Threat actors target senior executives in sophisticated BEC ploys
Business Email Compromise (BEC) occurs when threat actors impersonate company executives to trick employees into sending confidential information or wiring funds to bank accounts the criminals control. Reportedly, attackers are abusing Microsoft Office 365 accounts to do this: rather than exploiting a software flaw, they phish the account owner's Office 365 credentials and then use the genuine mailbox to pose as an executive and send fraudulent invoices and payment requests. The ploy runs as follows:
· The target receives a phishing email that appears to come from a docusign.net address and looks like a valid DocuSign signing request.
· Clicking the malicious link redirects to a fake Microsoft Office 365 login page.
· Entering a username and password on that page sends the credentials to the attacker.
· Once the attacker has access to the mailbox:
o The attacker monitors email threads
o Registers a look-alike domain that is very similar to the company's own – for example:
o Inserts themselves into an existing email thread that typically involves a large financial transaction
o Locates the message in the thread that contains the payment details, then:
§ Replies stating there is an issue with the payment system because an ongoing audit has frozen the bank account
§ Provides alternate payment details that redirect the funds to an account the attacker controls
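The detection side of the steps above, as an added example that is not part of the bulletin: a check that flags a reply in a payment thread whose sender domain only looks like a trusted one (a look-alike domain), and a Reply-To that points somewhere else. The two sample messages, the trusted-domain list and the homoglyph table are constructed assumptions for illustration.

```python
"""Flag replies whose sender domain imitates a trusted domain (BEC look-alike check).
Added example; sample messages, TRUSTED_DOMAINS and HOMOGLYPHS are assumptions."""
import email
from email import policy
from email.utils import parseaddr

# Assumed: domains the payments team legitimately corresponds with.
TRUSTED_DOMAINS = {"intactinsurance.com", "acme-supplier.com"}

# Assumed table of character sequences that are easy to confuse on screen.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l"}


def normalize(domain: str) -> str:
    """Lower-case the domain and undo common look-alike substitutions."""
    d = domain.lower().rstrip(".")
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance: one added, dropped or changed character is distance 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, max_dist: int = 2):
    """Return the trusted domain that `domain` imitates, or None.

    An exact trusted match is not a look-alike; neither is an unrelated domain
    whose normalized form is more than max_dist edits from every trusted one."""
    domain = domain.lower()
    if domain in trusted:
        return None
    norm = normalize(domain)
    for t in sorted(trusted):
        if levenshtein(norm, t) <= max_dist:
            return t
    return None


def _domain(addr_header) -> str:
    """Domain part of an address header such as 'Name <user@host>'."""
    return parseaddr(str(addr_header))[1].rpartition("@")[2].lower()


def flag_message(raw: str) -> list:
    """Return the reasons a message is suspicious (empty list if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    sender = _domain(msg.get("From", ""))
    target = lookalike_of(sender)
    if target:
        reasons.append(f"sender domain {sender} imitates {target}")
        # The BEC pattern: the look-alike appears as a reply inside a live thread.
        if msg.get("In-Reply-To") or msg.get("References"):
            reasons.append("look-alike sender replied into an existing thread")
    reply_to = _domain(msg.get("Reply-To", ""))
    if reply_to and reply_to != sender:
        reasons.append(f"Reply-To goes to a different domain ({reply_to})")
    return reasons


# Constructed sample messages: a genuine supplier reply and the fraudulent one.
LEGIT_REPLY = (
    "From: Accounts <ap@acme-supplier.com>\r\n"
    "To: payments@intactinsurance.com\r\n"
    "Subject: Re: Invoice 4471\r\n"
    "In-Reply-To: <inv4471@acme-supplier.com>\r\n\r\n"
    "Confirming the invoice details, thanks.\r\n"
)
FRAUD_REPLY = (
    "From: Accounts <ap@acrne-supplier.com>\r\n"  # 'rn' in place of 'm'
    "Reply-To: ap.acme@example.net\r\n"           # replies go to a free-mail box
    "To: payments@intactinsurance.com\r\n"
    "Subject: Re: Invoice 4471\r\n"
    "In-Reply-To: <inv4471@acme-supplier.com>\r\n\r\n"
    "Our account is frozen pending an audit; please use the new details below.\r\n"
)

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT_REPLY), ("fraud", FRAUD_REPLY)):
        print(name, flag_message(raw) or "no findings")
```

The normalization step matters because an edit-distance threshold alone treats acrne-supplier.com as two characters away from acme-supplier.com, while a reader sees them as identical; folding rn to m before measuring catches both the substitution and the one-character additions (acme-suppliers.com) that a raw string comparison would miss.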
How to Detect DocuSign Phishing Attempts
· If you are not expecting a DocuSign request, do not open it. If you suspect it may be legitimate, confirm with the originator by phone or by a new email to an address you already have, not by replying to the suspicious message.
· Procurement will advise you when a DocuSign envelope for a contract is being sent to you. Check that the subject line of the email includes the Contract Workspace (CW) number from the contract summary email – for example, [E!] Complete with DocuSign: CW0580USA_ Agreement_Intact-USA_Contract.
· Do not open unknown or suspicious attachments or click links – DocuSign will never ask you to open an Office document or zip file in an email. Note that the final email stating the envelope is complete may carry the signed PDF document as an attachment.
· Hover over every link before clicking and check the address that appears: it must begin with https:// and the host name (the text between https:// and the next /) must be docusign.net or end in .docusign.net. A link that merely contains the text docusign.net somewhere later, for example https://example.org/docusign.net/, is not a DocuSign link.
· Access documents directly from DocuSign:
o Hand type the website address https://www.docusign.com/
o Click Access Documents in the upper right-hand corner of the webpage
o Enter the unique security code that is included at the bottom of every DocuSign notification email
· Report suspicious DocuSign emails to ESupport@intactinsurance.com and to email@example.com.
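The link check from the list above, as an added example that is not the bulletin's own code: the literal reading of the advice ("starts with https and contains docusign.net/") is placed beside a strict check that inspects the host itself, so the cases where the two disagree are visible. The sample links are constructed, and the list of DocuSign domains is an assumption.

```python
"""Compare a substring test on a hovered link with a strict host check.
Added example; SAMPLE_LINKS and DOCUSIGN_DOMAINS are assumptions."""
from urllib.parse import urlsplit

# Assumed: registered domains a genuine DocuSign notification links to.
DOCUSIGN_DOMAINS = ("docusign.net", "docusign.com")


def naive_check(url: str) -> bool:
    """The literal reading of the bullet: substring tests only."""
    return url.startswith("https") and "docusign.net/" in url


def is_docusign_link(url: str) -> bool:
    """Strict: scheme must be https and the host itself must be DocuSign's."""
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed authority, e.g. a bad bracketed IPv6 literal
        return False
    if parts.scheme != "https":
        return False
    host = parts.hostname  # lower-cased; userinfo and port already stripped
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in DOCUSIGN_DOMAINS)


# Constructed links, each paired with the verdict the strict check should give.
SAMPLE_LINKS = {
    "https://na2.docusign.net/Signing/EmailStart.aspx?a=1": True,
    "https://www.docusign.com/": True,
    "https://docusign.net.example.org/Signing/": False,  # attacker's own subdomain
    "https://docusign.net@example.org/": False,          # userinfo before the real host
    "https://example.org/docusign.net/login": False,     # string appears only in the path
    "https://example.org/?next=https://na2.docusign.net/": False,  # only in the query
    "http://na2.docusign.net/": False,                   # right host, no TLS
}


def disagreements() -> dict:
    """Links where the substring test and the strict test give different answers."""
    return {u: (naive_check(u), is_docusign_link(u))
            for u in SAMPLE_LINKS if naive_check(u) != is_docusign_link(u)}


if __name__ == "__main__":
    for url, expected in SAMPLE_LINKS.items():
        assert is_docusign_link(url) == expected, url
    for url, (naive, strict) in disagreements().items():
        print(f"naive={naive!s:5} strict={strict!s:5} {url}")
```

The substring test accepts two attacker-controlled links (the DocuSign string in the path and in a redirect parameter) and rejects a genuine docusign.com link, which is why the advice is better stated in terms of the host name than of text anywhere in the address.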
REMEMBER – DO YOUR PART, BE SECURITY SMART!