Digital signatures can replace pen-and-paper, and several companies provide them as a service. DocuSign is one of the largest, with over 1 million users in the U.S. and many more in over 180 countries. But being the biggest also makes you a lucrative target. Read on to see why you need to be extra careful when you receive a DocuSign email that needs your attention.

Here’s the backstory

Sending documents back and forth for approval, signing, or review has never been easier. You don’t even need to attach the file to an email, as it can be sent directly through digital signature software. Naturally, several processes are in place to ensure that the right person signs and that the document doesn’t get intercepted.

Unfortunately, some of those processes are no match for cybercriminals, as researchers at Armorblox discovered. Through sophisticated social engineering, criminals are trying to fool office workers into divulging personal information. The attacks use fake DocuSign requests from spoofed email addresses to infiltrate corporate networks.

The method is relatively simple: a request to review a document is sent to a potential victim. However, once the email is delivered, it can be hard to tell whether it is authentic. The email is a near-perfect replica of DocuSign correspondence, with a link at the bottom to access the file.

“Upon clicking the link, the user is presented a preview of a DocuSign document overview. The similarity to a valid DocuSign overview landing page establishes a sense of trust within the recipient of this phishing attack,” Armorblox explained in a blog post.

But this is only half of the document, and the victim needs to click on “view completed document” to go further. Upon doing so, the criminals reap their rewards, as the victim is asked to enter their Microsoft credentials. The scam is that the document is fake, and the criminals capture the details entered. As a result, they have full access to that account and use it to infiltrate other systems.

What you can do about it

This phishing scam can have dire consequences for any business and bring the legitimacy of workflow procedures into question. If you or your company use digital signature software, there are a few things that you must look out for:

Always verify that the email is from a real person in your company. Even if the email address seems authentic at first glance, scrutinize it for minor errors or typos. Reach out to the sender to verify it came from them before clicking links.

Where possible, enable two-factor authentication (2FA) to place another layer of security between you and criminals.

Be cautious with links and attachments found in unsolicited texts and emails. They could be part of phishing scams and lead to more problems.
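A mail administrator can partly automate the sender and link checks described above. The following Python code is an added example, not taken from Armorblox or DocuSign: the expected-domain list, the 0.8 similarity threshold and the sample message are assumptions constructed for illustration.

```python
import difflib
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains your organization expects signing mail and links to use.
EXPECTED = {"docusign.com", "docusign.net"}

# Constructed sample message (not a real phishing email).
SAMPLE = """\
From: DocuSign <dse@docusing.example>
To: employee@corp.example
Subject: Please review and sign your document
Content-Type: text/html; charset="utf-8"

<p>You have a document to review.</p>
<a href="https://docs.login-portal.example/view?id=1">VIEW COMPLETED DOCUMENT</a>
"""


def base_domain(host):
    """Naive registrable domain: last two labels (no public-suffix handling)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify(host):
    """Return 'expected', 'lookalike' or 'unknown' for a host name."""
    dom = base_domain(host)
    if dom in EXPECTED:
        return "expected"
    # Compare the name label with each expected brand label to catch typos.
    label = dom.split(".")[0]
    for good in EXPECTED:
        brand = good.split(".")[0]
        close = difflib.SequenceMatcher(None, label, brand).ratio() >= 0.8
        if brand in label or close:
            return "lookalike"
    return "unknown"


def review(raw):
    """Classify the From domain and every link host in a raw message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1]
    findings = {"from": classify(sender.rpartition("@")[2]), "links": {}}
    for url in re.findall(r'href="([^"]+)"', msg.get_payload()):
        host = urlparse(url).hostname or ""
        findings["links"][host] = classify(host)
    return findings
```

Anything other than "expected" is a reason to contact the sender through a separate channel before clicking, as the advice above recommends.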
