Check all your DocuSign-related emails carefully, particularly if you weren't expecting one: Electronic signature company DocuSign is the latest brand to be impersonated in a phishing scheme aimed at scooping up your company data.
Over 500 employees at one company were recently sent the same DocuSign phishing email, complete with a convincing request to review a completely fictional contract.
Phishing attacks grew by 28% last year. Here's what to look for with this particular attack, and how to protect your own business from similar scams.
DocuSigning Away Your Data
According to a report from email software company Armorblox, the email arrives with a subject line claiming, “Hannah McDonald shared a ‘Revised Contract’ with you.” Once opened, the viewer sees a short message saying, “Please review the below and get back to me,” along with a document link.
The link leads to an impressive fake DocuSign preview page, hosted on the Axure prototyping software.
The email is sent from a legitimate domain in order to slip past Microsoft email security, and it reads just like a fairly normal task many workers might be expected to complete as part of their workflow. It all adds up to a well-composed phishing attack that could easily work.
“Scammers created a sense of urgency without sounding the alarm (there is no Nigerian prince waiting to send money into your bank account),” said Armorblox threat researcher Lauryn Cash.
Impersonating DocuSign specifically is a smart way to scam someone, as the brand is so well-known that the victim will be more likely to trust it and even less likely to risk holding up the contract.
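The mismatch at the heart of this attack, a DocuSign-themed message whose link leads to a host DocuSign does not own, can be checked mechanically. The following is an added example, not code from Armorblox or DocuSign; the trusted-domain list is an assumption, and the sample message and its hosts are constructed placeholders.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: hosts treated as genuinely DocuSign-owned; adjust for your environment.
TRUSTED_SUFFIXES = ("docusign.com", "docusign.net")
# Constructed sample message (hosts are placeholders, not indicators from the report).
SAMPLE = """\
Subject: Hannah McDonald shared a 'Revised Contract' with you
Content-Type: text/html; charset="utf-8"

<p>Please review the below and get back to me.</p>
<a href="https://prototype-host.example/docusign-preview">Review in DocuSign</a>
<a href="https://www.docusign.com/trust">About DocuSign</a>
<a href="https://docusign.com.login.example/sign">Sign</a>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_trusted(host):
    """Exact or dot-bounded suffix match, so 'docusign.com.login.example' fails."""
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def suspicious_links(raw_email):
    """Links in a DocuSign-themed message that point outside the trusted hosts."""
    msg = message_from_string(raw_email)
    html = "".join(p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
                   for p in msg.walk() if p.get_content_type() == "text/html")
    if "docusign" not in (msg.get("Subject", "") + html).lower():
        return []  # not brand-themed: out of scope for this check
    parser = LinkCollector()
    parser.feed(html)
    return [(h, t) for h, t in parser.links
            if urlsplit(h).scheme in ("http", "https") and not is_trusted(urlsplit(h).hostname)]
```

Calling `suspicious_links(SAMPLE)` returns the prototype-host link and the lookalike `docusign.com.login.example` link, while the genuine `www.docusign.com` link is left alone.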
How to Stay Safe
The rise of remote work comes with some very specific risks — like electronic signatures.
Just like physical documents, everyone needs to be careful what they sign. But unlike a physical document, a phisher can mass-email a fake document out with a single click and have hundreds of different chances at luring in a victim.
Here are the best practices that can help you avoid this type of scam:
- Use multi-factor authentication — this is one of the easiest and best ways to catch scammers
- Use a password management tool — we've ranked all the top business options here
- Check all details for similarity to previous emails — everything from the address to font size and spelling errors can give away a scammer
- Verify with others — this phishing attack will always ask you to review or approve a document you don't expect to receive, so whenever this happens, double-check with a coworker if possible
The biggest tip of all? Don't let your guard down even if you follow all this advice. Phishing attacks always work best on anyone who's complacent, and we all let our guards down more often than we think.