DocuSign educates staff on phishing
Fraud Prevention

How DocuSign Keeps Phishers From Hooking Their Data

Phishing is an enormous fear for businesses, with attacks accounting for 90 percent of data breaches. It’s an especially pertinent concern for DocuSign, which processes nearly 800,000 authorized documents every day, making it a prime phishing target. In this month’s Digital Fraud Tracker, Emily Heath, DocuSign’s chief trust and security officer, tells PYMNTS how the company deploys threat intelligence and employee awareness to protect itself and vulnerable user data that could be ruinous if exposed.


A successful phishing attack is among many businesses’ worst fears. Fraudsters who gain access to employees’ login details can cause untold amounts of damage, including emptying corporate bank accounts and exposing terabytes of customers’ personal information to the entire internet. Compounding this fear is the ease with which fraudsters can conduct these attacks. Sending out thousands of attempts every minute is simple, and it only requires one employee to unwittingly play into hackers’ hands for fraud to take place.

“Phishing is always the number one cause of [security] incidents, not only for DocuSign, but also for every other company I've ever worked for,” Emily Heath, chief trust and security officer for electronic signature provider DocuSign, noted in a recent interview with PYMNTS.

DocuSign has more than 500,000 paying customers and processes hundreds of millions of electronic signatures annually, making it a prime target for phishers looking to exploit personal information. The company leverages both threat intelligence and employee awareness to keep it, its workers and its customers safe and believes that understanding fraud is a significant component to combatting it.

Tracking Phishers’ Angles

Phishers targeting DocuSign are typically after users’ credentials, such as usernames, passwords and other identifying information, according to Heath. These details can be used to either log into employees’ DocuSign accounts or leveraged for hacks on other websites.

“Human nature tells you that normally people use very similar or the same passwords [on] multiple [sites], so [the fraudsters] will try credential stuffing [on] a number of different sites, including bank [websites],” she said.

Phishing attacks often take one of two forms, Heath explained. The first consists of links to fraudulent websites, inviting users to enter their usernames, passwords or other credentials. These sites’ interfaces are nearly indistinguishable from the legitimate login screens that users are used to but lead nowhere and send entered credentials directly to the schemes’ perpetrators.

The other major type of phishing email tricks users into downloading an attachment that installs malware on their computers. This accomplishes the same objective as the fraudulent link — stealing login credentials — but grants even broader access to victims’ systems, enabling bad actors to pilfer all saved passwords, rather than just the one entered.

Protecting against these attacks is a top priority for DocuSign as just one slip up could spell disaster for the victimized staffer as well as the entire company.

Knowing Is Half The Battle

DocuSign guards its staff against phishing with a two-pronged approach, the first of which is a thorough understanding of the potential threats. The company has a dedicated team of security professionals that scours the dark web for phishing attacks and other potential security issues, allowing DocuSign to determine problems and proactively formulate strategies.

“We have both open source and subscription-based threat intelligence feeds that give us information on the types of phishing activities and malware campaigns that may be out there,” Heath said.

Threat intelligence is especially important in determining the source of the threat as phishing attacks can vary in execution and data based on who is conducting the schemes. The challenge lies in identifying the exact culprit in a sea of lookalikes.

“You could have two phishing emails side by side, but they look exactly the same,” she said. “One of them could be sent from the Chinese nation-state and the other one could have been sent from Joe Criminal sitting in a Starbucks. Although they look the same, the intents and the consequences of those attacks are very different.”

Determining the attribution of the phishing attack helps DocuSign not only figure out how to stop it, but also make informed predictions about how the phisher will attack next.

Smarter Employees Are Safer Employees

Threat intelligence is only half the equation, however. Employee education is the other key component to DocuSign’s anti-phishing efforts, but this does not just involve best practices and classroom instruction. The company also conducts simulated, quarterly campaigns that test employees’ abilities to identify phishing emails and bring them to security experts’ attention.

“Sometimes employees get a little upset that we're doing simulated phishing exercises, but if anybody's talking about security, that's a really good thing,” Heath said.

These campaigns test employee awareness of phishing and provide DocuSign’s security staff with valuable insights and data. The team monitors the click rates of these phishing drills, which grants insights into the efficacy of its education efforts on an office and departmental level.

“If we see, for example, that the Tel Aviv office has an increase in that click rate, then perhaps it tells us we need to focus some additional education and awareness campaigns for that team,” she explained. “But, if we see the human resources team has gotten a lot better, then perhaps we might want to reward that.”

Employee education has grown difficult as phishers become more sophisticated in their techniques, however. The best practices of the past do not always cut it in the modern phishing environment.

“A few years ago, the attackers would commonly have spelling mistakes and we would educate people about that,” Heath said. “But now they're getting a lot slyer, and it's almost as if they've integrated design into it themselves because a lot of these emails are just so well written. So, the education has to go a step further as to inspire curiosity.”

Recipients should consider whether they actually expected an email from the sender, for example, or look up the email address if they do not recognize it. DocuSign even encourages employees to call the sender on the phone if something is out of the ordinary, arguing that it is better to take up a few moments of someone’s time with a false alarm than unwittingly compromise the company’s entire network.

Businesses should keep themselves up to date on the best security practices for countering phishing attacks. The consequences of negligence, as seen in a host of recent data breaches, are nothing short of catastrophic.



The September 2020 Leveraging The Digital Banking Shift Study, PYMNTS examines consumers’ growing use of online and mobile tools to open and manage accounts as well as the factors that are paramount in building and maintaining trust in the current economic environment. The report is based on a survey of nearly 2,200 account-holding U.S. consumers.