2023 Phishing Simulation

If you were redirected to this page, you fell for our phishing simulation. Don't worry, this was just a test - no passwords were captured, and your DocuSign account is not in danger.

This phishing simulation was designed to emulate an attack where a hacker sends out targeted phishing emails to SEM employees and our advisors.

Phishing attacks continue to be extremely widespread and one of the most effective ways for a hacker to gain access to you and your company. SEM will periodically conduct phishing simulations to make sure that we and our business partners are aware of the techniques used by cyber criminals. When it comes to security, your success is our success and vice versa.

Let's review some “red flags” in this simulated attack:

Email:

This is the phishing email you received:

Screenshot of full email

Email Address

Legitimate DocuSign emails only come from one of two places:

  1. The official DocuSign email address, whose domain is docusign.net.
  2. A custom email address configured by the company that is sending the DocuSign envelope. This is not a common configuration, but even in this case, the domain name should match the company that is sending it.

When you send an email, it will often contain a Display Name. Most of the time, your email client will set your display name for you - often it'll be your name, e.g. “John Smith”. However, with a little technical knowledge, you can set the Display Name to whatever you want. This phishing email set the display name to DocuSign System ([email protected]), even though the email did not come from that email address or from DocuSign at all.

There is more information to the right of the Display Name. The actual email address here is: [email protected]. Notice that it is between two angle brackets <> instead of two parentheses ().

Notice the display name and email address in a legitimate email from DocuSign - it came from the docusign.net domain (there is no display name trickery here).

Screenshots: Display Name in Inbox; Display Name in Email; Actual Email Address; Legitimate Email from DocuSign.

Email Content

Spotting "red flags" in the email requires you to think critically about the content and context of the email. Here are some examples:

  • "You don't often get email from..." - Your email provider may have the ability to configure a banner which warns you when you receive email from a sender you don't often receive email from. If you haven't configured this, we strongly recommend that you do. Notice that the banner shows the real from address. In Microsoft 365, this feature is called First contact safety tip.
  • Vague details - Notice how generic the email content is. Normally a DocuSign envelope will reference at least part of the client's name, or family name, or account number, etc. In a legitimate situation, referring to something only as "Client distribution amendmendment" would make things harder to keep track of.

Individually, the "red flags" in the email don't guarantee that this is a phishing email. Some legitimate emails do want to convey a sense of urgency, or have vague details, etc. Each individual "red flag" is cause for concern and should increase your level of scepticism, but you should consider things holistically. The more red flags, the more likely it is that the email is not legitimate.

Some other tips:

  • If possible, go directly to the website using a known good link (like a Bookmark), even if you're pretty sure that the link is legitimate. This is not possible with certain kinds of emails (e.g. password resets).
  • If you're unsure, you can ask a coworker or contact the sender to ask if the email is legitimate.
  • If you do contact the sender, don't reply directly to the phishy email. If possible, don't send them an email at all. If the attacker has control of the mailbox you're replying to, they can simply reply to your email and say "yes this is legitimate". Use a different form of communication, like a phone call.

Screenshots: First contact safety tip; Phishing Email Body.

Link URL

In a legitimate DocuSign email, the link will always go to a URL whose domain is docusign.net.

On a desktop or laptop, if you hover over the REVIEW DOCUMENTS button in the email, you will see a preview of the link URL. Notice that the domain is account.docu.sign-landing.com. This is a lookalike domain. It is designed to look like a legitimate DocuSign domain, but it is not.

You can also inspect links on mobile devices by long-pressing on the REVIEW DOCUMENTS button.

In general, you should avoid clicking links in emails if at all possible. You can inspect the link, but sometimes even legitimate links look a little scary or are hard to make sense of. A better plan is to go directly to the website and look for the information you need.

There are some situations - like a password reset or DocuSign email - where you may have to click the link. In these situations, you will want to take the other factors (email address, context, email content) into serious consideration before clicking - inspecting the link doesn't always make things clearer.

Screenshots: Link URL (Outlook desktop app); Email in Outlook for iOS; Preview after long-pressing on link.

Landing Page

It is possible that you could be compromised even if you just click the link in a phishing email. However, it is still advantageous to know how to identify a phishing web page because the goal of many phishing attacks is to get you to input your login credentials on a fake web page. Let's look at some "red flags" on this phishing web page:

Screenshot of full landing page

Password manager

If you have a password manager, you should have noticed that it did not autofill or have any suggestions for you on this page. If your password manager does not suggest login credentials on a web page where it normally does, this is a big red flag - it's very likely that you're not on the legitimate web page.

If you don't have a password manager, this is one of many reasons that they are a good idea!

Screenshots: Suggestions and autofill on real web page; No suggestions on phishing page.

URL

If you're reading this and don't have a password manager, stop what you're doing and go get one! Password managers have many benefits and are, in general, much better at deciphering URLs than the average human. However, it can still be useful to know what to look for yourself.

Look closely at the URL. Everything between https:// and the next / is the domain name. In this case, it is account.docu.sign-landing.com. This is the same lookalike domain we saw in the link in the phishing email. The domain for a legitimate DocuSign website will end in either docusign.net or docusign.com.
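The two checks described on this page (the actual From address versus its Display Name in the Email Address section, and the domain of a link URL here) can be written down as code. This is an added example, not part of SEM's page or DocuSign's tooling; the allowed domains docusign.net and docusign.com are the ones the page states, and the sample header and URLs are constructed for the example, not the simulation's real values.

```python
"""Added example (not from the SEM page): code versions of the two checks the
page describes: the actual From address vs. its Display Name, and the host of a
link URL. The allowed domains (docusign.net, docusign.com) are the page's; the
sample header and URLs are constructed for this example."""
from email.utils import parseaddr
from urllib.parse import urlsplit

LEGIT_DOMAINS = ("docusign.net", "docusign.com")


def domain_is_legit(host, allowed=LEGIT_DOMAINS):
    """True only if host is an allowed domain or a subdomain of one.
    Anchoring the suffix at a dot means 'docu.sign-landing.com',
    'notdocusign.net' or 'docusign.net.evil.test' all fail."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def check_from_header(from_header):
    """Separate the Display Name from the actual address (the part in <>)
    and judge the address domain, never the display name."""
    display_name, address = parseaddr(from_header)
    domain = address.rpartition("@")[2]
    legit = domain_is_legit(domain)
    return {
        "display_name": display_name,
        "address": address,
        "domain": domain,
        "legit": legit,
        # The trick described above: a display name that says DocuSign
        # while the real address comes from somewhere else.
        "display_name_mismatch": "docusign" in display_name.lower() and not legit,
    }


def check_link(url):
    """The host is everything between https:// and the next /; urlsplit
    extracts exactly that, so text after the / cannot mislead the check."""
    host = urlsplit(url).hostname or ""
    return {"host": host, "legit": domain_is_legit(host)}


# Constructed samples, not the simulation's real values.
PHISH_FROM = '"DocuSign System (dse@docusign.net)" <notify@example-mailer.test>'
REAL_FROM = "DocuSign NA2 System <dse_NA2@docusign.net>"
PHISH_URL = "https://account.docu.sign-landing.com/login?ref=docusign.net"
REAL_URL = "https://account.docusign.com/"

if __name__ == "__main__":
    for header in (PHISH_FROM, REAL_FROM):
        print(check_from_header(header))
    for url in (PHISH_URL, REAL_URL):
        print(check_link(url))
```

Run stand-alone it prints the verdict for each constructed sample; the phishing header and URL both come out with `legit: False`, and the header additionally flags the display-name mismatch.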

You might have noticed the padlock icon to the left of the URL. This does not mean that the website is safe! It just means that the connection to the website is encrypted. For more information: What does the padlock in your address bar really mean?

Screenshots: Phishing page URL; Real DocuSign URL.

Questions?

If you have any questions about the content on this page, or our phishing simulations in general, feel free to email us at [email protected].