In today’s SensCy Cyber Brief, your SensCy cybersecurity team is investigating how cybercriminals use fake DocuSign emails as part of their arsenal of phishing tools. In this brief we review their methods and provide recommendations on how to spot a DocuSign Phishing email.
Cyber threat actors commonly use well-known brands to get you to click on a link and provide credentials. Companies like FedEx, Amazon, DHL, and Microsoft are amongst the most used, but recently SensCy has observed an increase in phishing emails involving DocuSign, a service that allows you to sign documents electronically. This is likely due to the increased volume of documents transferred to a cloud setting since the pandemic started in 2020 and employees started working from home.
How do threat actors use DocuSign in phishing campaigns?
Threat actors using DocuSign will primarily target your company’s first line of defense: your employees. The email you receive will look almost identical to a real DocuSign email and will likely ask you to “View More” or to click on an attached document within the email. This way the threat actors can either ask you to log in, thereby gaining your credentials, or deliver an attachment containing a virus or other malware that will download onto your device.
How do I spot a DocuSign phishing email?
Awareness and training are your primary tools to detect phishing emails. Below are the key warning signs to help identify when you are being phished.
- You haven’t requested any documents and are not expecting any documents.
- You don’t recognize the sender.
- Fake links in the email. Always use https://www.docusign.com/ and enter the code from the email to access the document. If the code does not work, DO NOT click on the link in the email. You can check a link by hovering your mouse pointer over the document link; all valid DocuSign documents will be hosted on “docusign.net”.
- There is an attachment in the email. Per the DocuSign Security page: “DocuSign emails that request you to sign a document never contain attachments of any kind. Don’t open or click on attachments within an email requesting your signature.”
- Generic greetings such as “Dear DocuSign Customer.”
- They add a false sense of urgency such as “your account will be deleted if you don’t provide updated information.”
- Misspellings and bad grammar.
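The link, attachment, greeting and urgency checks from the list above, written as a mail-triage heuristic; this is an added example, not SensCy or DocuSign code. The function names, patterns and sample message are constructed for illustration, and the trusted domains are the two named in this brief.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

TRUSTED = ("docusign.net", "docusign.com")  # the two domains named in the brief
GENERIC = re.compile(r"dear docusign customer", re.I)
URGENCY = re.compile(r"account will be deleted", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

def host_is_trusted(url):
    # Compare the parsed hostname on a dot boundary; a substring test would accept look-alikes
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def check_email(raw):
    findings, body = [], ""
    for part in message_from_string(raw).walk():
        if part.get_filename():  # signature requests never carry attachments
            findings.append("attachment: " + part.get_filename())
        elif part.get_content_maintype() == "text":
            data = part.get_payload(decode=True) or b""
            body += data.decode(part.get_content_charset() or "utf-8", "replace")
    findings += ["untrusted link: " + u for u in URL.findall(body) if not host_is_trusted(u)]
    for label, rx in (("generic greeting", GENERIC), ("urgency language", URGENCY)):
        if rx.search(body):
            findings.append(label)
    return findings

# Constructed sample message (example.org is a reserved documentation domain)
SAMPLE = """From: DocuSign <dse@docusign.net.example.org>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Dear DocuSign Customer,
Your account will be deleted if you don't provide updated information.
View More: https://docusign.net.example.org/sign?id=1
Help: https://www.docusign.com/
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.html"

placeholder
--b1--
"""

if __name__ == "__main__":
    print("\n".join(check_email(SAMPLE)))
```

The hostname in the sample link begins with "docusign.net" but is registered under a different domain, which is why the check parses the URL instead of searching it for the brand name.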
For more information on this type of attack, click here or contact your SensCy Client Advocate.