Month: January 2025

Approved: See Completed EFT Payment (DocuSign scams)

Attackers do abuse legitimate services like DocuSign to send phish, commit spoofing, fraud or steal personal data.

Take note that the sender address is legitimate, dse_NA4@docusign.net. The body contains a 32 character security code in it, usual for a DocuSign email. If you scroll over the link, it also appears to be on DocuSign’s servers, however this could contain a redirect, sending you to a malicious website or download malware.

Red flags:

  • The sender name and email address contained in the body do not match. They are also very generic ie. james wood and mark harry.
  • The link contained in the email “_wildcard_.usentden***” is suspicous.
  • Grammatical error, the use of a capital letter in the middle of the sentence where it says, “These document(s) are related to the Completed transaction”.
  • If you do not recognize the sender, this should raise a red flag.

Reach out to the helpdesk if you have clicked on any links or provided any personal information to fake DocuSign emails like this.

Subject: Approved: See Completed EFT Payment
From: james wood via Docusign

james wood sent you a document to review and sign.
Review Document [by clicking on the review document button]

james wood
mark harry45111@outlook.com

These documents are related to the Completed transaction.

You can download these documents by clicking the links below.
_wildcard_.usentdensredocument.it.com/sadGEgve

Fake email quarantine phish

This phishing email pretends to be from Microsoft alerting the user that their UVic email has quarantined messages. You may see variations of this pretending to come from UVic tech support or something to that effect. It uses a false sense of urgency to try and trick you into clicking on the “View Messages” button. They use the Microsoft logo to try appear to be legitimate.

Here are some ways to recognize this as a phishing email:

  • Always check the sender address, in this case it was a phishing email address.
  • Urgent call to action creating a false sense of urgency.
  • The warning message “You don’t often get email from info@***.pe. This is an alert that this sender may be untrusted.
  • Poor grammar – “act now to release messages to avoid missing on important message.”

Remember to be cautious and never click on any link unless you are sure it is coming from a trusted source. If you are unsure reach out to the helpdesk or your support person.

Subject: You have high priority messages in quarantine

From: info@[redacted].pe

You don’t often get email from info@[redacted].pe. Learn why this is important.

Action required

  • User ID: [redacted]@uvic.ca
  • Date and Time Added: 1/13/2025, 9:12:53 PM
  • Message ID: 5 incoming messages are being held for your review.

Act now to release messages to avoid missing on important message. [By clicking on View Messages button.]