Your best friend for file transfer.Fetch
Each SFTP server has a unique identifier, known as an SSH host key, that enables secure transfers. When you connect to an SFTP server, Fetch stores the server's host key for future use. When you later connect to the same server again, Fetch verifies that the server is using the same host key, thus ensuring that you are not inadvertently connecting to a different server (for example, one that's impersonating the server you intend to connect to).
If you connect to an SFTP server, and its host key differs from what it was the previous time you connected to the same server, you will be warned that "Fetch can't verify the identity of the server". This might mean that someone is trying to maliciously impersonate the server, but it could also simply mean that the server administrator has changed the server's host key. You should contact the server administrator to find out whether it is safe to connect to the server if you get this warning.
By default, Fetch does not warn you the first time you connect to an SFTP server. This allows someone to impersonate an SFTP server you use, as long as they do it before the first time you connect. To guard against this possibility, you can check the SFTP: Ask before accepting unknown host keys preference in the Security Preferences pane.
If you check this preference, you will receive the "Fetch can't verify the identity of the server" warning the first time you connect to a new SFTP server. In this case, you should also contact the server administrator to verify the server's host key before connecting.