Phishing Alert: Scams Utilizing “Secure” Document Services, e.g. DocuSign

Some U-M community members reported receiving this email. It is fraudulent or malicious. Do not respond, click any link in it, or provide personal information or money. See Phishing & Scams for more tips. If you need help, contact the ITS Service Center.

Date Sent: 
Friday, November 3, 2023

Description

A threat actor sends an invitation to access a “secure document” using a legitimate secure document service, such as DocuSign. The document instructs you to click a link that takes you to a fake login page, which is designed to look like a legitimate one. If an individual enters credentials into the login page, they are received by the threat actor and can be used fraudulently.

In similar scams, a threat actor sends a document, e.g. “invoice”, through a legitimate service such as Paypal with instructions to call a telephone number for customer service assistance. If you call the number, they lure you into providing personal information under the guise of assisting you. They may ask to screen share with you online as another way to steal information.

How to Protect Yourself

  • Be suspicious of emails sharing documents that you aren't expecting. If you aren't sure, contact the sender (preferably via text message, phone, or an alternate email address) and ask if they shared a document with you.
  • Do not assume that emails sent using legitimate, secure services are legitimate in their intentions. These types of scam emails are not detectable by email scam filters because they are sent using legitimate services and the link that lures you into providing information is in a document.
  • Pay attention to the details and look for red flags such as:
    • The document is unexpected or it contains information you do not know about. It may also contain very little information. The purpose of the document is to get you to the next link – referred to as “laundering the link.”
    • If you access the document, it asks you to click a link to login with your credentials. Before entering your UMICH (Level-1) password on a web page, check that the page's web address/URL begins with https://weblogin.umich.edu/. 
    • If you access the document, it asks you to call a telephone number for further assistance. It is unusual for a legitimate service to only offer the option to call a telephone number.
    • You are asked to screen share or download software. To verify the legitimacy of a request, you can end the call and contact the company or institution using its published contact information.

Report Suspicious Email

Google at U-M users can forward phishing email to [email protected]; include what Google calls the original message. Michigan Medicine Outlook/Exchange users can use a Report Phishing button. For details, see Report Phishing & Email Abuse. Report other suspicious requests or prompts by sending a description of your experience to [email protected].

If You Get Caught

If you gave personal information in response to a phishing email or on a suspicious webpage, your account may be compromised.

  • Change your UMICH (Level-1) password and follow the instructions at What to Do if Your Account is Compromised.
  • Carefully review any online account that became vulnerable as a result of responding to the email.
Phishing Email or Site Screenshot: 
Screenshot of fake U-M login page with incorrect url circled. U-M's real login url begins with https://weblogin.umich.edu/.