Automation Increases DocuSign Phishing

You may be wondering why you are seeing more weird DocuSign emails in your inbox lately. We've been seeing those, along with emails themed on other digital signature services, en masse lately, too.

In short, it's due to automation.

In addition to a simple web interface, DocuSign and many other online signature services provide users with an API for automating workflows. APIs allow services from different vendors to communicate and automate workflows for efficiency.

Imagine you are a national or global brand and need signatures from your clients regularly. You could be a bank, an investment firm, an insurance carrier, or some other financial service. If you had to get these signatures by paper, it would take weeks or months. Digital signature software allows that to be automated, but initially it still required a human to input the details and documents to sign. This is how we do our service and project agreements, but we only have one at a time.

Now imagine if you had thousands of these daily. How many people would it take performing the monotonous task of uploading forms, adding email addresses, and designating signature blocks?

This is where APIs provide great power. These large companies can automate the process by designing software on their side to be more efficient with their workflows. They won't need to go through all the steps to upload the file, add the email address, designate the signature blocks, etc. They can just click on a list of customers and then tell the software to "Send Form XYZ for signature". Thousands of signatures sent by one person in the span of a second instead of hundreds of people across several days.

At this point, you can probably see why the number of phishing attacks using DocuSign and other digital signature services has risen sharply. With great power comes great responsibility.

These digital signature services, in an effort to be user-friendly and easy to set up, often do very little validation up front during account setup. Anyone can sign up for the service, for purposes good or bad. And when the baddies use the service, the service lends some level of legitimacy to the phishing email.

So unfortunately, we now have to treat all DocuSign and other digital signature emails as suspect.

What's that phrase we say all the time? Ahh yes, "Think before you click!"

  • Are you expecting this?
  • Is this someone you do business with?
  • Can you call them and confirm before clicking?

Fortunately for our clients, our filtering software is pretty good about spotting these and pulling them out for our review. In almost all cases, the ones it catches for our clients turn out to be phishing. I'm pretty sure we don't have any clients who are signing hundreds of disparate documents on a daily basis.
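The "treat every signature request as suspect" rule, written as a mail-triage check. This is an example added here, not the filtering software mentioned in this post. The watched sending domains, the counterparty list, and the use of the Reply-To header to identify who created the request are assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for illustration: watched sending domains and the counterparties
# this organisation really exchanges agreements with.
SIGNATURE_SERVICE_DOMAINS = {"docusign.net", "docusign.com"}
EXPECTED_COUNTERPARTIES = {"contracts@partner.example"}

def _addr(msg, header):
    """Lower-cased address part of a header, '' when absent."""
    return parseaddr(msg.get(header, ""))[1].lower()

def triage(raw_message):
    """Return 'deliver' or 'hold_for_review' for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    display_name = parseaddr(msg.get("From", ""))[0].lower()
    domain = _addr(msg, "From").rpartition("@")[2]
    from_service = any(domain == d or domain.endswith("." + d)
                       for d in SIGNATURE_SERVICE_DOMAINS)
    if not from_service:
        # Brand name in the display name but a foreign domain: plain spoof.
        return "hold_for_review" if "docusign" in display_name else "deliver"
    # The message really came from the service, so SPF/DKIM/DMARC results say
    # nothing about who created the request. Assumption: the service puts the
    # requesting account's address in Reply-To; judge that, not the From line.
    requester = _addr(msg, "Reply-To")
    return "deliver" if requester in EXPECTED_COUNTERPARTIES else "hold_for_review"

# Constructed sample messages (not real mail).
KNOWN = ("From: Pat via DocuSign <dse@docusign.net>\n"
         "Reply-To: contracts@partner.example\n"
         "Authentication-Results: mx.example; dkim=pass; spf=pass\n"
         "Subject: Please sign: Service Agreement\n\nbody\n")
UNKNOWN = KNOWN.replace("contracts@partner.example", "billing@unknown.example")
SPOOFED = "From: DocuSign <notice@mailer.example>\nSubject: Review document\n\nbody\n"
ORDINARY = "From: Sam <sam@partner.example>\nSubject: Lunch?\n\nbody\n"

if __name__ == "__main__":
    for name, raw in [("known", KNOWN), ("unknown", UNKNOWN),
                      ("spoofed", SPOOFED), ("ordinary", ORDINARY)]:
        print(name, "->", triage(raw))
```

A held message still needs the human check from the list above: confirm with the supposed sender by phone before anyone opens the link.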

If we aren't already on your team, give us a call. We'd love to chat.