If you were redirected to this page, you fell for our phishing simulation. Don't worry, this was just a test - no passwords were captured, and your DocuSign account is not in danger.
This phishing simulation was designed to emulate an attack where a hacker sends out targeted phishing emails to SEM employees and our advisors.
Phishing attacks continue to be extremely widespread and one of the most effective ways for a hacker to gain access to you and your company. SEM will periodically conduct phishing simulations to make sure that we and our business partners are aware of the techniques used by cyber criminals. When it comes to security, your success is our success and vice versa.
Let's review some “red flags” in this simulated attack:
This is the phishing email you received:
Legitimate Docusign emails only come from one of two places: docusign.net.
When you send an email, it will often contain a Display Name. Most of the time, your email client will set your display name for you - often it'll be your name, e.g. “John Smith”. However, with a little technical knowledge, you can set the Display Name to whatever you want. This phishing email set the display name to DocuSign System ([email protected]), even though the email did not come from that email address or from DocuSign at all.
There is more information to the right of the Display Name. The actual email address here is: [email protected]. Notice that it is between two angle brackets <> instead of two parentheses ().
Notice the display name and email address in a legitimate email from DocuSign - it came from the docusign.net domain (there is no display name trickery here).
Spotting "red flags" in the email requires you to think critically about the content and context of the email. Here are some examples:
Individually, the "red flags" in the email don't guarantee that it is a phishing email. Some legitimate emails do want to convey a sense of urgency, or have vague details, etc. Each individual "red flag" is cause for concern and should increase your level of scepticism, but you should consider things holistically. The more red flags, the more likely it is that the email is not legitimate.
Some other tips:
In a legitimate DocuSign email, the link will always go to a URL whose domain is docusign.net.
On a desktop or laptop, if you hover over the REVIEW DOCUMENTS button in the email, you will see a preview of the link URL. Notice that the domain is account.docu.sign-landing.com.
This is a lookalike domain. It is designed to look like a legitimate DocuSign domain, but it is not.
You can also inspect links on mobile devices by long-pressing on the REVIEW DOCUMENTS button.
In general, you should avoid clicking links in emails if at all possible. You can inspect the link, but sometimes even legitimate links look a little scary or are hard to make sense of. A better plan is to go directly to the website and look for the information you need.
There are some situations - like a password reset or DocuSign email - where you may have to click the link. In these situations, you will want to take the other factors (email address, context, email content) into serious consideration before clicking - inspecting the link doesn't always make things clearer.
It is possible that you could be compromised even if you just click the link in a phishing email. However, it is still advantageous to know how to identify a phishing web page because the goal of many phishing attacks is to get you to input your login credentials on a fake web page. Let's look at some "red flags" on this phishing web page:
If you have a password manager, you should have noticed that it did not autofill or have any suggestions for you on this page. If your password manager does not suggest login credentials on a web page where it normally does, this is a big red flag - it's very likely that you're not on the legitimate web page.
If you don't have a password manager, this is one of many reasons that they are a good idea!
If you're reading this and don't have a password manager, stop what you're doing and go get one! Password managers have many benefits and are, in general, much better at deciphering URLs than the average human. However, it can still be useful to know what to look for yourself.
Look closely at the URL. Everything between https:// and the next / is the domain name. In this case, it is account.docu.sign-landing.com. This is the same lookalike domain we saw in the link in the phishing email. The domain for a legitimate DocuSign website will end in either docusign.net or docusign.com.
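As an added example (not part of SEM's page), here are the two checks described above written out in Python: separating the real sender address from the Display Name, and reading the domain between https:// and the next / and comparing it against the legitimate DocuSign domains. The sender address in the sample header is constructed, because the page does not give the address the simulation actually used.

```python
from email.utils import parseaddr
from urllib.parse import urlparse
import re

# Domains the page names as legitimate for DocuSign mail and web sites.
LEGITIMATE_DOMAINS = ("docusign.net", "docusign.com")

# Matches an e-mail address embedded in free text, e.g. inside a display name.
EMBEDDED_ADDRESS = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def registrable_match(host: str) -> bool:
    """True if host is a legitimate domain or a subdomain of one.

    A dotted-suffix comparison is used deliberately: the lookalike
    'account.docu.sign-landing.com' reads like DocuSign, but its registrable
    domain is sign-landing.com, so it must not match.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGITIMATE_DOMAINS)


def triage_from_header(from_header: str) -> dict:
    """Split a From: header into display name and real address, and flag
    display-name trickery: an address shown in the name whose domain differs
    from the domain the mail was actually sent from."""
    display_name, address = parseaddr(from_header)
    real_domain = address.rpartition("@")[2].lower()
    shown_domains = [d.lower() for d in EMBEDDED_ADDRESS.findall(display_name)]
    return {
        "display_name": display_name,
        "address": address,
        "sender_legitimate": registrable_match(real_domain),
        "display_name_trickery": any(d != real_domain for d in shown_domains),
    }


def triage_link(url: str) -> dict:
    """Take the domain the page tells you to read (between 'https://' and the
    next '/') and check it against the legitimate domains."""
    host = urlparse(url).hostname or ""  # hostname also drops any port
    return {"domain": host, "legitimate": registrable_match(host)}


if __name__ == "__main__":
    # Constructed sample header and link: the page does not give the real
    # sender address used in the simulation, so this one is made up.
    header = '"DocuSign System (dse@docusign.net)" <notify@docu.sign-landing.com>'
    print(triage_from_header(header))
    print(triage_link("https://account.docu.sign-landing.com/review/123"))
```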
You might have noticed the padlock icon to the left of the URL. This does not mean that the website is safe! It just means that the connection to the website is encrypted. For more information: What does the padlock in your address bar really mean?
If you have any questions about the content on this page, or our phishing simulations in general, feel free to email us at [email protected]