Thompson Rivers University
Thompson Rivers University
its-2016-banner37831

How to spot harmful DocuSign phishing scams

  Posted on: October 28, 2020

There’s been a rise in phishing messages that look like they are from DocuSign. These harmful emails are disguised as legitimate DocuSign notifications related to invoices or other financial documents that require your signature.

Phishing scams are a very popular tactic hackers use to trick you into thinking you’ve received an email or text (SMiShing = SMS phishing) from a reputable company. To help convince you to click links or open documents, scammers use logos, fake but realistic-looking email addresses and contacts, and other tactics to make their email look legitimate and ultimately get you to click a malicious link that could compromise your security.

An example of a recent DocuSign phishing email (see below for a legitimate example):

How to tell if this message is legitimate, or not:

1. Look at the subject line. In this example, it has ‘[Suspected Junk Mail][mg]” prepended to the original subject line. This tells you that our IT systems determined that the message may be fraudulent and alerts you to be wary of the contents. The grammar is also incorrect, which is a common sign of scam messages.

2. Look at the return email address. In this example, the address is not related to DocuSign or anyone at TRU. The address may be hidden behind a friendly name. To see the actual address, hover your mouse over the name and the email address will appear in a small pop-up window. Note that mobile devices don’t readily display the actual sender information and the bad actors are counting on that. An easy way to see the address is to start to forward the email (but don’t actually send it) and check the thread it creates.

3. Look at the message content. In this example, there in an attachment with no other context provided. If the attachment were to be opened, it would open in your default browser, and provide a link to another page, yet again not related to DocuSign or TRU.

An example of a legitimate version of an email from DocuSign:

Although this above example has been edited to remove personal information, you can see how a legitimate email from DocuSign looks different from the scam version.

If you receive an email that you suspect is phishing or SPAM, please do not click any links or open any attachments, and forward it to infosecurity@tru.ca.

Thank you for being watchful for scam emails, reporting any scam emails to Info Security and keeping TRU safe.


     

Search To Top