Security Success Story

Roger Thornhill* is an Accountant and Franchisee Consultant with Midwest Bar Accounting, where he has worked for 14 years. Roger specializes in bar and restaurant accounting, advising not only small owner-operators, but also large multi-location chains. “It’s like Restaurant Impossible for accounting nerds,” jokes Roger. “I help owners make smart, strategic financial decisions based on the hospitality industry’s best practices.”

Like hundreds of organizations, Midwest Bar Accounting utilizes DocuSign to manage electronic agreements. In fact, according to a survey by Statista, DocuSign dominates the electronic agreements market with 77.64% of market share. Cyber terrorists recognize the prevalence of DocuSign and manufacture phishing campaigns to trick users into unwillingly surrendering their private credentials.

Roger exchanges DocuSign documents daily with clients and prospects, including engagement letters, business associate’s agreements, and tax forms. A few weeks ago, while anxiously awaiting a signed engagement letter from a new client, Roger received an email asking him to log in to DocuSign. Though unusual, he thought nothing of it, moved too quickly, and clicked on a link in the email. The link brought him to a webpage that looked like the DocuSign site. He entered his username and password – and then immediately felt regret.

“Do you ever have that sinking feeling that you know you’re doing something… and it doesn’t feel quite right… and you do it anyway?” admits Roger. “I guess I was just working too fast.”

Roger fell victim to a two-part credential grabbing attack. While the first part was temporarily successful, Dynamic Edge’s OS System Protection stopped the second part immediately.

First, credential grabbing attacks use phishing, a type of social engineering in which malicious emails or websites trick users into revealing their personal data. According to Digital Information World, there were 30 million such attacks in 2022! Once criminals capture usernames and passwords, they attempt to log into the most common websites (Microsoft 365, the big banks, etc.) to steal additional info, ask for a ransom, or simply steal money directly. In this case, a cyber terrorist created an email made to simulate a DocuSign authentication request. When Roger clicked through the request, he arrived at a fake DocuSign webpage designed to capture Roger’s legitimate credentials.

Second, when Roger visited the fake DocuSign webpage, a piece of keylogging malware attempted to install itself “behind the scenes” on Roger’s laptop. Dynamic Edge’s OS System Protection stopped it immediately and alerted Roger to the malicious attempt with a pop-up message.

“As soon as I received the warning on my desktop, I knew I better call the Help Desk,” Roger says. “I told them I’m pretty sure I just gave my password away.“

Roger called Dynamic Edge and an engineer took over immediately, isolating Roger’s machine from the rest of the Midwest Bar Accounting network. They scanned Roger’s machine for malware. Then, they forced a password reset for all of Roger’s network credentials, including DocuSign. Then, they scanned the entire Midwest Bar Accounting network to confirm that no malware had traveled between devices.

“Although Midwest Bar Accounting uses enterprise-level spam protection and provides quarterly cyber security education training for its employees, anyone can fall victim to a similar attack,” says Kevin Wilson, Chief Information Security Officer (CISO) at Dynamic Edge and vCISO for Midwest Bar Accounting.

“Security works best in intertwined layers. In this case, the phishing email got past the spam filter and the employee himself, but OS System Protection alerted him that something was wrong.”

Fortunately, network scans did not identify any unauthorized downloads and Roger got back to work.

“I’m a little embarrassed that I fell for what now seems like a pretty obvious trick,” says Roger. “However, I’m relieved to know that our firm has invested in the solutions we need. Such a little mistake could have turned into a disaster.”

*Names changed to protect privacy.