Phishing Emails - How to Protect Your Customers When Using E-Signature

Dilani Silva, August 11, 2019

According to a 2019 PhishLabs report, the volume of phishing attacks against U.S. targets rose over 40% in 2018. Phishing continues to be one of the most common and successful social engineering schemes globally, with no sign of slowing down. Phishing tricks people into clicking malicious links to download malware or provide confidential information to criminals. Web service impersonation attacks, a type of phishing attack using a recognized brand, are on the rise; they involve fake websites and emails that prompt people to log in and give up their credentials to criminals. With the stolen credentials, attackers can log in to other services and impersonate the victim to steal funds.

Scammers and phishers adapt to current events and seasonal business activity. Last year, we saw opportunistic GDPR-related phishing emails and income tax scams. One tactic is to mask malware with something as routine as an invoice or shipping notice. Brandjacking, where malicious emails impersonate recognized brands, also remains a popular tactic for phishers. Vendors like DocuSign are under constant attack by scammers (2017, 2018, 2019, 2020), who send spoofed emails purportedly from the vendor’s e-signature service. DocuSign is a prime target for malicious and voluminous phishing attacks because of the widespread use of its brand across its e-signature service and email notifications. If these types of spoofing techniques end up reaching your end customers, they could lead to malware downloads (such as ransomware) and hackers exploiting the customers’ identity and personal information.

The same applies to business partners and employees. According to a 2018 Threat Report from eSentire Threat Intelligence, having Facebook credentials compromised will impact your personal life more than anything; but “theft of DocuSign or Dropbox credentials could have serious impact on a business.” When credentials are re-used for multiple accounts in an organization, compromise of those credentials can have even more severe implications.

Protect Your Brand & Customers against Phishing Emails

As a business, you’ve invested a lot of money to build and promote your brand. Your brand matters, because it represents the essence of what your company stands for. A negative experience related to your brand can quickly lead to lost business, customer churn, and a negative impact on your company’s bottom line. The Human Factor Report describes advanced cyberattacks that focus on exploiting credentials. The figure below, extracted from this report, outlines the effectiveness of phishing emails that were based on web services such as DocuSign, OneDrive, and Dropbox. Email click-through rates are alarmingly high. Each click means that the attacker is one step closer to obtaining and exploiting confidential customer information.

[Figure: effectiveness of phishing emails based on web services such as DocuSign, from the Human Factor Report]

So, what can a company do to protect its customers and reputation? As a digital security company that has prevented billions of dollars in potential fraud, we understand the importance of ensuring your consumers have a trusted journey through the entire digital transaction. The advice we give to our customers is to white-label the entire e-signature experience. You should be able to put the spotlight on your brand to ensure an uninterrupted transition between your branded application and the e-sign application. Industry best practices have shown that a seamless, fully branded transaction reinforces customers’ trust and encourages high adoption rates. 

If you’re using an e-signature solution where the vendor’s logo and brand are a prominent part of the e-signature experience, your consumer will logically create an association between your company and the e-signature vendor. If the vendor experiences a security or data breach such as the DocuSign breach, even though it is completely unrelated to your business, it can have a spillover effect that affects your company by association. Furthermore, a vendor-branded e-sign experience puts your signers at risk. When a client of yours is the recipient of a phishing scam, the scam’s main goal is to exploit their identity and personal information. If successful, it will impact their trust in your business and can cause them to rethink their relationship with you.

Decrease the Vulnerability of Attacks with White-Labeling

When evaluating e-signature solutions, make sure that your vendor has your best interests at heart and is invested in your success. If a vendor won’t permit you to keep the focus on your brand, consider that a red flag. Unlike other e-signature providers that insist that their brand is front and center within your application, OneSpan Sign enables you to fully white-label the experience – keeping the entire focus on strengthening your brand. Whether your signing experience is initiated via an email notification or directly within a web portal or mobile app, OneSpan Sign lets you white-label every aspect of the e-signature process. This is the #1 thing you can do to protect your brand and your customers, and deter sophisticated scammers from making you their next target. Look for an e-signature provider that enables you to:

  • Integrate with your own email servers to allow emails to be sent from your domain instead of theirs (e.g., sent via [insert vendor name])
  • Customize the content and look-and-feel of email notifications
  • Customize the colors, logo and the visibility of elements such as headers, navigation bars, footers, etc.
  • Customize dialog boxes and error messages

Multi-factor Authentication (MFA)

In addition to white-labeling, businesses should never overlook security measures such as multi-factor authentication. According to a Google survey, this is one of the top ways that security experts protect themselves online. MFA requires that people prove their identity using two or more verification methods before they can be authenticated and given access. In this way, if one factor is compromised or broken, the attacker still has at least one more barrier to breach before breaking into the target. When it comes to phishing, properly implemented MFA methods are a much stronger deterrent than a single-factor username and password.

Today, there are many MFA options that strike a balance between security and usability. In addition to the traditional one-time password (OTP) hardware tokens, mobile options such as fingerprint scan and facial recognition are easy to use, making the authentication experience frictionless. Other MFA methods for mobile include one-time passwords delivered through a mobile authenticator app or SMS message. As a market leader in multi-factor authentication, we can help you understand which options are best for your unique needs and users. 

To learn more about e-signature security, read our report on Security and Trust: Best Practices for Implementing Electronic Signatures.



Dilani Silva is a Product Marketing Manager at OneSpan. In her role, she manages and executes the go-to-market strategy, positioning, messaging and sales enablement for OneSpan’s e-signature solution, OneSpan Sign.