The Internet is a critical component to your business and to conducting business on the DocuSign Global Network. While most of us use the Internet for good, there are malicious third parties who try to take advantage of others through scams, malware, and viruses. In fact, antivirus vendors report that malicious code incidents have been increasing by as much 3600% per week recently. Much of this activity is in the form of spam emails and web sites attempting to impersonate trusted brands in an effort to take advantage of the relationship those brands have with their customers.
DocuSign’s top priority is to make your DocuSigning experience safe and secure. While most of us have antivirus software that protects us from scams and fraud, it’s always smart to take extra precautions whenever possible. You are the first and best layer of defense in combatting online fraud. Learning to properly detect and avoid online and email scams is the ultimate protection against fraud. Here’s how you can further protect yourself, your business, and your customers in the New Year:
- Learn to spot fraudulent emails and web sites: First and foremost, if you don’t recognize the sender of an email, contact the sender to verify the authenticity of the email. You can always check for the following signs that an email may be fake:
- Attachments: Emails requesting you to DocuSign a document never contain attachments of any kind. DO NOT OPEN or click on attachments within an email requesting your signature. DocuSign emails only contain PDF attachments of completed documents after all parties have signed the document – and that’s only when the sender has configured DocuSign to provide a completed PDF. Even then and with emails from outside of DocuSign, pay close attention to the attachment to ensure it is a valid PDF file. DocuSign NEVER attaches zip files or executables.
- Fake email addresses: If you don’t recognize the sender of a DocuSign envelope or an email, contact the sender to verify the authenticity of the email. Even if you do recognize the sender, note that fake emails may include a forged email address in the “From” field to make it look legitimate. When spam filters catch these emails they typically put “SPAM” at the beginning of the subject line to alert you.
- Deceptive URLs and fake links. Only enter your DocuSign user name and password on DocuSign pages, which begin with http://www.docusign.com or https://www.docusign.net. If you see an @ sign in the middle of a URL, there’s a good chance it is fake. Legitimate companies use a domain name (e.g. http://www.company.com). Even if a URL contains the word “DocuSign,” it may not be a DocuSign site. Always log in to your DocuSign account by opening a new web browser and typing in http://www.docusign.com or https://www.docusign.net. This same advice applies to any company or brand that you trust or do business with. Always check where a link goes before you click on it. You can hover your mouse over the link to look at the URL in your browser or email status bar. A fraudulent link is dangerous and can:
- Direct you to a fake website that also attempts to look legitimate and tries to collect your personal data.
- Install spyware on your computer. Spyware is an application that can enable a hacker to monitor your actions and steal any login IDs, passwords, or credit card numbers you type online.
- Cause you to download a virus that could disable your computer or have a broader impact on your systems.
- Generic Greetings: Many fake emails begin with a generic greeting like “Dear [Company Name] Customer.” If you do not see your name in the salutation, be suspicious and do not click on any links or attachments.
- A false sense of urgency: Many fake emails try to deceive you with the threat that your account is in jeopardy if you don’t provide immediate updates. They may also state that unauthorized transactions have occurred on your account or that the sender needs to update your account information immediately.
- Emails that appear to be websites: Some fake emails are made to look like a website in order to get you to enter personal information. DocuSign never asks you for personal information, including login, ID, or password in email. Be cautious of other emails or web sites that do. It’s also a good best practice to refrain from having your web browsers save your passwords. Browser-cached passwords are the target of many malicious spam emails.
- Misspellings and bad grammar. While no one is perfect, fake emails often contain misspellings, incorrect grammar, missing words, and gaps in logic. Mistakes like this help fraudsters avoid spam filters.
- Unsafe sites. The term “https” should always precede any website address where you enter personal information. The “s” stands for secure. If you don’t see “https,” you’re not in a secure web session, and you shouldn’t enter data. Sometimes even malicious web sites may have an SSL certificate and often include a message like, “You have received a secure message from [company name]” within the email to try to trick you. Always be cautious.
- Pop-up boxes. DocuSign does not use pop-up boxes in emails. Be cautious of emails that do.
- Keep your user IDs and passwords safe: Use a strong password that is difficult for others to guess and avoid birthdays, names, and pet’s names. Change your password frequently. Never write down your password or share it with others. Never provide your account logins or passwords, credit card numbers, or other personal information via email or to unknown parties. Note: DocuSign will never ask our customers for their password.
- Exercise caution using public computers: Public web browsers can cache personal data and store login and password details. Always log off of web sites and clear the browser cache to protect your personal information, passwords, and accounts.
- Ensure your anti-virus software is enabled and up to date: Make sure to update all of your systems, even home systems, with the latest security and anti-virus software to protect yourself, your business, and your customers.
If you receive a questionable or fake email, DO NOT OPEN ANY ATTACHMENTS. Instead, forward the entire email to the DocuSign Security team at: firstname.lastname@example.org, then delete it immediately from your mailbox.
Thank you for helping DocuSign fight spam.