We’ve recently seen a number of DocuSign themed phishing messages targeting UNC email inboxes.
DocuSign provides guidance on How DocuSign Users Can Spot, Avoid and Report Fraud.
Here are some key takeaways:
- Who sent the email? Legitimate DocuSign messages should come from an email address that ends with DocuSign.com or DocuSign.net.
- Hover to discover! Always check where a link goes before clicking by hovering your mouse over the link to review the URL. Legitimate DocuSign links should be hosted on DocuSign.com or DocuSign.net.
- If you’re not sure whether or not the email is legitimate, go directly to www.docusign.com and input the security code found in the email to access the document. Note that the phishing messages we are seeing do contain a security code however it is embedded in a hyperlinked image file (i.e., trying to “copy” the code may inadvertently lead to clicking the link / opening a fake logon page). You can use the “Hover to discover!” technique over the code before attempting to highlight/copy the code to check if a URL is displayed. In an authentic DocuSign message, the code should be text that you can copy/paste into the access document area of the DocuSign website, not a link.
Here is one example of a DocuSign themed phish with emphasis on (1) and (2)
If you receive a fake DocuSign message, please use the Report Message > Phishing button in Outlook / heelmail.unc.edu.
If you accidentally clicked on the link, you may be directed to a fake Office365 login page. A few tell-tale signs for recognizing a fake Office365 login page:
- The URL field does not begin with https://sso.unc.edu or https://login.microsoftonline.com/
- The page appears to be “generic” (e.g., compare the Sign in page of the consumer version of https://outlook.live.com/ and the UNC branded https://heelmail.unc.edu, phishers will usually attempt to replicate the consumer version)
If you entered onyen credentials into a fake logon page, immediately reset your password via https://onyen.unc.edu. If you believe UNC Sensitive Information may have been at risk during the interval when the credentials were exposed, follow the Incident Management Standard by reporting a critical Incident via help.unc.edu or 919-962-HELP and awaiting contact from a UNC ISO incident handler.