Business Email Compromise (BEC) attacks continue to exploit trust with legit-looking “Review and sign” emails from platforms like Adobe/Acrobat Sign. In a recent case, a public signing link led to risky sign-ins from hosting and anonymized IPs across multiple cities. Rapid response contained it—but prevention is even better. Here’s a simple, company-wide playbook anyone can follow to stop these lures before they become incidents.

 

 

The 4 Golden Rules (memorize these)

  1. Do not click links.
  2. Do not open attachments.
  3. Especially do not open on your phone.
  4. Verify by phone using a known-good number—not any number in the email.

If you already clicked or opened something:

  • Report immediately to ticket@impresscomputers.com.
  • If it’s urgent (emails going out from your account, SharePoint/access issues), call 936-931-7977.

Why “Review and Sign” Emails Are So Effective

  • They look routine: Everyone signs documents.
  • They borrow trusted brands and logos.
  • They add urgency: “Access expires” or “Please sign today.”
  • Public links can appear legitimate but still route you to credential prompts or trick you into approving MFA.

Real-World Red Flags to Watch

  • Sender anomalies:
    • Slightly altered address, unexpected sender, or an odd forward chain.
  • Link/attachment pressure:
    • “Click to view,” “Sign immediately,” or requests to bypass normal login steps.
  • Mismatched context:
    • You weren’t expecting a document; content is vague (“Please review” with no details).
  • Technical tells:
    • Long, unusual “public” signing URLs.
    • Login pages requesting Microsoft 365 credentials outside normal Microsoft domains.
    • Unexpected MFA prompts or sign-in locations you don’t recognize.

Why Mobile Makes It Worse

  • You can’t hover to preview links.
  • Small screens hide domain details and warnings.
  • Swipe habits lead to accidental MFA approvals.

How to Verify Safely

  • Do not reply to the suspicious email to confirm—you might be talking to the attacker.
  • Do not call the number in the email.
  • Instead, call the sender using a known-good number from:
    • Your contacts/company directory
    • The sender’s official website
    • A previous legitimate email thread you trust (header info you know is clean)

What To Do If You’re Unsure

  • Stop interacting with the email.
  • Verify by phone using a known-good number.
  • If it still feels off, report it to ticket@impresscomputers.com.
  • If there’s urgency (outbound emails, SharePoint/access issues), call 936-931-7977.

If You Clicked or Entered Credentials

  • Report immediately to ticket@impresscomputers.com.
  • For urgent impacts, call 936-931-7977.
  • Be ready to reset your password and re-register MFA if IT requests it.
  • Share any unexpected MFA prompts you received so IT can investigate.

MFA Safety: Avoid “MFA Fatigue”

  • Never approve unexpected MFA prompts.
  • If prompts repeat, deny and report immediately.
  • Check number-matching and location info carefully before approving.

A Quick Incident Snapshot (What We Saw Recently)

  • A document-signing email was forwarded internally.
  • Minutes later, sign-ins succeeded from hosting/anonymized IPs in Phoenix, Atlanta, and Ashburn.
  • Automated rules forced sign-outs and password resets; no malicious mailbox rules were found.
  • The supposed sender later confirmed a vendor-side compromise.

Printable Checklist for Your Desk

  • Stop:
    • Unexpected “Review and sign” or attachment? Pause.
  • Check:
    • Were you expecting it?
    • Does the sender and context match exactly?
    • Hover links on desktop; on mobile, do not open.
  • Don’t:
    • Don’t click links.
    • Don’t open attachments.
    • Don’t approve unexpected MFA prompts.
    • Don’t reply in the same thread to verify, and don’t call numbers in that email.
  • Do:
    • Verify by phone using a known-good number.
    • Report to ticket@impresscomputers.com.
    • Urgent? Call 936-931-7977.
    • Follow IT instructions for password/MFA resets.

FAQ

  • Is it safe if the email looks like Adobe/Acrobat Sign?
    • Not by itself. Attackers mimic trusted brands. Verify first.
  • Can I open it on my phone just to check?
    • No. Mobile hides critical details and increases risk.
  • What if I already approved an MFA prompt?
    • Report immediately; IT will force sign-out, reset your password, and re-secure MFA.
  • Will I get in trouble for reporting a mistake?
    • No. Fast, honest reporting limits damage and helps protect everyone.

Call to Action
Share this post with your team, print the checklist, and remember the four rules. When in doubt, don’t click—verify and report.

Reporting and Help