Skip to Content
man looking at his email on a laptop
Photo 74992581 © Weerapat Kiatdumrong | Dreamstime.com
Security & privacy

Before you sign a digital document in your email, read this

Be careful: That SVG file you just downloaded may be harboring a dangerous secret.

Cybercriminals are sending out emails masquerading as DocuSign notifications. Click and they may be able to steal your data using this new spin on one of the most commonly spoofed types of messages.

If you’ve ever tried to open an SVG file, you already know they’re not exactly like PNGs or JPGs. Here’s why you should exercise caution if you receive an email with HTML attachments that include them.

What is the Blank Image attack?

The fraudulent emails in question purport that you’ve got a DocuSign document to sign. In this case, it’s the enigmatically-named “Scanned Remittance Advice.htm.” Scammers use SVG vector images embedded in HTML attachments to bypass the security measures most email inboxes have enabled automatically. Tricky.

While the body of the message itself appears to be relatively harmless, opening the HTML attachment unleashes its nefarious payload onto your device. Instead of the XML data an ordinary SVG would contain, this file holds the attack’s script.

It’s almost impossible for most people to predict whether or not this hidden script exists within any attachment capable of hiding malicious code. So, what can you do?

Your best bet is to delete any DocuSign email that you’re not expecting. Never open HTML attachments that appear to be suspicious or unexpected.

If you’re an avid DocuSign user, ensure that you’re positive that any new documents to sign are legitimate. The same habit should apply to any other brand, of course. If you know you’ve got nothing new to sign, you know something “phishy” may be happening.

How to avoid becoming a victim

DocuSign isn’t the only legitimate brand being used to attack customers. In fact, something similar just happened with Zoom. Follow these simple tips to keep trouble at bay and your data secure:

  • Never open attachments from strangers or spam emails.
  • Always verify that an “official” email is being sent from the real company. Misspelled email addresses and domains, weird styling in the body of the email and fishy-sounding offers are all suspect.
  •  Use antivirus software to protect you from snoops and crooks automatically. Kim’s pick is TotalAV.

You can never be too safe online. Here are three dumb mistakes that you don’t realize are putting you at risk.

cryptocurrency e-book hero

New eBook: ‘Cryptocurrency 101’

Don't want to lose your dough to crypto? Check out my new eBook, "Cryptocurrency 101." I walk you through buying, selling, mining and more!

Check it out