Threat Alert: DOCUSIGN-THEMED Phishing Emails Steal Google Credentials

• A series of phishing attacks is using Docusign-themed phishing emails to steal Google credentials.
• The phishing emails impersonate a Docusign email alerting the recipient to a document ready for review and signing.
• Following the “Review Document” link first leads to a fake CAPTCHA asking the user to complete a simple math problem. This is likely intended to make the user think the web page is safe.
• After completing the CAPTCHA leads the user to log into G Suite. Entering credentials on this page leads to credential theft.
• While the G Suite login page looks legitimate, the page’s URL is not associated with Google.

Key Action: Report Suspicious Emails 

• Go beyond surface clues. Familiar logos, branding, and names are not automatic indicators that an email or website is safe. Cybercriminals often imitate well- known organizations.
• Be aware of potential lookalike web pages. When logging into an online service, always look for signs of potential web page impersonation. Be sure to check the URL carefully. G Suite is not associated with a .ru top-level domain.
• Be cautious of clicking on URLs, particularly in unsolicited or unexpected emails. Instead, always navigate to a website directly through a known URL or a trusted bookmark.
• Report ANY suspicious emails received in your UCSF email box using the Phish Alarm button.