How to Avoid Phishing Scams

According to Allot Ltd, a global provider of network intelligence and security solutions for service providers and enterprises worldwide, phishing blocks increased by 37% between the first quarter of 2021 and the first quarter of 2022 (47 million in Q1 2021 vs 64 million in Q1 2022). Adware and Trojans remained the most blocked categories. A phishing attack can be devastating: it can result in loss of data, compromised accounts, ransomware, malware infections and financial loss.

What is the aim of phishing attacks?

The aim of these attacks is often to gain access to a victim’s email credentials. The tendency of most people to reuse usernames and passwords across websites, coupled with the trend of organisations using email addresses as user IDs, means that a single stolen email password frequently opens other accounts as well, so it is essential for organisations to stay ahead of these challenges. Learning how to recognise fraudulent emails is the best way to protect yourself and your data. DocuSign is committed to employing the latest technology and industry knowledge to keep our customers safe from attackers, but it takes awareness and commitment from everyone involved to achieve the highest level of security.

What is phishing?

Phishing is a technique used by attackers to trick individuals into divulging personal information, such as login credentials, or into running malware that steals broader sets of data stored on their computers or connected networks. A phishing email typically looks like a valid email from a trusted source, duping recipients into opening it and clicking the enclosed attachments or links. Scammers often mimic legitimate companies to encourage users to part with their personal data.

What happens when you click on a phishing link?

If you click a link in a phishing email or open its attachment, malware, ransomware, spyware or viruses may be installed on your device, often without any sign visible to you. If you enter personal information on the page the link leads to, it goes straight to the attacker and may be exploited.

Other types of social engineering

Phishing is just one type of social engineering, the broad term used to describe various tactics and techniques used by attackers to manipulate and deceive individuals into divulging personal or confidential data. Bad actors will play on a potential victim’s emotions, using tactics that could include:

  • Taking a false position of authority
  • Exploiting one’s desire to help
  • Playing on emotional needs or fears
  • Offering something to win or obtain for free

Social engineering efforts usually appear harmless. They are designed to exploit human nature and take advantage of everyday moments when victims aren’t expecting an attack. In addition to phishing, there are a variety of related social engineering tactics that you could be vulnerable to:

  • Spear phishing, whaling, clone phishing: “spear phishing” is phishing aimed at specific targets; “whaling” is spear phishing aimed at a senior executive; “clone phishing” is when a previously delivered, legitimate email is replicated and re-sent with a malicious attachment or link in place of the original.
  • Vishing (voice phishing): phishing over the phone, by a live caller or an interactive voice response (IVR) system, that talks you into divulging information on the call, or into clicking a link or entering data in an email tied to the call.
  • Smishing: phishing via SMS/text messages that induce you to divulge private information by clicking a link or entering data.

How to identify phishing emails

Generally, it’s best to be skeptical about strange emails. Here’s a quick checklist of questions you can run through to be sure an email is legitimate: 

  • Are you expecting the email?
  • Do you recognise the sender?
  • Do the email signature and the sender name/email address match?
  • If it's a DocuSign email, does it have the new and correct logo and branding?
  • Is the look or tone off from the norm?
  • Are there spelling or grammar errors throughout?
  • Is it more generic than it should be?
  • Is it asking for you to provide your personal or login information?
  • Are the links taking you to a valid and expected place? Hover over them without clicking (long-press on a mobile device) to reveal the real destination; the link text and the address it actually points to can differ.
  • Are there strong emotions or an urgency communicated? 
  • Do you feel like it’s just weird?

How to avoid being a victim of a phishing attempt

  • Look for misspellings, poor grammar, generic greetings, a false sense of urgency and/or a demand.
  • Enable multi-factor authentication where possible.
  • Use strong, unique passwords for each service—don’t reuse passwords across multiple websites.
  • Ensure your antivirus software is up to date and all application patches are installed.
  • If you’re suspicious, contact the sender offline to verify the email’s authenticity.

How to detect DocuSign-themed phishing attempts

A few simple techniques can help you spot the difference between a spoofed DocuSign email and the real thing:

  • Don’t open unknown or suspicious attachments, or click links—DocuSign will never ask you to open a PDF, office document or zip file in an email.
  • Hover over all embedded links: URLs to view or sign DocuSign documents always start with https and are hosted on docusign.net, so the host name of the link must be docusign.net itself or a subdomain of it. A longer host name in which docusign.net is followed by further labels belonging to another domain, or a link that has docusign.net only in its path or query string, is not a DocuSign link.
  • Access your documents directly from www.docusign.co.uk by entering the unique security code, which is included at the bottom of every DocuSign email.
  • Report suspicious DocuSign-themed emails to your internal IT/security team and to spam@docusign.com.
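As an added example (not DocuSign's code and not from the original page), here is the host-name check that the "hover over the links" advice above and the checklist question "Are the links taking you to a valid and expected place?" both describe, in Python. It assumes only the domain docusign.net named on this page; every other host name in the samples is constructed for illustration. The rule taken literally ("starts with https and contains docusign.net/") is shown next to the correct one so that the lookalike links it lets through are visible.

```python
from typing import Dict, Tuple
from urllib.parse import urlsplit

# The trusted domain the page names. Every other host name below is constructed
# for illustration and is not a real DocuSign or attacker address.
TRUSTED_DOMAIN = "docusign.net"


def naive_check(url: str) -> bool:
    """The rule taken literally: starts with https and contains 'docusign.net/'."""
    return url.startswith("https") and "docusign.net/" in url


def check_link(url: str, trusted_domain: str = TRUSTED_DOMAIN) -> Tuple[bool, str]:
    """Return (ok, reason). ok is True only when the scheme is https and the
    host name is the trusted domain itself or a subdomain of it."""
    parts = urlsplit(url)
    if parts.scheme != "https":            # urlsplit lower-cases the scheme
        return False, "scheme is %r, not https" % parts.scheme
    host = parts.hostname                  # drops userinfo and port, lower-cased
    if not host:
        return False, "no host name"
    host = host.rstrip(".")                # 'docusign.net.' names the same host
    if not host.isascii():
        return False, "non-ASCII host name, possible homograph of %s" % trusted_domain
    if host == trusted_domain or host.endswith("." + trusted_domain):
        return True, "host %s is within %s" % (host, trusted_domain)
    return False, "host %s is not within %s" % (host, trusted_domain)


def triage(urls) -> Dict[str, Tuple[bool, str]]:
    """Classify a batch of hovered links."""
    return {u: check_link(u) for u in urls}


# Constructed samples: two acceptable shapes, then the tricks a hover reveals.
SAMPLES = [
    "https://docusign.net/",
    "https://sub.docusign.net/",
    "http://docusign.net/",                                   # not https
    "https://docusign.net.example.com/docusign.net/",         # attacker's own subdomain
    "https://example.com/docusign.net/",                      # trusted name only in the path
    "https://example.com/login?next=https://docusign.net/",   # trusted name only in the query
    "https://docusign.net@example.com/",                      # userinfo trick
    "https://d\u043ecusign.net/",                             # Cyrillic 'о' homograph
]

if __name__ == "__main__":
    for url, (ok, reason) in triage(SAMPLES).items():
        print("%-4s naive=%-5s %s  (%s)" % ("OK" if ok else "BAD", naive_check(url), url, reason))
```

The substring rule accepts the path, query and attacker-subdomain samples because the characters docusign.net/ do appear in them; the hardened check parses the URL first and only ever looks at the host name, which is the part a browser actually connects to.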

How does DocuSign protect its users against phishing?

DocuSign proactively detects and deters phishing attempts by tapping into the deep expertise and experience of the DocuSign security team in combination with sophisticated automated techniques, including:

  • Leveraging custom automation tooling (developed in conjunction with the DocuSign cybersecurity team) to process potentially fraudulent URLs submitted to spam@docusign.com by customers or reported in threat intelligence feeds
  • Using machine learning algorithms to improve accuracy and reduce false positives when identifying phishing attempts.
  • Using performance dashboards and visualisations to track phishing trends over time and analyse phishing pages in real time.
  • Enforcing a DMARC (Domain-based Message Authentication, Reporting and Conformance) reject policy on docusign.net, so that any spoofed email purporting to come from docusign.net that fails SPF or DKIM alignment is rejected by receiving mail providers that enforce DMARC, and those providers send DMARC reports on the rejected mail back to DocuSign for analysis.
  • Analysing attackers’ actions and proactively detecting attacks by conducting forensic investigations and credential seeding.
  • Partnering with leading security vendors and law enforcement organisations to share, blacklist and take down malicious websites and prevent further phishing attacks.
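As an added example of the DMARC mechanism described in the reject-policy bullet above (not DocuSign's code or its actual DNS record), the Python below parses a DMARC TXT record and works out the disposition a receiving server would apply to a message, following the RFC 7489 alignment rules. The record, the reporting address and the sending host names are constructed for illustration, and the organizational-domain helper is a simplification (a real receiver consults the Public Suffix List).

```python
from typing import Dict, Optional

# Constructed DMARC record for illustration; the reporting address is not DocuSign's.
EXAMPLE_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Parse the tag=value pairs of a DMARC TXT record (RFC 7489 section 6.3)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= tag")
    tags.setdefault("adkim", "r")   # alignment mode defaults to relaxed
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.
    A real receiver uses the Public Suffix List (e.g. for co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record: str, from_domain: str,
                      spf_result: str, spf_domain: Optional[str],
                      dkim_result: str, dkim_domain: Optional[str]) -> str:
    """Return 'pass' if SPF or DKIM passed *and* is aligned with the RFC5322.From
    domain; otherwise the published policy (none, quarantine or reject).
    Assumes the record was published at the organizational domain."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    # sp= (if present) overrides p= for mail From: a subdomain of the record's domain
    if from_domain.lower() != org_domain(from_domain) and "sp" in tags:
        return tags["sp"]
    return tags["p"]


if __name__ == "__main__":
    # Constructed cases: a spoof, a DKIM-signed legitimate message, and a
    # legitimate message sent from a subdomain that passes SPF.
    cases = [
        ("spoof: attacker's envelope domain passes SPF but is not aligned",
         "docusign.net", "pass", "evil.example", "none", None),
        ("legit: DKIM signature d=docusign.net",
         "docusign.net", "fail", None, "pass", "docusign.net"),
        ("legit: SPF pass for a sending subdomain, relaxed alignment",
         "docusign.net", "pass", "mail.docusign.net", "none", None),
    ]
    for label, *args in cases:
        print("%-9s %s" % (dmarc_disposition(EXAMPLE_RECORD, *args), label))
```

Two points worth noticing: an attacker's mail can pass SPF for the attacker's own envelope domain and still be rejected, because DMARC demands that the passing identifier align with the visible From: domain; and DMARC only governs the domain that publishes the record, so a lookalike domain the attacker registers has its own DNS and is untouched by this policy, which is why the link and sender checks earlier on this page remain necessary.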

For DocuSign security and system performance information, visit the DocuSign Trust Center. Interested in finding out more about protection from cybersecurity risks? Find out more about protecting your organisation from cybersecurity threats and keeping electronic signatures safe.

Watch our event on-demand: Cyber Risks - How to Stay a Step Ahead

Hear from Louis Theroux; Lauri Love, former Anonymous hacker; and Harper Reed, former CTO of the Obama 2012 campaign.
Author: Mangesh Bhandarkar, GVP, Product Management