DocuSign is a company that provides technology for the transmission of contracts and other documents, with features for electronic signatures. Its service is used by many companies. Recently I received a phishing email, reproduced below, that purported to be from an attorney that I know and with whom I do business, asking me to click on a link to open a document that needed my signature. The phishing email looked very professional, contained the DocuSign logo and appeared legitimate. In the copy of the email below, I have blocked out the name and other personal information used to identify the attorney who was purported to have sent me the document. DO NOT CLICK ON THE LINK TO VIEW DOCUMENTS.
This is a spear phishing email designed to lure the person receiving it into clicking on the link and either providing personal information that could be used for identity theft or, as is more likely in this particular phishing attempt, merely clicking on the link would have downloaded keystroke-logging malware onto the computer of the person who clicked. This malware would have enabled the cybercriminal to steal all of the personal information from the computer and make that person a victim of identity theft. This email was particularly dangerous because it came from someone with whom I do business, whose email account was hacked and used to send out the spear phishing email.
Here is the email without the logo.
Thomas has sent you a new DocuSign document to view and sign. Please click on the ‘View Documents’ link below to begin signing.
Law Office of XXXXXXXXX
CONFIDENTIALITY NOTICE: This email message contains confidential information intended only for the person(s) or entity to whom it is addressed and is subject to attorney-client privilege. If you have received this email message in error, please destroy the original message.
CIRCULAR 230 DISCLOSURE: Pursuant to U.S. Treasury Regulations, we are now required to advise you that, unless otherwise indicated, any federal tax advice contained in this communication, including attachments and enclosures, is not intended and may not be used for the purpose of (1) avoiding tax related penalties under the IRC or (2) promoting, or recommending to another party any tax related matters addressed herein.
In this case, I actually followed my own advice never to click on a link, regardless of how legitimate the email or text message may appear, until confirming that the message is legitimate. I emailed the attorney back and asked him to confirm that it was legitimate and to answer a question to which I knew only he would know the answer. The response I got from him was that he had been hacked and I should not click on the link.
The lesson here is clear. You can never be sure, when you receive an email, who is really contacting you. Sometimes it is obvious, when the email address of the sender does not correspond to who is represented as sending the email, but at other times, such as in this case, the email account of someone or some company you trust could have been hacked and used to send you the malware. Therefore you should never click on a link or download an attachment in an email until you have absolutely and independently confirmed that it is legitimate.
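The point above is that the sender address alone proves nothing when the account itself has been taken over, so the one thing a recipient can still inspect before clicking is where each "View Documents" link really goes. The following is an added example, not code from the original post, that parses a message of this kind and reports every link whose visible text says DocuSign but whose real host is not a DocuSign domain. The sample message is constructed, the lure domain in it is a placeholder, and the list of legitimate DocuSign hosts (docusign.com, docusign.net) is an assumption used for illustration.

```python
"""Triage helper for a DocuSign-themed lure.

Parses an email, lists every link with its visible anchor text and the host it
actually points at, and flags links that do not land on a DocuSign domain.
Added example, not part of the original post; the sample message below is
constructed and the allowed-domain list is an assumption.
"""
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts that genuine DocuSign signing links use.
DOCUSIGN_DOMAINS = ("docusign.com", "docusign.net")

# Constructed sample: the lure wording from the post with placeholder addresses.
SAMPLE_EML = """\
From: Thomas <thomas@example-lawfirm.test>
To: recipient@example.test
Subject: Thomas has sent you a new DocuSign document
Content-Type: text/html; charset=utf-8

<html><body>
<p>Thomas has sent you a new DocuSign document to view and sign.
Please click on the 'View Documents' link below to begin signing.</p>
<p><a href="https://docs-view.example-lure.test/sign/123">View Documents</a></p>
<p><a href="https://www.docusign.com/">DocuSign</a></p>
</body></html>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_is_allowed(url, allowed=DOCUSIGN_DOMAINS):
    """True only if the URL's host is one of the allowed domains or a subdomain
    of one; 'docusign.com.evil.test' is deliberately rejected."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in allowed)


def extract_links(raw_eml):
    """Return [(href, anchor_text), ...] from the HTML (or plain) body."""
    msg = message_from_string(raw_eml, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    parser = _AnchorCollector()
    parser.feed(html)
    return parser.links


def triage(raw_eml):
    """Return a list of findings; an empty list means no link looked off.

    Note that a clean result does not prove the mail is genuine: as in the
    post, the sending account itself may be compromised."""
    msg = message_from_string(raw_eml, policy=policy.default)
    name, addr = parseaddr(str(msg["From"]))
    findings = []
    for href, text in extract_links(raw_eml):
        host = urlparse(href).hostname or "(no host)"
        if not host_is_allowed(href):
            findings.append(
                f"link '{text}' from {name} <{addr}> points at {host}, "
                "which is not a DocuSign host"
            )
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EML):
        print("SUSPICIOUS:", finding)
```

Running it against the constructed sample reports the "View Documents" link because it resolves to the placeholder lure host, while the footer link to docusign.com passes. The tool is a pre-click check only; as the post says, the sender address passing inspection is no guarantee, so the out-of-band confirmation the author used remains the decisive step.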