Scam (?) hiding in Fido email

[nwsteve]

DW got an email from what initially looked like Fidelity this morning. Subject line read something like "pending document requiring signature". Had the Fidelity logo and color scheme. Email address of sender was different. Text of email indicated email was from DocuSign and was being sent at the request of Fidelity to complete "important document that was pending and would soon expire". At bottom of email was a link to "review document"
The request was a bit of a surprised as we had recently completed docs to authorize each other to trade the others tax shelter accounts. However to the best of our understanding this was completed a couple weeks ago.
We checked DW's Fidelity account directly and could not find any message relating to an unsigned doc. Called Private Client rep immediately who returned call fairly quickly after she completed scouring their system for such an outstanding doc. Of course, there was no outstanding doc requiring signature.
Rep had me send the email account to Fidelity's phishing group (phishing@fidelity.com).
Since we never linked to the doc cannot really share what all was on the doc but just guessing they was going to be a form requiring all kinds of personal information as well as signature. What the sender was gong to use the info is unlikely a good thing for any responder.
Hope this heads-up keeps all safe..

 

[braumeister]

The attached "document" could easily have been malware, even a key logger. Very glad you were wise enough to avoid that mess.

 

[ERD50]

Smart. My rule is NEVER click on links in emails (well, anything financial, or that would require a log on after you follow that link). As you did, just go to the site directly and log on.

I heard on the radio the other day, another 'tip' on looking for this or that to try to tell if an email is legit. No! The bad guys might have done a good job, so just don't do it.

-ERD50

 

[growing_older]

Just got an email from our local school district, warning that someone has been phishing with very realistic looking email about next year's assignment to schools that asks for personal information. They're everywhere.

 

[Gumby]

Got something similar from ersatz Amex today. As ERD50 says, just back out, go to the site and log on. Don't click the link in the email.

 

[Fedup]

I've heard from Mathjak that Fidelity caught somebody trying to sell his wife's password and account. I don't answer phone, click on email, not cell phone of anybody I don't recognize. It's best to be safe.

 

[Animorph]

I've had legitimate versions of the DocuSign email, for the same reason - I was added as an authorized trader on DM's account. In our case everything was handled electronically, no paper forms. I was expecting the email, followed the instructions, and everything was fine. Also, no data was asked for. That was already in the document to be reviewed. Just a signature was required, which is bad in its own way.

If it is something you are expecting it should be legit. If it is out of the blue it would be suspicious. But I'm not sure there is a way to do the DocuSign function without clicking on some links of the legit email.

 

[Souschef]

For the first time in a while, I just got an e-mail from a banker in Benin, wanting to split an $18 mil account with me.

 

[Winemaker]

Send $100 to me and forward the email to me. I will get back to you if it is legit.

 

[Hyperborea]

Another tool to use to help you figure out if an email is legit is to look at the raw email with all the headers. Most mail apps or webmail services will let you do this. The "From" field can be faked and you will need to look at the routing information. The email spec is from a simpler, less complicated, more trusting time in the internet's history.

Here's a simple introduction on how to do this.
https://www.arclab.com/en/kb/email/how-to-read-and-analyze-the-email-header-fields-spf-dkim.html

 

[SecondCor521]

But I'm not sure there is a way to do the DocuSign function without clicking on some links of the legit email.

One way would be for the company asking you to DocuSign something would be for them to ask you to log into your account, go to a secure message they sent you, then click on the link in the secure message.

 

[nwsteve]

One way would be for the company asking you to DocuSign something would be for them to ask you to log into your account, go to a secure message they sent you, then click on the link in the secure message.

This is standard procedure I have previously experienced with Fido in past

 

[redduck]

Another tool to use to help you figure out if an email is legit is to look at the raw email with all the headers. Most mail apps or webmail services will let you do this. The "From" field can be faked and you will need to look at the routing information. The email spec is from a simpler, less complicated, more trusting time in the internet's history.

Here's a simple introduction on how to do this.
https://www.arclab.com/en/kb/email/how-to-read-and-analyze-the-email-header-fields-spf-dkim.html

After reading all the posts so far in this thread, there's no way I'd click on the above link.

 

[Scrapr]

i just got a e mail from paypal showing a uber transaction. VERY realistic. Included several hot links. I was about to click. Then i realized it came to an alternate e mail that my uber & my Paypal are not registered on.

Usually you can tell because something is "off" in the e mail. This was cloned exactly like a Paypal site. Looking after the fact the "From" address was a bit funky.

That was close. If that had come to my registered e mail I might have been sucked in. I do go to a new browser window to log in though most of the time

 

[DrRoy]

My rule is NEVER click on links in emails (well, anything financial, or that would require a log on after you follow that link). As you did, just go to the site directly and log on.

+1

 

[audreyh1]

I have never gotten a Docusign document from Fidelity. I didn't even know they used Docusign. Do they?

Regardless, the only reason to get a Docusign notification is because you initiated some major account action somewhere else.

Please forward your email showing the full headers to Fidelity fraud department. They probably have an address fraud@fidelity.com.

 

[eytonxav]

I periodically get these email phishing schemes from various fake banks and credit card companies, and the phone call that there is a warrant out for your arrest. Have not seen the Fidelity one yet.

 

[target2019]

Email links, even when appearing genuine, should be avoided. At least take the time to hesitate, and let your mouse pointer hover over the link so you can inspect where it goes. Still, you should try to avoid doing this.

I have a relative, who I've never met in person. She is older, and is sending me links from facebook people she has met in regard to ancestry research. Warning, warning, warning!!!

 

[MichaelB]

Even legitimate email docs are often infected, I don't open them unless I can verify they are legit and I have a need. Same with unsolicited links.

Here's a case of a cyber-security firm falling victim - an employee opened a bad email doc. From Krebs on Security this morning https://krebsonsecurity.com/

On Thursday, March 16, the CEO of Defense Point Security, LLC — a Virginia company that bills itself as “the choice provider of cyber security services to the federal government” — told all employees that their W-2 tax data was handed directly to fraudsters after someone inside the company got caught in a phisher’s net.

 

[target2019]

After reading all the posts so far in this thread, there's no way I'd click on the above link.

Ha, good one. I did look at the link, and it goes to arclab.com.
If you trust me, and go there, the page explains some of what goes on behind the scenes during the process.

The displayed arclab link was identical to the embedded link. It didn't contain mush else than a path to a web page. So I risked all.

 

[Tadpole]

I'm still wondering what I should do after something happened a couple of hours ago. I logged into Bank of America. Bank of America has this very irritating habit of generating a popover right after login. These are usually just promotions.

Today I logged into BoA and the popup said they were required to verify social security numbers. There was a grey box that, presumably, if you clicked on it, your social security number would appear and you could verify it. Beneath this box was a statement to the effect that BoA had greyed out the number to preserve my security. (How absolutely weird is that.) I didn't click on the box but rather chose the option that it was correct without looking at it.

BoA wouldn't let me close the popover without looking at my SS number but rather let me chose another option for finishing this later. As a sanity check I logged out and back in and the popover appeared again.

Everything in the bank account looks legit. Its https, the address box has the VeriSign approval and Trusteer Rapport which BoA issues says the connection is legit and is not suppose to allow a "man in the middle" of the connection. No alarms from Norton or Malwarebytes but they might not be able to detect this type of thing.

On the other hand, I don't really believe a bank would require you to expose your SS number online when they, themselves, do not think this is a good thing to do.

Very strange.

 

[braumeister]

If I were you, I would do one or both of these:

Clear the browser cache and log in to BOA again by actually typing the URL, not using a bookmark. Does that same popup appear?

Log in using a different browser, clearing its cache first if you've used it recently.

Good luck!

 

[easysurfer]

My email reader treats emails as plain text only. Then I can choose to read as html only if I choose to. I like that extra safety after having a keylogger in the past with a previous email reader.

 

[Tadpole]

If I were you, I would do one or both of these:

Clear the browser cache and log in to BOA again by actually typing the URL, not using a bookmark. Does that same popup appear?

Log in using a different browser, clearing its cache first if you've used it recently.

Good luck!

Followed your instructions. It's still there in IE11 and Firefox even after I clear the browser cache and type the web address into the address box. It looks like BoA might actually be sending this.

 

[Golden sunsets]

Followed your instructions. It's still there in IE11 and Firefox even after I clear the browser cache and type the web address into the address box. It looks like BoA might actually be sending this.

Are you using 2 party authentication with your BOA accounts? If not I would advise you to do so going forward. It's annoying but a good level of added security.