Wait, That Was a Test!
You clicked a simulated phishing link as part of our Security Awareness Program. Let us learn how to spot these in the future.
Do not worry! This was only a simulation. Nothing bad happened and you do not need to change your password. We are here to help you learn, not to punish.
Let Us Break Down This DocuSign Phishing Email
External Email: This email was sent from outside VIU. Treat links and attachments with extra caution.
Red Flag #1: External Email Warning
The "External Email" banner is your first warning. Legitimate internal notifications or trusted external services usually have recognizable sender addresses. Although the display name might say "DocuSign", always check the actual email address. If it comes from a generic domain (like @gmail.com) or a look-alike domain (like @docusign-support.com), it is likely a scam.
Red Flag #2: Suspicious Buttons & Links
Hover before you click. Scam emails often use buttons labeled "Review & Sign" to hide the malicious destination. Legitimate DocuSign links should always point to docusign.com or docusign.net. If the link uses a shortener (like bit.ly) or a strange domain, do not click it.
Hi [Name],
Your consent form is ready. Required to proceed with litigation.
Document accessible only to: [your.email@viu.ca]
Legal Team
viu.ca
Red Flag #3: High-Pressure Tactics & Context
"Required to proceed with litigation" is a high-pressure tactic designed to make you panic and click without thinking. Ask yourself: Was I expecting this? Am I involved in any litigation? If the request is unexpected or threatening, verify it through a separate channel before acting.
Spotting DocuSign Phishing Scams
DocuSign is one of the most commonly impersonated brands. Here is how to stay safe:
- Check the "From" Address: Legitimate emails come from @docusign.com or @docusign.net. Avoid look-alikes like @docusign-support.com.
- No Attachments: Legitimate DocuSign requests never include attachments like .zip or .exe files.
- Verify the URL: Use your mouse to hover over any buttons. Ensure the link goes to a valid DocuSign domain.
- The Golden Rule: If you have any doubt, do not use the link in the email. Go directly to docusign.com in your browser and enter the security code from the email (if provided) or log in to view your documents.
What Is the Number One Thing I Could Do
The number one thing you can do is treat your Inbox(es) like a school zone. Slow down when reading and acting on email.
We are all used to driving 10 km/hr over the speed limit on the highway. That behaviour can translate into our work. We are all super busy, and our attention is split. It is easy to be on autopilot without taking a moment to pause and think about what we are doing. However, I suspect none of us speed in a school zone. We slow down because of the heightened risk and greater impact of making a mistake on that stretch of road.
Email is the highest-risk area of your job: it is where you are most likely to be exploited and manipulated into granting access to or sharing sensitive information.
What Should You Do Next Time?
Tips for identifying legitimate DocuSign emails:
- Hover over links. Real DocuSign URLs contain docusign.net or docusign.com
- Check the sender. Legitimate DocuSign emails come from @docusign.net or @docusign.com
- Ask yourself: Was I expecting this? Do I know the sender?
- Verify separately. Contact the supposed sender through another channel
- Report it. Use the "Report Phishing" button in Outlook for suspicious emails
- When in doubt, contact IT. We are here to help!
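The sender and link checks from the tips above, written out as an added Python example (not part of the original page or any VIU tooling). It compares the real address and the real link hostname against the two DocuSign domains named on this page; the function names, the shortener set and the sample addresses and URLs are constructed assumptions.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Domains this page names as legitimate for DocuSign senders and links.
TRUSTED = ("docusign.com", "docusign.net")
# Assumption: the page names only bit.ly; extend this set for your environment.
SHORTENERS = {"bit.ly"}


def classify_domain(host: str) -> str:
    """Classify a hostname against the trusted DocuSign domains."""
    host = host.lower().rstrip(".")
    if not host:
        return "suspicious: no domain found"
    # Exact match or true subdomain only. A substring test is not enough,
    # because a look-alike can contain "docusign.com" anywhere in its name.
    if any(host == d or host.endswith("." + d) for d in TRUSTED):
        return "ok"
    if host in SHORTENERS:
        return "suspicious: link shortener"
    if "docusign" in host:
        return "suspicious: look-alike domain"
    return "suspicious: not a DocuSign domain"


def check_sender(from_header: str) -> str:
    """Judge the real address in a From header, ignoring the display name."""
    _display_name, address = parseaddr(from_header)
    _local, at, domain = address.rpartition("@")
    return classify_domain(domain if at else "")


def check_link(url: str) -> str:
    """Judge the hostname a link actually points to."""
    return classify_domain(urlsplit(url).hostname or "")


if __name__ == "__main__":
    # Constructed samples, not taken from any real message.
    for header in ('DocuSign <notifications@docusign.net>',
                   '"DocuSign" <sign@docusign-support.com>',
                   'DocuSign <docs.notify@gmail.com>'):
        print(f"{header!r:45} -> {check_sender(header)}")
    for link in ("https://app.docusign.com/documents/abc",
                 "https://bit.ly/abc123",
                 "https://docusign.com.sign-portal.example/review"):
        print(f"{link!r:45} -> {check_link(link)}")
```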