Gadget

We come under Docusign attack

In recent weeks, Gadget has received a steady stream of fake emails asking us to review and sign a document sent via Docusign, the global e-signature platform. The requests are relatively convincing, because we regularly sign contracts and forms via Docusign. However, these emails came from individuals we have never dealt with, and from companies with which we were not in the midst of contractual discussions. It is a clear phishing attempt: the aim is to get us to click through to a link that exposes us to malware, or to supply details that will then be used fraudulently.

Now, it has emerged that we are not alone in being exposed to this scam.

Security software company Kaspersky is warning that this is a rising phishing scam, and that cyber attackers are sending these emails with links to fake websites where users are asked to enter a work login and password.

The Docusign phishing attack begins with an email that resembles legitimate communication from the service. Unlike many other phishing schemes, the attackers generally do not bother to forge or mask the sender address: genuine Docusign emails can arrive from a range of addresses because of the customisation options available to Docusign customers, so the recipient has no single sender address to check against.

Typically, the victim is told that they must electronically sign a finance-related document, and the email carries the click-through link. In some cases the phishers instead include a PDF attachment containing a QR code. The victim is prompted to open the attachment and scan the code, supposedly to reach the document for signing; in reality it leads to a phishing website built to harvest credentials.

The tactics and quality of execution vary from email to email, but the core principle is the same: phishers rely on the recipient not understanding how e-signing with Docusign actually works. An inattentive victim follows the link (or QR code) to the phishing page and enters their work login credentials, which go straight to the attackers. Usernames and passwords harvested this way are often compiled into databases sold on illicit dark web marketplaces and later used to attack organisations.
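One concrete check that follows from this description, as an added example (not code from the article, Kaspersky or Docusign): parse a Docusign-themed email and flag it when its links do not actually resolve to a Docusign host, or when it delivers a PDF attachment, which is how the QR-code variant smuggles its URL past link filters. The domain allowlist and all three sample messages are assumptions constructed for the example; verify the legitimate domains against Docusign's own guidance before relying on them.

```python
"""Triage check for Docusign-themed emails.

Added example, not code from the article or from Kaspersky/Docusign.
Assumption: genuine signing links point at hosts under DOCUSIGN_DOMAINS;
confirm that list against Docusign's own published guidance before use.
All sample messages below are constructed test data, not captured mail.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Assumed allowlist of registrable domains used by the real service.
DOCUSIGN_DOMAINS = ("docusign.net", "docusign.com")

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)


def host_is_docusign(url):
    """True only if the URL's actual hostname is an allowlisted domain or a
    subdomain of one. urlparse discards user-info, so a decoy such as
    https://docusign.net@evil.example/ resolves to evil.example, and the
    suffix check rejects docusign.net.evil.example."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DOCUSIGN_DOMAINS)


def analyse_message(raw):
    """Parse a raw RFC 822 message and report the two lures the article
    describes: links that leave the Docusign domains, and PDF attachments
    (the QR-code variant hides its URL inside a PDF where link filters miss it)."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject_and_sender = (msg.get("Subject", "") + msg.get("From", "")).lower()
    findings = {
        "looks_docusign": "docusign" in subject_and_sender,
        "bad_links": [],
        "pdf_attachments": [],
    }
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "application/pdf" and part.get_content_disposition() == "attachment":
            findings["pdf_attachments"].append(part.get_filename())
        elif ctype in ("text/plain", "text/html"):
            for url in URL_RE.findall(part.get_content()):
                if not host_is_docusign(url):
                    findings["bad_links"].append(url)
    return findings


def is_suspicious(raw):
    """A Docusign-branded message with an off-domain link or a PDF
    attachment deserves a second look before anyone clicks or scans."""
    f = analyse_message(raw)
    return f["looks_docusign"] and bool(f["bad_links"] or f["pdf_attachments"])


def build_sample(subject, sender, html_body, attach_pdf=False):
    """Construct a sample message for offline testing (not real mail)."""
    m = EmailMessage()
    m["Subject"] = subject
    m["From"] = sender
    m["To"] = "finance@corp.example"
    m.set_content(html_body, subtype="html")
    if attach_pdf:
        m.add_attachment(b"%PDF-1.4 placeholder, no real QR code",
                         maintype="application", subtype="pdf",
                         filename="invoice.pdf")
    return m.as_string()


# Constructed samples: hostnames, paths and addresses are made up for the example.
GENUINE = build_sample(
    "Please DocuSign: Supplier agreement", "Contracts via Docusign <dse@docusign.net>",
    '<p>Review and sign.</p><a href="https://na2.docusign.net/Signing/start">Review Document</a>')
DECOY = build_sample(
    "Docusign: Payment authorisation awaiting your signature", "Accounts <ap@vendor.example>",
    '<a href="https://docusign.net@evil.example/sign">Review Document</a>')
QR_PDF = build_sample(
    "DocuSign: invoice to sign", "Billing <billing@vendor.example>",
    "<p>Open the attached PDF and scan the QR code to sign.</p>", attach_pdf=True)

if __name__ == "__main__":
    for name, raw in (("GENUINE", GENUINE), ("DECOY", DECOY), ("QR_PDF", QR_PDF)):
        verdict = "suspicious" if is_suspicious(raw) else "looks consistent"
        print(name, verdict, analyse_message(raw))
```

The hostname check is deliberately done on the parsed URL rather than by searching the link text for "docusign", because the user-info trick (`docusign.net@evil.example`) and subdomain trick (`docusign.net.evil.example`) both pass a naive substring match. Treating a PDF attachment on a Docusign-branded email as a finding follows directly from the point the article makes: the genuine service does not send documents as attachments.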


The whole purpose of Docusign is to make it as easy as possible for companies and individuals to exchange electronically signed documents. Any additional step or restriction, such as creating an account, entering credentials, opening attachments, or being able to sign only from a smartphone, goes against this principle. Docusign therefore asks for none of these and strives to keep the signing process as quick and simple as possible.

To protect against this Docusign phishing tactic or other scams that impersonate popular services, Kaspersky recommends the following:

Understand how the genuine service works: for example, Docusign will never:

Be cautious of links and attachments: avoid clicking on unexpected links or downloading attachments in unsolicited emails.

“Phishers are increasingly using names of trusted services like Docusign,” says Roman Dedenok, a cybersecurity expert at Kaspersky. “We advise all IT users both at work and at home to always verify the sender’s identity and avoid clicking on suspicious links. Companies should ensure their teams know how to identify phishing emails, while multi-factor authentication and email filtering solutions add an extra level of defence.”
