Fraud With A Badge: How Real Platforms Power Real Scams

Written by Paul Smart
Account Representative, Nex-Tech

You know how some words get thrown around so much that they start to lose all meaning and become background noise? That’s how “cybersecurity” has felt for a while to a lot of people. We’ve started to become numb to it because attacks are so frequent and the media talks about it nonstop, but it’s just as real as it’s ever been, and the bad guys keep leveling up.

With the evolution of artificial intelligence (AI), Business Email Compromise (BEC) attacks have become more sophisticated and harder to spot. Think “professional con artist,” not “Nigerian prince with a typo budget.”

Now, I’m a pretty smart guy (pun intended by my name), but I’d be hard-pressed to catch something like this unless there were strong protocols we were actually required to follow. In this case, the only way I can see it being caught is to call the law firm using a verified number (for example, one you already have on file, or one you look up independently) and confirm they sent the request. Yes, it’s inconvenient. So is fraud. Remember, these weren’t the usual poorly worded, obviously suspicious scam emails you’ve learned to ignore.

They came from the real DocuSign, passed authentication and matched real business workflows. The failure point wasn’t technology, it was trust. And trust, unfortunately, doesn’t come with a spam filter.

WHAT TO DO WHEN SOMETHING FEELS OFF

CONFIRM BEFORE CLICKING. If you receive an unexpected DocuSign, Adobe Sign or other document request, confirm it’s legitimate before opening or clicking anything. Even if it looks real.

CALL A NUMBER YOU’VE VERIFIED OR USED BEFORE. Don’t use contact information provided in the suspicious message. Look up the company’s number online or use one already on file.

BE CAREFUL WITH PAYMENT REQUESTS. If a vendor sends a new payment portal or says you have an outstanding balance, call to confirm before making a payment.

TRUST YOUR GUT. If something feels even a little bit off — the wording, the request, the sender, the circumstance, the urgency — stop and ask a colleague or supervisor to review it before responding.

REAL PLATFORMS CAN STILL CONTAIN REAL SCAMS. Scammers are now using legitimate tools, like DocuSign or even your vendor’s actual email account. That means a message passing your security filters is no longer proof that it’s safe.

So, what does this mean? Even though we’re all tired of hearing about cybersecurity and awareness training, the consequences of not paying attention are very real. Topeka has already seen serious cyber threats in government and health care over the last few years, and that doesn’t even count the massive number of small businesses that have had their email and social media accounts hacked. How many people do you know who’ve had to send the dreaded “Please disregard” email (or post “Do not reply to any messages from me”) because their account was taken over?

There are other ways companies get attacked, too. Imagine one of your smaller vendors doesn’t pay attention and their system gets compromised. Because the bad guys can see what’s happening in their inbox, they can figure out who the invoices go to and what the emails are supposed to look like. Then, using your vendor’s real email account, they send a message saying you haven’t paid your bill and you can use this “new payment portal” to get caught up so deliveries don’t get interrupted. It looks legitimate and comes from the right person. It also arrives at the exact moment your brain is thinking, “Please don’t make me deal with this today.”

This email is from a company you already work with, from the person you normally work with, for products you normally buy. Again, the best way to stop something like this is to verify: call the company using contact information you already have (or look it up independently) and ask whether the new portal is legitimate. If nothing else, it’s a great excuse to make a quick phone call instead of starting your day with an unexpected disaster.

All the cybersecurity tools in the world can’t prevent attacks like this because these aren’t “fake emails.” They’re real messages sent through real platforms. These are situations where strong security awareness training helps, prompting people to pause, verify and ask questions when they aren’t 100% certain. Even basic scam emails can look good with AI, and it only takes seconds.

Bottom line: Employers, make sure your staff is getting the best training available. Consider rewarding people who take it seriously, because positive reinforcement works better than doom-scrolling and is cheaper than dealing with a breach.

As for employees, please don’t let all the videos and “gotcha” test emails numb you to what’s really going on. No matter how many software tools are used to keep your job safe, only humans can prevent “human error.” If it feels even a little off for any reason, stop and ask for someone to take a look.
