What is Social Engineering and How Do I Protect My Business from Attacks?

I recently had a client receive a fraudulent email saying it was from DocuSign. Because we noticed conflicting timelines and several red flag warnings, neither of us opened the email – but it served as a reminder of how close a business of any size can be to fraudsters.  

With DocuSign as a prime target for many malicious, third-party phishing attacks, I thought now would be a great time to define social engineering and take a deep dive into phishing attacks, how to prevent phishing attacks, and to review best practices for staying cyber-vigilant.  

What is Social Engineering?  

Social engineering is a type of manipulation that tricks individuals into giving away confidential information or bypassing security protocols. It often exploits human psychology, such as trust, fear, or curiosity, rather than hacking technical systems directly. 

Techniques may involve: 

• Acting authoritative 
• Playing on people’s desires to help 
• Exploiting emotions like fear 
• Offering prizes or incentives 
• Creating a sense of urgency 

Achieving robust security requires awareness and vigilance from everyone. You and your employees must learn to recognize legitimate emails, follow best practices to avoid phishing and other scams, and report any suspicious communications to help keep yourself and the online community safe. 

Is Social Engineering the Same as Phishing? 

Phishing is a type of social engineering attack specifically involving fake communications, usually emails, designed to trick recipients into sharing sensitive information or installing malware. Phishing attempts focus on digital deception (like spoofed emails, SMS/text messages, or fake websites) to entice individuals into disclosing confidential data, while social engineering includes both digital and physical tactics to exploit trust or authority. 

In short, social engineering is the overall strategy to exploit human vulnerability to give away sensitive data and/or obtain money through pig butchering, direct deposit changes, or gift card purchases; it's a broad term that covers a range of tactics. Phishing is one specific tactic within social engineering where fraudsters primarily use deceptive communications to obtain sensitive data. 

Common Types of Social Engineering Attacks 

While this article will primarily focus on phishing, here’s a rundown of the most common types of attacks your business may face: 

Phishing 

Fake emails, texts, or messages designed to trick people into giving up sensitive info or downloading malware. 

Spear Phishing 

Targeted phishing aimed at a specific person or organization, often using personal details to seem legit. 

Whaling 

Phishing attacks that go after high-profile folks like execs or business owners, usually with extra-sophisticated tricks. 

Deepfakes 

AI-made video or audio that mimics real people (like execs), used to trick or manipulate, often for financial gain. 

Tailgating (Piggybacking) 

Getting unauthorized access by following someone into a secure area, usually posing as staff or a vendor. 

Quid Pro Quo 

Offering a service in return for information (like posing as IT support to "help" in exchange for login details). 

Scareware 

Pop-ups or fake alerts that scare people into downloading malware, thinking they’re protecting their system. 

Pretexting 

Making up a story to get someone to share information, often by pretending to be someone important. 

Baiting 

Using a tempting item, like a “confidential” USB drive, to get someone to interact with malicious content. 

Vishing (Voice Phishing) 

Phone scams where attackers pretend to be someone legit to get sensitive information. 

Smishing (SMS Phishing) 

Phishing through text messages, often with fake links or requests for personal info. 

Watering Hole Attacks 

Infecting a website often visited by a target group to spread malware and access sensitive systems. 

How Quickly do Victims Fall for Phishing Scams? 

A phishing scam is a tactic (malicious emails, phone calls, text messages, or other messaging services) used to deceive individuals into revealing personal and financial information, such as login credentials, or for them to unknowingly activate malware that harvests personal data. Phishing emails often appear to come from legitimate sources, enticing recipients to click links or open attachments. 

According to a 2024 Data Breach Investigations Report by Verizon, it typically takes a person 21 seconds to click on a malicious link after a phishing email is opened, then another 28 seconds for the person caught in the phishing attack to enter their data. In other words, most victims fall for phishing emails in less than 60 seconds. 

What Do Fraudsters Want from a Phishing Attack? 

When attackers send phishing messages, the fraudster is not necessarily trying to compromise your account. Often, they aim to capture your email login details, with hopes that you have reused the same usernames and passwords across multiple sites and online accounts. 

Given that many organizations use email addresses as usernames, this practice opens the door for attackers to obtain sensitive information and misuse it. In the end, their goals for phishing scams may be to sell your personal or financial information, access your proprietary data, demand ransom, or further exploit you. 

Identifying Legitimate DocuSign Emails vs. Recognizing Fake Emails and Websites 

If you are unsure whether an email is legitimately from DocuSign, there are several things to review closely to avoid being scammed. 

Imitation Links 

Before you click on links within an email, always hover over the URLs to see where they are trying to guide you to click; some links within a spoof email may appear correctly. For a DocuSign email, they should be hosted on docusign.com or docusign.net.  

Fake links can lead to imitation sites, install spyware, or download viruses. To avoid clicking on the wrong link within a possible spoof email, you can access documents directly from DocuSign's official site using the unique security code in the notification email. 

Malicious Use of DocuSign Services 

Many threat actors sign up with DocuSign and use their services directly. This means an email may come from DocuSign with an authentic link that takes you to DocuSign for your signature. But then these fraudsters publish additional links through the DocuSign form page to third party sites where they will harvest your credential data or lead you to download malicious content.  

Imitation Sender Addresses 

Fake emails may have a forged sender address. If you do not recognize the sender or were not expecting a DocuSign envelope, contact the sender through other channels to verify the message.  

Remember, Stratus HR will notify you if we require a signature via DocuSign or some other method. We also will never collect payments through DocuSign agreements.  

Attachments 

DocuSign emails requesting signatures do not include attachments until after everyone has signed to provide you with completed documents. Be cautious, as DocuSign never sends attachments in zip, HTML, or executable formats. 

Generic Greetings 

Imposter emails may start with vague greetings like “Dear DocuSign Customer.” Lack of personalization is a warning sign, as is an overly personalized email from an unknown source. 

False Sense of Urgency 

Some fake emails create urgency, claiming unauthorized activity on your account. For DocuSign, these fake emails may request you take immediate action to update your account. 

Emails Posing as Websites 

Some emails mimic DocuSign’s appearance to collect personal details. DocuSign never requests personal information, like login credentials, via email. 

Deceptive URLs 

Double-check URLs for slight deviations, such as “docusing.com” instead of “docusign.com.” Pay attention to browser warnings about untrusted sites or certificates. 

Poor Grammar and Spelling 

Phishing emails often contain grammatical errors or misspellings, sometimes intentionally to bypass spam filters. 

Insecure Websites 

Only enter personal details on websites starting with “https://” (the “s” indicates a secure connection). DocuSign’s login page will always have “https://.” 

Pop-up Boxes 

DocuSign does not use pop-up boxes in emails, as they are not secure. 

Handling Suspicious Emails 

If you receive an unexpected email request, be cautious. Fraudsters often use DocuSign and other similar platforms to attempt scams. Avoid clicking on embedded links and report phishing emails or any suspicious content to security@docusign.com for further investigation. 

In the event you are suspicious of a DocuSign envelope’s authenticity, go directly to docusign.com to access the envelope directly. See their Alternative Signing Method Security Code Access page for more information. 

Be sure to report any malicious links sent through a valid DocuSign envelope to security@docusign.com for investigation. 

Verifying DocuSign Site Links 

All DocuSign site links begin with “https://www.docusign.net”. The link may include a prefix of other server designations, such as "na2", "na3", "na4", "au", "ca", "eu" or demo (for example, https://na2.docusign.net). Always hover before clicking to verify the site link looks authentic. 

Practice Safe Use of Software Platforms 

As technology advances, fraudsters will continue finding new ways to exploit trusted platforms. Exercise caution before sharing sensitive information or sending money. If you suspect an email or envelope may include malicious code or might send you to phishing sites, access information directly from a source’s website. 

Quick Tips to Spot a DocuSign Spoof 

The following quick tips from DocuSign will help you identify differences between a spoof email and a legitimate email to avoid phishing scams: 

• Were you expecting a DocuSign form or anything binding that needs to be signed? If not, this may be a scam. 

• Hover over all embedded links: URLs to view or sign DocuSign documents contain “docusign.net” and always start with “https” 

• Access your documents directly from docusign.com by entering the unique security code found at the bottom of every DocuSign email 

• Do not open unknown or suspicious attachments, or click links — unlike phishing scammers, DocuSign will never ask you to open a PDF, office document or zip file in an email 

• Look for red flags: misspellings, poor grammar, generic greetings, a false sense of urgency and/or a demand 

• Enable multi-factor authentication where possible 

• Use strong, unique passwords for each service— don’t reuse passwords across multiple websites 

• Ensure your anti-virus software is up to date and all application patches are installed 

• Contact the sender offline to verify the email’s authenticity 

• Report suspicious emails to your internal IT/Security team; if any suspicious emails are spoofs of DocuSign, be sure to also forward them to spam@docusign.com 

What to Do When You Question a DocuSign Email from Stratus HR 

If you receive an unexpected DocuSign or other email request that appears to be a phishing attempt from Stratus HR, please contact your Stratus HR account manager. For more information about safe cybersecurity practices for employees, see our cybersecurity blogs or contact your Stratus HR account manager. 

Not a current Stratus HR client? Book a free consultation and our team will contact you shortly.

Sources:
https://www.docusign.com/trust/security/incident-reporting
https://www.docusign.com/sites/default/files/docusign_combating_phishing_whitepaper.pdf