DocuSign Phishing

What is phishing?

Phishing is a technique used by attackers to trick individuals into divulging personal information—like their login credentials—or launching malware to steal broader sets of personal data stored on their computers or connected networks.

A phishing email typically looks like a valid email from a trusted source, duping recipients into opening the email and clicking on enclosed attachments or links.

It’s estimated that 4% of people will click on an attachment or link in a phishing email.

First and foremost, if you don’t recognize the sender of a DocuSign envelope and you’re uncertain of the email’s authenticity, look for the unique security code included in all DocuSign envelopes at the bottom of the notification email. If you don’t see this code, don’t click on any links or open any attachments within the email.

To make it easier to report suspicious activities, DocuSign has dedicated reporting channels based on the type of threat:

  • DocuSign-themed fraudulent emails and websites: if you think that you’ve received a fraudulent email purporting to come from DocuSign, forward the entire email as an attachment to spam@docusign.com and delete it immediately. [Flagging as junk may be preferred. -rws]

https://www.docusign.com/sites/default/files/docusign_combating_phishing_whitepaper.pdf

Don’t get phished

Tips for foiling attackers

A few simple techniques can help you spot the difference between a spoof DocuSign email and the real thing:

–  Hover over all embedded links: URLs to view or sign DocuSign documents contain “docusign.net” and always start with “https”

–  Access your documents directly from docusign.com by entering the unique security code found at the bottom of every DocuSign email

–  Don’t open unknown or suspicious attachments, or click links—DocuSign will never ask you to open a PDF, office document or zip file in an email

–  Look for misspellings, poor grammar, generic greetings, a false sense of urgency and/or a demand

– Enable multi-factor authentication where possible

– Use strong, unique passwords for each service— don’t reuse passwords across multiple websites

– Ensure your anti-virus software is up to date and all application patches are installed

– Contact the sender offline to verify the email’s authenticity, if you’re still suspicious

– Report suspicious DocuSign emails to your internal IT/Security team and forward to spam@docusign.com

Take the quiz:
https://www.isitzen.com/help/2019/1/phishing-quiz

R.W. Sanders