DocuSign users recently received phishing emails after the company suffered a data breach. My company uses DocuSign, so what steps should it take to protect itself?
According to DocuSign Inc., the electronic signature provider, the breach exposed no personal information beyond customer and employee email addresses; it was those addresses that then received phishing emails carrying suspicious attachments.
Although DocuSign's systems were breached, the electronic signature service itself was not compromised: signed documents are encrypted, an audit trail is maintained, and completed PDF attachments continued to be delivered once all parties had signed.
However, the attackers took advantage of the customer email list obtained in the breach. They crafted a spoofed DocuSign notification that linked to a Microsoft Word document containing malware and sent it to customers, where it passed as a legitimate company email.
TechHelpList.com reported the malware could be used to steal passwords and banking credentials.
Here are six steps a company should take to protect itself from the DocuSign phishing email and similar attacks:
- Upgrade to the DocuSign subscription plan that includes notifications and signer attachments in PDF format. The company can choose between Business Pro for general subscribers and DocuSign for realtors.
- Enforce BYOD and DocuSign usage policies: mobile devices that end users bring to work must be company-approved or company-issued.
- Publish Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) records for the company's own email domains, and configure the inbound mail gateway to check them on incoming mail so that messages failing authentication, spoofed DocuSign notifications included, are flagged and quarantined. SPF and DMARC are DNS records published by the owner of the sending domain; they protect recipients only when the receiving server enforces them. Boost the defense layer with automatic antivirus software updates and open source network monitoring tools for workstations.
- Visit the DocuSign Trust Center to learn about keeping personal data safe and reporting system failures, suspicious emails and security incidents.
- Schedule training for end users on spotting messages like the DocuSign phishing email: deceptive URLs, look-alike web addresses and misspellings of the company name. End users should open their documents by going directly to the DocuSign website and entering the security code printed at the bottom of a legitimate DocuSign notification email, rather than clicking links in the message, and they must heed browser warnings about malicious sites.
- Encourage users to use Twitter to stay informed of security updates and alerts. Remind users to use strong passwords and enable the option to require an email address or phone number to reset the password.
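As an added example for the third step (it is not code from the original column, from DocuSign or from TechHelpList), the following Python script shows how an inbound mail gateway applies a sender domain's published SPF and DMARC records to a message, and what it reports when those records are weak. The DNS answers, domains, addresses and message headers are all constructed placeholders, and the sending-IP and signature checks that SPF and DKIM actually perform are replaced by flags so that the script runs offline.

```python
# Added example, not code from the original article or from DocuSign: the checks an
# inbound mail gateway applies before quarantining a message, driven by the From
# domain's published SPF and DMARC records. Every domain, address and header is invented.
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed DNS answers; a real gateway reads TXT records of "<domain>" and "_dmarc.<domain>".
FAKE_DNS = {
    "signing-service.example": "v=spf1 include:_spf.signing-service.example -all",
    "_dmarc.signing-service.example": "v=DMARC1; p=reject; adkim=r; aspf=r",
    "weak.example": "v=spf1 +all",
    "_dmarc.weak.example": "v=DMARC1; p=none",
}

def org_domain(domain):
    """Organizational domain for relaxed alignment. Simplified to the last two
    labels; production code consults the Public Suffix List (co.uk and friends)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])

def parse_tags(record):
    """Turn a 'tag=value; tag=value' DMARC record into a dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def spf_all_qualifier(record):
    """Qualifier on the terminating 'all' mechanism ('-', '~', '?', '+') or None
    when absent. Only '-all' and '~all' make unlisted senders suspicious."""
    match = re.search(r"(?:^|\s)([-~+?]?)all(?:\s|$)", record)
    return (match.group(1) or "+") if match else None

def aligned(from_domain, auth_domain, mode):
    """DMARC identifier alignment: 's' is an exact match, 'r' the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(raw_message, dns=FAKE_DNS, spf_pass=True, dkim_pass=True):
    """Apply DMARC to one raw message. spf_pass/dkim_pass stand in for the
    gateway's sending-IP and signature checks, which need network access."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    envelope_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2]
    dkim = re.search(r"\bd=([^;\s]+)", msg.get("DKIM-Signature", ""))
    dkim_domain = dkim.group(1) if dkim else ""

    dmarc = parse_tags(dns.get("_dmarc." + from_domain)
                       or dns.get("_dmarc." + org_domain(from_domain), ""))
    policy = dmarc.get("p", "none")
    spf_ok = spf_pass and aligned(from_domain, envelope_domain, dmarc.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, dmarc.get("adkim", "r"))

    # Weak spots in the sender's own records: what a company fixes on its own
    # domain so that its customers' gateways can drop mail spoofing it.
    weaknesses = []
    if not dmarc:
        weaknesses.append("no DMARC record: receivers are never told to reject spoofs")
    elif policy == "none":
        weaknesses.append("DMARC p=none only reports; spoofed mail is still delivered")
    if spf_all_qualifier(dns.get(from_domain, "")) in (None, "+", "?"):
        weaknesses.append("SPF does not fail unlisted senders (missing, +all or ?all)")

    # Link hosts outside the From organizational domain: the look-alike address
    # signal users are trained to spot, caught here by the gateway instead.
    hosts = re.findall(r"https?://([^/\s\"'<>]+)", msg.get_payload())
    foreign_links = sorted({h for h in hosts if org_domain(h) != org_domain(from_domain)})

    if spf_ok or dkim_ok:
        verdict = "pass"
    else:
        verdict = policy if policy in ("reject", "quarantine") else "deliver"
    return {"from_domain": from_domain, "dmarc_policy": policy, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "verdict": verdict, "weaknesses": weaknesses,
            "foreign_links": foreign_links}

# Constructed messages. The spoof copies the display name and From address of the
# legitimate notification, but envelope sender, DKIM signer and link host do not match.
SPOOFED = """From: "Signing Service" <notify@signing-service.example>
Return-Path: <bounce@mailer.attacker.example>
DKIM-Signature: v=1; a=rsa-sha256; d=attacker.example; s=k1; bh=PLACEHOLDER; b=PLACEHOLDER
Subject: Please review and sign your document
To: employee@corp.example

Open your document: https://signing-servlce.example/view/document.docm
"""

LEGITIMATE = """From: "Signing Service" <notify@signing-service.example>
Return-Path: <bounce@mail.signing-service.example>
DKIM-Signature: v=1; a=rsa-sha256; d=signing-service.example; s=k1; bh=PLACEHOLDER; b=PLACEHOLDER
To: employee@corp.example

All parties have signed: https://app.signing-service.example/completed
"""
```

`evaluate(SPOOFED)` returns a `reject` verdict because neither the envelope sender nor the DKIM signer aligns with the From domain, and it lists the look-alike link host, while `evaluate(LEGITIMATE)` passes. The `weaknesses` list is the part to run against the company's own domains: a `p=none` policy or a permissive `+all` leaves its customers' gateways with nothing to enforce.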
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)