DocuSign Alert Summary
As a part of our commitment to providing excellent service to our members, Spirit of Alaska Federal Credit Union has used DocuSign, a company that allows us to collect signatures on mortgage loans from members who are not able to come to a branch.
Unfortunately, DocuSign has acknowledged that a breach of one of its computer systems, which hosted user email addresses, has allowed attackers to target DocuSign customers with spoofed (fake) emails. No information other than email addresses was breached.
There is a real possibility that Spirit of Alaska members' email addresses are involved in this breach. This type of spoofed email is known as a “phishing” attack. The sender's email address is often masked and changed to a familiar or trusted address to complete the deception.
Example of the spoofed email:
What You Can Do in Response
Refrain from clicking any links or opening any attachments in a DocuSign email.
Please VERIFY with our Mortgage Department the legitimacy of any email you receive claiming to be from DocuSign. Contact us at 907-459-5974 or email@example.com.
If you are expecting a document to sign:
Access your documents directly by visiting docusign.com and entering the unique security code included at the bottom of every legitimate DocuSign email.
If you are NOT expecting a document to sign:
If you receive an email from DocuSign, please notify us at firstname.lastname@example.org immediately. In addition, DocuSign is asking people to forward any suspicious emails related to DocuSign to email@example.com, and then to immediately delete the email(s).
More information on the spoofed emails
Malicious emails are being sent to breached addresses using DocuSign branding in the headers and body of the email. Upon clicking to “View Documents”, the email downloads a Microsoft Word document that harbors malware.
According to DocuSign, “[emails] may appear suspicious because you don’t recognize the sender, weren’t expecting a document to sign, contain misspellings, contain an attachment, or direct you to a link that starts with anything other than https://www.docusign.com or https://www.docusign.net.”
DocuSign says it will never ask recipients to open a PDF, Office document or ZIP file attached to an email.
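For mail administrators, the criteria DocuSign lists above can be checked mechanically. The following is an added example, not code from DocuSign or the credit union: it parses each link's host instead of comparing string prefixes, because a look-alike host such as www.docusign.com.signing.example also "starts with" the legitimate address. The function names, the extension list and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlsplit

# Hosts the DocuSign notice names as legitimate link targets.
ALLOWED_HOSTS = {"www.docusign.com", "www.docusign.net"}
# Attachment types DocuSign says it never asks recipients to open (assumed list).
RISKY_EXT = (".pdf", ".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm",
             ".ppt", ".pptx", ".zip")
URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)


def link_is_allowed(url: str) -> bool:
    """True only for https links whose host is exactly an allowed host."""
    try:
        parts = urlsplit(url)  # .hostname drops userinfo and port, lowercases
    except ValueError:
        return False
    return parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS


def docusign_red_flags(raw_message: str) -> list[str]:
    """Return findings for a message that presents itself as DocuSign mail."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            kind = "never-requested type" if name.lower().endswith(RISKY_EXT) else "unexpected"
            findings.append(f"attachment ({kind}): {name}")
        elif part.get_content_maintype() == "text":
            for url in URL_RE.findall(part.get_content()):
                if not link_is_allowed(url):
                    findings.append(f"link outside docusign.com/.net: {url}")
    return findings


# Constructed sample message (not a real phishing email).
SAMPLE = """\
From: DocuSign <dse@docusign.example>
Content-Type: text/plain; charset="utf-8"

View Documents: https://www.docusign.com.signing.example/view?id=1
Help: https://www.docusign.com/support
"""

if __name__ == "__main__":
    for finding in docusign_red_flags(SAMPLE):
        print(finding)
```

An empty result does not make a message legitimate; it only means none of these specific indicators were present.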