Kingston Police warn of 'Blank Image' DocuSign Scam - FYI

In case anyone using DocuSign wants to warn their clients about this:

Many email providers include security filters which check emails for malicious links or attachments. Kingston Police have issued a release outlining a new way cybercriminals are bypassing these filters called “blank image phishing.”

“The scam starts with a fake email that appears to be from DocuSign,” Kingston Police explained. “The email asks you to review and sign a document as soon as possible and contains an HTML attachment. Instead of an important document, the attachment is a blank SVG [Scalable Vector Graphic – essentially an image file] with malicious code. Because this code is hidden inside the attachment, the email can bypass security filters.”

According to police, when a user downloads the attachment, the code will redirect to a malicious website that will prompt the user to enter sensitive information. “If you enter this information, cybercriminals can use it for their own purposes,” police said.

1 Like
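A mail-filter style check for the kind of attachment the police release above describes, as an added example that is not part of the original post or the release. It assumes the SVG sits inside the HTML attachment either inline or as a base64 data URI (the release does not say which); the function names and the sample message are constructed for illustration.

```python
import base64
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Markup that can run code or navigate; a static image needs none of it.
ACTIVE = re.compile(r"<script\b|<foreignObject\b|\bon\w+\s*=|javascript:", re.I)
# Elements that actually draw something; none of them means a "blank" image.
VISIBLE = re.compile(r"<(path|rect|circle|ellipse|line|poly\w+|text|image|use)\b", re.I)
INLINE_SVG = re.compile(r"<svg\b.*?</svg>", re.I | re.S)
B64_SVG = re.compile(r"data:image/svg\+xml;base64,([A-Za-z0-9+/=]+)", re.I)

def svg_findings(markup):
    """Return sorted reasons the SVGs embedded in this markup look suspicious."""
    svgs = INLINE_SVG.findall(markup)
    for blob in B64_SVG.findall(markup):
        try:
            svgs.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except ValueError:  # malformed base64: nothing to inspect
            continue
    reasons = set()
    for svg in svgs:
        if ACTIVE.search(svg):
            reasons.add("active-content")
        if not VISIBLE.search(svg):
            reasons.add("blank-image")
    return sorted(reasons)

def scan_email(raw):
    """Map each HTML or SVG attachment's filename to its findings."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        if part.get_content_type() not in ("text/html", "image/svg+xml"):
            continue
        body = part.get_content()
        if isinstance(body, bytes):  # non-text parts come back as bytes
            body = body.decode("utf-8", "replace")
        report[part.get_filename() or "(unnamed)"] = svg_findings(body)
    return report

def constructed_sample():
    """Constructed message: HTML attachment embedding an empty SVG with an inert script."""
    svg = b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* inert */</script></svg>'
    html = '<embed src="data:image/svg+xml;base64,%s">' % base64.b64encode(svg).decode()
    msg = EmailMessage()
    msg.set_content("Please review and sign the attached document.")
    msg.add_attachment(html, subtype="html", filename="document.htm")
    return msg.as_bytes()
```

An attachment that reports both `active-content` and `blank-image` matches the pattern in the release: an image that draws nothing but carries code.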

Honestly not surprising. I’d suggest that all professional service businesses not use DocuSign. That company’s main focus is to prop up their stock while providing lacklustre and expensively garbage services.
When I first used them during the early pandemic, they would show the attachment of a client’s e-signature document in the email with no encryption. It ended up being a potential liability for my firm.

To make matters worse, they charge a premium to Canadian businesses if they wish to store their data on Canadian soil. Many businesses don’t even know they have that as a premium package; you have to ask for it specifically. On top of that, if you want to store that data in Canada, it costs $1,500 for 500 envelopes! Best to support Canadian companies that know and understand Canadian privacy laws and are reasonably priced.

1 Like