I was going about my business the other day when I received an e-mail from DocuSign, the electronic document signature service frequently used by modern businesses for things like procurement orders. I won’t post the actual message I received in the interest of client privacy, but it was somewhat similar to this other DocuSign scam found online:
Hmmm. No misspellings or design flaws. Mostly official-looking. No “Hello Dear Sir/Ma’am, kindly do the needful” or other strange, foreign-sounding lingo. None of the classic hallmarks of a phishing attempt.
I had been expecting something like this from DocuSign, as I was working on a procurement order, so this gave me brief pause. Was this the response to my procurement order I had been waiting for? But something seemed off. So I hovered my cursor over the “View Documents” link, and the pop-out field showed a web address leading to tinyurl.com, the popular link shortener.
It was instantly clear: this was a phishing attempt. No reputable business would ever use a public link-shortening service like TinyURL in a transactional e-mail; such links are far too vulnerable, far too open to exploitation, because the recipient cannot see where they lead.
I must admit, I was slightly ashamed as a matter of professional pride after the fact. True, I had identified this as a scam within seconds and was never in any danger of clicking the link, but as I mentioned, I had to think for a few seconds. What if I hadn’t known any better? What if I didn’t know anything about link shorteners or the vulnerabilities posed by them? What if I’d just been fooled by the reputable company name, the polished e-mail, and my own expectation of such an e-mail? This story might have had a much worse ending, albeit perhaps a more exciting one.
This is why e-mail security training is absolutely and unquestionably essential. It’s not enough to have a great spam filter or powerful antivirus solution. If users don’t understand how to identify phishing attempts when they get them, then you can throw the lion’s share of your cybersecurity out the window.
How can users be on the lookout? This list of the top 5 e-mail security tips from CSO Online is a good place to start:
1. Expect the Unexpected.
…Make sure to scrutinize any such emails before you download attachments or click on any included links, and use common sense. Did you actually order anything for which you’re expecting a confirmation? Did the email come from a store you don’t usually order supplies from? If so, it’s probably a phishing attempt.
2. Name Check.
If you receive an email or even an instant message from someone you don’t know directing you to sign in to a website, be wary… You also should double-check the “From” address of any suspicious email; some phishing attempts use a sender’s email address that is similar to, but not the same as, a company’s official email address.
3. Don’t Click on Unrecognized Links.
Typically, phishing scams try to convince you to provide your username and password, so they can gain access to your online accounts… Often, they’ll include embedded URLs that take you to a different site. At first glance, these URLs can look perfectly valid, but if you hover your cursor over the URL, you can usually see the actual hyperlink. If the hyperlinked address is different from what’s displayed, it’s probably a phishing attempt and you should not click through.
4. Poor Spelling And/Or Grammar.
It’s highly unlikely that a corporate communications department would send messages to its customer base without going through at least a few rounds of spelling and grammar checks, editing and proofreading. If the email you receive is riddled with these errors, it’s a scam.
5. Are You Threatening Me?
“Urgent action required!” “Your account will be closed!” “Your account has been compromised!” These intimidation tactics are becoming more common than the promise of “instant riches”, taking advantage of your anxiety and concern to get you to provide your personal information. Don’t hesitate to call your bank or financial institution to confirm if something just doesn’t seem right.
Cybersecurity expert Bruce Schneier had it right when he put it this way: “Only amateurs attack machines; professionals target people.” All the high-tech security in the world ain’t gonna protect against a weak-link user who can’t tell when they’re being targeted by a phishing attempt. Know the signs, know the risks, and know how to respond.