. Smallpdf has an API but it's priced separately and aimed at enterprise customers. ILovePDF has an API but documentation is sparse.

**Signup requirements:** CocoConvert and ILovePDF both allow conversion without an account. Smallpdf and CloudConvert require accounts for sustained use.
Specific Settings and Behaviors to Check Before You Upload
Once you've identified a service that passes the basic legitimacy checks, there are specific behaviors worth verifying before you upload anything sensitive.

**Check the network tab.** In Chrome or Firefox, open Developer Tools (F12), go to the Network tab, and watch what happens when you land on the converter page. Legitimate services load resources from their own domain and maybe a CDN. If you see requests firing to a dozen third-party ad networks, data brokers, or analytics platforms you don't recognize, your file upload may be tracked and associated with your browsing profile in ways the privacy policy doesn't clearly disclose.

**Read the actual privacy policy URL.** Not the summary — the full document. Search the page (Ctrl+F) for the words 'sell,' 'share,' 'third party,' and 'retain.' Pay attention to what the policy says about file content specifically, not just account data. Some policies are careful to protect account information while being completely silent on the content of uploaded files.

**Test with a dummy file first.** Before uploading a real contract or financial document, convert a dummy file of the same type and size. This tells you whether the output quality is acceptable and whether the site behaves normally — no unexpected redirects, no download prompts that are actually executable files, no browser notifications that require permission before the download starts.

**Verify the download.** On Windows, right-click the downloaded file and check Properties > Details for the file description and origin. On macOS, use Get Info (Cmd+I) to check the 'Where from' metadata. A PDF should have a PDF header; if your antivirus flags it or the file type doesn't match what was advertised, delete it immediately and report the site to Google's Safe Browsing report form at safebrowsing.google.com/safebrowsing/report_phish.

**For recurring use, prefer services with audit logs.** If you're converting files for business purposes, choose a service that logs conversion activity to your account. CocoConvert, CloudConvert, and Smallpdf all provide conversion history in account dashboards. This matters if you ever need to demonstrate compliance or trace when a document was processed.
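
The network-tab check above can be repeated on a saved HAR export from Developer Tools. This is an added example, not code from any service named here: it counts requests per third-party host and lists POSTs with a body that leave the site. The hostnames are constructed, and `site_of` is a rough assumption (last two labels), so a CDN on its own domain will be listed and has to be judged by the reader.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed HAR excerpt (hosts are made up); a real one comes from
# the Network tab's HAR export after loading the converter page.
SAMPLE_HAR = json.loads("""
{"log": {"entries": [
  {"request": {"method": "GET",  "url": "https://converter.example/", "bodySize": 0}},
  {"request": {"method": "GET",  "url": "https://static.converter.example/app.js", "bodySize": 0}},
  {"request": {"method": "GET",  "url": "https://ads.tracker-one.example/tag.js", "bodySize": 0}},
  {"request": {"method": "GET",  "url": "https://ads.tracker-one.example/pixel.gif?u=1", "bodySize": 0}},
  {"request": {"method": "GET",  "url": "data:image/png;base64,AAAA", "bodySize": 0}},
  {"request": {"method": "POST", "url": "https://converter.example/upload", "bodySize": 204800}},
  {"request": {"method": "POST", "url": "https://sync.tracker-two.example/collect", "bodySize": 512}}
]}}
""")


def site_of(host):
    """Approximate the registrable domain as the last two labels.
    Assumption: wrong for suffixes like co.uk; use the Public Suffix List in real use."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def third_party_requests(har, page_host):
    """Return (request count per third-party host, URLs of POSTs with a body sent off-site)."""
    first_party = site_of(page_host)
    hosts, offsite_posts = Counter(), []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        host = urlsplit(req["url"]).hostname
        if host is None or site_of(host) == first_party:
            continue  # skip data:/blob: URLs and first-party traffic
        hosts[host] += 1
        if req["method"] == "POST" and req.get("bodySize", 0) > 0:
            offsite_posts.append(req["url"])
    return hosts, offsite_posts


if __name__ == "__main__":
    hosts, posts = third_party_requests(SAMPLE_HAR, "converter.example")
    for host, n in hosts.most_common():
        print(f"{n:3d}  {host}")
    for url in posts:
        print("off-site POST:", url)
```
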
When Free Isn't Worth It: Paid Plans and What They Actually Buy You
The economics of free file conversion are worth understanding clearly. Running server infrastructure, maintaining format libraries, and paying for bandwidth is not free. When a service offers unlimited free conversions with no obvious business model, the product is almost certainly you — your data, your email, your browsing behavior, or some combination.

Paid plans from reputable services buy you several concrete things beyond just higher limits. The most important is a contractual relationship. When you pay for a service, you have a terms of service agreement that creates legal obligations on the provider's side. Free users typically have no such recourse. If a paid service mishandles your data, you have standing to pursue remedies; free users generally do not.

For CocoConvert, the $8/month paid plan removes the 5-conversion daily cap, raises the file size limit to 500 MB, enables API access, and provides priority processing (conversions typically complete in under 10 seconds rather than the 30-45 seconds sometimes experienced on the free tier during peak hours). It also enables batch conversion of up to 50 files simultaneously, which is genuinely useful for anyone processing document archives.

For CloudConvert, paying makes sense if you need obscure format support or have a developer use case. Their API is the best in the category, and for a team running automated document pipelines, the per-minute pricing model can actually be cheaper than flat subscriptions if usage is irregular.

Smallpdf Pro at $12/month is the right choice if your work is almost entirely PDF-centric — editing, signing, compressing, and converting PDFs. Their PDF toolset is more comprehensive than any of the others. But if you regularly work with image formats, spreadsheets, or anything outside the PDF ecosystem, Smallpdf will frustrate you.

The honest bottom line: if you're converting files more than a few times per week for work, a paid plan from any of the legitimate services is worth the cost. The privacy exposure and time wasted dealing with ad-heavy interfaces on free tiers have a real cost too.
Red Flags That Should Make You Walk Away Immediately
Some behaviors are disqualifying regardless of how polished a site looks. Here's a specific list to keep handy.

**The download button is an ad.** Some converter sites place a fake 'Download' button that triggers an ad click or a software installer download, while the real download link is smaller and harder to find. If you click 'Download' and get a .exe or .dmg file when you asked for a PDF, leave immediately.

**The site asks for browser notification permission before conversion.** There is no legitimate reason a file converter needs push notification access. This is a standard technique for building spam notification lists.

**The output file is larger than the input.** A converted PDF should generally be similar in size or smaller than the source document. If a 200 KB Word document converts to a 4 MB PDF, the output file may contain injected content. Verify with a tool like PDF-XChange Viewer's Document Properties panel before opening it.

**The privacy policy is a template with placeholder text.** Search for strings like '[Company Name]' or 'INSERT DATE HERE' — these appear more often than you'd expect and indicate the operator copied a generic policy without completing it.

**The site domain was registered within the last 12 months and has no social media presence.** Use the ICANN WHOIS lookup to check registration date. Fly-by-night converter sites are often stood up quickly, run for months harvesting data, and then disappear. A site with a 2024 registration date, no LinkedIn presence, and no named team members warrants serious skepticism.

**You're asked to install a desktop app to complete the conversion.** Web-based converters don't require local software installation. Any prompt to install a browser extension or desktop application to 'enable' conversion is a social engineering attempt.
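
The header check from "Verify the download" and the executable and output-size red flags above can be scripted before a converted file is ever opened. This is an added example, not code from any tool the article names; the sample bytes are constructed, and `check_download` and its `max_growth` threshold are assumptions.

```python
# Leading bytes that identify native executables, whatever the file is named.
EXECUTABLE_MAGIC = {
    b"MZ": "Windows executable",
    b"\x7fELF": "ELF executable",
    b"\xcf\xfa\xed\xfe": "Mach-O executable",
}
EXPECTED_MAGIC = {"pdf": b"%PDF-", "png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff",
                  "docx": b"PK\x03\x04", "xlsx": b"PK\x03\x04"}
# PDF names that mark scripts, auto-run actions, program launches or attachments.
# A plain byte search misses names inside compressed object streams.
PDF_ACTIVE = (b"/JavaScript", b"/OpenAction", b"/Launch", b"/EmbeddedFile")


def check_download(data, expected_ext, source_size=None, max_growth=10):
    """Return findings for a converted file; an empty list means nothing was flagged.
    max_growth (output/input size ratio) is an assumed threshold, not from the article."""
    ext, findings = expected_ext.lower().lstrip("."), []
    for magic, label in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            findings.append(f"is a {label}")
    if data[-512:-508] == b"koly":  # UDIF trailer found at the end of .dmg images
        findings.append("is a macOS disk image")
    want = EXPECTED_MAGIC.get(ext)
    if want and not data.startswith(want):
        findings.append(f"missing .{ext} header")
    if ext == "pdf":
        findings += [f"PDF contains {t.decode()}" for t in PDF_ACTIVE if t in data]
    if source_size and len(data) > source_size * max_growth:
        findings.append(f"output is {len(data) / source_size:.0f}x the input size")
    return findings


# Constructed samples: a bare PDF, a PDF carrying a script action, and a PE stub.
CLEAN_PDF = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
SCRIPTED_PDF = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /OpenAction "
                b"<< /S /JavaScript /JS (constructed) >> >>\nendobj\n%%EOF\n")
FAKE_INSTALLER = b"MZ\x90\x00" + b"\x00" * 60

if __name__ == "__main__":
    for name, blob in [("clean.pdf", CLEAN_PDF), ("scripted.pdf", SCRIPTED_PDF),
                       ("download.pdf", FAKE_INSTALLER)]:
        print(name, check_download(blob, "pdf", source_size=len(blob)) or "ok")
```

A finding such as `/OpenAction` also occurs in ordinary PDFs, so treat the list as a reason to inspect the file in a viewer with scripting disabled rather than as a verdict.
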
When to Pick Which Service: Honest Recommendations
Based on the concrete differences outlined above, here's straightforward guidance on when to use each service.

**Pick CocoConvert if:** You need quick, no-account conversion of common document and image formats, you want a clean interface without advertising, you convert files a few times per week and the free tier's 5-daily-conversion limit is sufficient, or you want a simple REST API for a lightweight integration project. CocoConvert is not the right choice for video format conversion, highly specialized formats, or enterprise-scale API usage requiring advanced job queuing.

**Pick CloudConvert if:** You need to convert obscure or specialized formats, you're building a serious application that depends on a mature API with official SDK support, or your usage pattern is irregular enough that per-minute pricing beats a flat subscription. CloudConvert is overkill for casual users and the account requirement is a minor friction point.

**Pick Smallpdf if:** Your work is almost entirely PDF-focused — you're compressing, signing, merging, splitting, or converting documents to and from PDF daily. Their PDF toolset is genuinely the most complete available in a web interface. Don't use Smallpdf if you regularly work with image batch processing or non-PDF formats.

**Pick ILovePDF if:** You need unlimited free PDF operations and can tolerate advertising, you don't have sensitive documents, and Smallpdf's 2-task daily free limit is too restrictive for your budget. ILovePDF is a reasonable free option for low-stakes PDF work.

**Avoid any service that:** Has no stated file retention policy, requires browser notification permission, has a domain registered less than a year ago with no verifiable company identity, or prompts you to install software to complete a conversion. The few minutes spent on due diligence before uploading a sensitive file are worth considerably more than the time saved by using the first result in a search.