I recently had a client receive a fraudulent email saying it was from DocuSign. Because we noticed conflicting timelines and several red flag warnings, neither of us opened the email – but it served as a reminder of how close a business of any size can be to fraudsters.
With DocuSign as a prime target for many malicious, third-party phishing attacks, I thought now would be a great time to define social engineering and take a deep dive into phishing attacks, how to prevent phishing attacks, and to review best practices for staying cyber-vigilant.
Social engineering is a type of manipulation that tricks individuals into giving away confidential information or bypassing security protocols. It often exploits human psychology, such as trust, fear, or curiosity, rather than hacking technical systems directly.
Techniques may involve:
Achieving robust security requires awareness and vigilance from everyone. You and your employees must learn to recognize legitimate emails, follow best practices to avoid phishing and other scams, and report any suspicious communications to help keep yourself and the online community safe.
Phishing is a type of social engineering attack specifically involving fake communications, usually emails, designed to trick recipients into sharing sensitive information or installing malware. Phishing attempts focus on digital deception (like spoofed emails, SMS/text messages, or fake websites) to entice individuals into disclosing confidential data, while social engineering includes both digital and physical tactics to exploit trust or authority.
In short, social engineering is the overall strategy to exploit human vulnerability to give away sensitive data and/or obtain money through pig butchering, direct deposit changes, or gift card purchases; it's a broad term that covers a range of tactics. Phishing is one specific tactic within social engineering where fraudsters primarily use deceptive communications to obtain sensitive data.
While this article will primarily focus on phishing, here’s a rundown of the most common types of attacks your business may face:
Fake emails, texts, or messages designed to trick people into giving up sensitive info or downloading malware.
Targeted phishing aimed at a specific person or organization, often using personal details to seem legit.
Phishing attacks that go after high-profile folks like execs or business owners, usually with extra-sophisticated tricks.
AI-made video or audio that mimics real people (like execs), used to trick or manipulate, often for financial gain.
Getting unauthorized access by following someone into a secure area, usually posing as staff or a vendor.
Offering a service in return for information (like posing as IT support to "help" in exchange for login details).
Pop-ups or fake alerts that scare people into downloading malware, thinking they’re protecting their system.
Making up a story to get someone to share information, often by pretending to be someone important.
Using a tempting item, like a “confidential” USB drive, to get someone to interact with malicious content.
Phone scams where attackers pretend to be someone legit to get sensitive information.
Phishing through text messages, often with fake links or requests for personal info.
Infecting a website often visited by a target group to spread malware and access sensitive systems.
A phishing scam is a tactic (malicious emails, phone calls, text messages, or other messaging services) used to deceive individuals into revealing personal and financial information, such as login credentials, or for them to unknowingly activate malware that harvests personal data. Phishing emails often appear to come from legitimate sources, enticing recipients to click links or open attachments.
According to a 2024 Data Breach Investigations Report by Verizon, it typically takes a person 21 seconds to click on a malicious link after a phishing email is opened, then another 28 seconds for the person caught in the phishing attack to enter their data. In other words, most victims fall for phishing emails in less than 60 seconds.
When attackers send phishing messages, the fraudster is not necessarily trying to compromise your account. Often, they aim to capture your email login details, with hopes that you have reused the same usernames and passwords across multiple sites and online accounts.
Given that many organizations use email addresses as usernames, this practice opens the door for attackers to obtain sensitive information and misuse it. In the end, their goals for phishing scams may be to sell your personal or financial information, access your proprietary data, demand ransom, or further exploit you.
If you are unsure whether an email is legitimately from DocuSign, there are several things to review closely to avoid being scammed.
Before you click on links within an email, always hover over the URLs to see where they are trying to guide you to click; some links within a spoof email may appear correctly. For a DocuSign email, they should be hosted on docusign.com or docusign.net.
Fake links can lead to imitation sites, install spyware, or download viruses. To avoid clicking on the wrong link within a possible spoof email, you can access documents directly from DocuSign's official site using the unique security code in the notification email.
Many threat actors sign up with DocuSign and use their services directly. This means an email may come from DocuSign with an authentic link that takes you to DocuSign for your signature. But then these fraudsters publish additional links through the DocuSign form page to third party sites where they will harvest your credential data or lead you to download malicious content.
Fake emails may have a forged sender address. If you do not recognize the sender or were not expecting a DocuSign envelope, contact the sender through other channels to verify the message.
Remember, Stratus HR will notify you if we require a signature via DocuSign or some other method. We also will never collect payments through DocuSign agreements.
DocuSign emails requesting signatures do not include attachments until after everyone has signed to provide you with completed documents. Be cautious, as DocuSign never sends attachments in zip, HTML, or executable formats.
Imposter emails may start with vague greetings like “Dear DocuSign Customer.” Lack of personalization is a warning sign, as is an overly personalized email from an unknown source.
Some fake emails create urgency, claiming unauthorized activity on your account. For DocuSign, these fake emails may request you take immediate action to update your account.
Some emails mimic DocuSign’s appearance to collect personal details. DocuSign never requests personal information, like login credentials, via email.
Double-check URLs for slight deviations, such as “docusing.com” instead of “docusign.com.” Pay attention to browser warnings about untrusted sites or certificates.
Phishing emails often contain grammatical errors or misspellings, sometimes intentionally to bypass spam filters.
Only enter personal details on websites starting with “https://” (the “s” indicates a secure connection). DocuSign’s login page will always have “https://.”
DocuSign does not use pop-up boxes in emails, as they are not secure.
If you receive an unexpected email request, be cautious. Fraudsters often use DocuSign and other similar platforms to attempt scams. Avoid clicking on embedded links and report phishing emails or any suspicious content to security@docusign.com for further investigation.
In the event you are suspicious of a DocuSign envelope’s authenticity, go directly to docusign.com to access the envelope directly. See their Alternative Signing Method Security Code Access page for more information.
Be sure to report any malicious links sent through a valid DocuSign envelope to security@docusign.com for investigation.
All DocuSign site links begin with “https://www.docusign.net”. The link may include a prefix of other server designations, such as "na2", "na3", "na4", "au", "ca", "eu" or demo (for example, https://na2.docusign.net). Always hover before clicking to verify the site link looks authentic.
As technology advances, fraudsters will continue finding new ways to exploit trusted platforms. Exercise caution before sharing sensitive information or sending money. If you suspect an email or envelope may include malicious code or might send you to phishing sites, access information directly from a source’s website.
The following quick tips from DocuSign will help you identify differences between a spoof email and a legitimate email to avoid phishing scams:
If you receive an unexpected DocuSign or other email request that appears to be a phishing attempt from Stratus HR, please contact your Stratus HR account manager. For more information about safe cybersecurity practices for employees, see our cybersecurity blogs or contact your Stratus HR account manager.
Not a current Stratus HR client? Book a free consultation and our team will contact you shortly.
Sources:
https://www.docusign.com/trust/security/incident-reporting
https://www.docusign.com/sites/default/files/docusign_combating_phishing_whitepaper.pdf