My friend Lisa called me last night, voice shaking. Someone had cleaned out her PayPal. Then her Amazon. Then they tried her bank. Three accounts in 40 minutes. The criminals never touched her passwords. They didn’t have to.

They had her email.

10 SIMPLE CYBERSECURITY RESOLUTIONS FOR A SAFER 2026

Think about what lives in yours right now. Bank statements. Medical results. Your retirement account, your mortgage company, every streaming service, every store you’ve ever bought anything from. And here’s the part that should stop you cold: every password reset link on the planet gets delivered straight to your inbox.

A criminal doesn’t need to hack your bank. They just need your inbox. One account. Every other door swings wide open. That’s not a flaw in the system. That’s how email was designed to work. And most people protect it with the same password they’ve been using since the Bush administration.

Nope. Not anymore.

Here’s how fast it actually happens

The criminal goes to your bank’s website. Click “forgot password” and type in your email address. The bank sends a reset link to your inbox. The criminal, already inside your email, clicks it, creates a new password and walks right in. Then they do it to your Amazon. Your PayPal. Your brokerage. Your health insurance portal.

Each account takes about 60 seconds. It’s less effort than ordering a pizza.

The FBI calls this account takeover fraud, and it cost Americans $2.7 billion last year alone. The part that should really bother you: 81% of victims said they thought they were “pretty careful” about security beforehand. (Their words, not mine).

BE AWARE OF EXTORTION SCAM EMAILS CLAIMING YOUR DATA IS STOLEN

Three moves. No excuses

1. Get a real password for your email right now.

If your email password is under 16 characters or reused anywhere else, change it today. I use NordPass ($1.43 a month) to generate passwords that look like a cat walked across my keyboard. You remember one master password. It handles the rest. That’s the whole deal.

2. Turn on two-factor authentication. But not the text message version.

Two-factor means even if someone steals your password, they still can’t get in without a second code. Good. But here’s what most people don’t know: SMS text codes can be hijacked through something called a SIM swap attack. A criminal calls your cell carrier, sweet-talks a customer service rep and transfers your phone number to their device. Now your “secure” text codes go straight to them.

Use Google Authenticator instead. It generates codes on your physical phone, not through your carrier. Go to your email account’s security settings and swap SMS verification for an authenticator app. Takes five minutes.

NEW EMAIL SCAM USES HIDDEN CHARACTERS TO SLIP PAST FILTERS

3. Audit every app connected to your inbox.

Every time you clicked “Sign in with Google” to access some website or app, you handed that app a key to your email. Some of those apps can read your messages. Some can send emails posing as you. I did this audit last year and found 34 apps with access to my Gmail. Thirty-four. Apps I’d completely forgotten existed, still holding a master key to everything.

Go here right now: myaccount.google.com > Security > Third-party apps with account access. Revoke anything you don’t recognize or actively use. Gone.

Your bank has a fraud department. Your credit card has zero-liability protection. Your email? Nobody’s covering that one but you.

Twenty minutes. Three moves. Lisa wishes she’d done it on a boring Sunday afternoon instead of a panicked Tuesday night.

CLICK HERE TO DOWNLOAD THE FOX NEWS APP

Your inbox is either a fortress or an open door. There’s no in between. And unlike your front door, this one doesn’t even need a deadbolt. Just strong security.

Kim Komando is America’s Digital Goddess, heard on 510 radio stations nationwide. For more tips on staying safe online, visit Komando.com.

iOS 26.4 is here, and it comes with a bunch of small but notable updates. That includes a new Playlist Playground launching in beta in Apple Music, which uses AI to generate a song playlist — complete with a title, description, and tracklist — based on a text prompt.

Apple Music is also adding a new concert discovery feature, allowing you to find nearby shows featuring artists from your library, as well as new ones recommended by the app. Other updates include full-screen backgrounds for album and playlist pages, along with a new Offline Music Recognition tool that “identifies songs without an internet connection and delivers results automatically when you’re back online.”

Apple’s Family Sharing feature, which allows you to share Apple subscriptions with up to six other people, will now let each adult member add their own payment methods to make purchases (instead of just using the method belonging to the group organizer). Additionally, iOS 26.4 adds eight new emoji, including an orca, trombone, landslide, ballet dancer, and distorted face. It also improves the accuracy of its keyboard when typing quickly, according to Apple.

There are a few new accessibility features, too, including an update to Apple’s “reduce bright effects” setting that now minimizes flashes that occur when tapping on certain elements like buttons. Apple is making subtitle and caption settings easier to find as well, and says its “reduce motion” setting now “more reliably reduces the animations of Liquid Glass.”

Apple released its macOS 26.4 update as well, which introduces a new compact tab bar option in Safari and the ability to set charging limits from 80 to 100 percent to help preserve the lifespan of your device’s battery.

Most of us sign documents online without thinking twice. A quick DocuSign request appears in your inbox. You click the link, review the document and move on with your day. That convenience is exactly what scammers rely on. Recently, we received a message from a CyberGuy reader that shows how convincing these scams can look. In this case, the email appeared to come from a health licensing authority and asked the recipient to review a document tied to a professional license renewal.

Here is the email we received from Susie, a registered nurse in Florida who nearly fell for the scam.

“I am a Registered Nurse, and my bi-annual renewal is approaching. Last month, I received a surprising (at least to me) email with a document to DocuSign from the state Board of Health. It didn’t feel right, even though I have used DocuSign multiple times in the past. Those experiences were known transactions. I contacted the state board, and they confirmed that it IS a SCAM. I sent them screenshots, etc. and reported the message for phishing. I want to thank you, Kurt, because it was thanks to you that I questioned the veracity of this outreach. Reading the articles and tips you provide saved me a great deal of trouble. Thanks again, and all you nurses out there renewing your license, be wary.” – Susie C, Orlando, FL

Susie did exactly what security experts recommend. She paused and verified the message before clicking anything. That one step likely prevented a phishing attack.

SCAMMERS ARE USING DOCUSIGN EMAILS TO PUSH APPLE PAY FRAUD
 

Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts, and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – free when you join my CYBERGUY.COM newsletter

What the suspicious DocuSign email looked like

Susie also shared a screenshot of the message she received. At first glance, the email looks familiar. The blue layout resembles real DocuSign notifications. There is even a large yellow Review Document button. But one detail stood out immediately.

The email address sending the message was:
info.florida-department-of-health-email-notification@cc.ncu.edu.tw

That address has nothing to do with a U.S. state health department. 

Why DocuSign scams work so well

DocuSign is used by millions of businesses and government agencies. Because people expect these requests, they often click without hesitation. Scammers exploit that habit. A typical DocuSign phishing email tries to create urgency. It may claim a license renewal, a contract update, or a payroll form requires immediate action. Once you click the button, several things may happen:

• You may land on a fake login page designed to steal your email password.
• The site may prompt you to download a malicious file.
• The link may redirect you to several phishing pages.

In many cases, the goal is simple. Attackers want your email credentials so they can take over your account or launch more scams.

10 WAYS TO PROTECT SENIORS FROM EMAIL SCAMS
 

Red flags in the DocuSign scam email

A few warning signs can help you spot a fake request quickly.

Suspicious sender address

Always look closely at the sender’s domain. Government agencies rarely send messages from foreign academic domains like .edu.tw. That alone signals something is wrong.

Unexpected documents

Legitimate DocuSign requests usually follow a known interaction. For example, a contract you discussed or paperwork you expect. An unexpected document should always raise questions.

Pressure to act quickly

Many phishing emails include language that urges immediate action. The goal is to stop you from thinking. Take a moment before clicking any button.

Generic document descriptions

The message shown in the screenshot simply states that a document is ready to review. It provides no real context or explanation. Legitimate documents often include details about the transaction.

How clicking the link could compromise you

Many people assume they will recognize a fake page. In reality, phishing sites look very convincing. Some scams even use cloned DocuSign pages. Once victims enter their credentials, attackers gain access to their email accounts.

From there, criminals can:

• Reset passwords for financial services
• Send phishing emails to contacts
• Search inboxes for sensitive documents

In healthcare professions, that risk can also expose licensing information or patient-related communications.

APPLE APP PASSWORD SCAM EMAIL WARNING
 

Ways to stay safe from DocuSign phishing scams

Fortunately, a few habits can dramatically lower your risk.

1) Verify the request separately

If a document claims to come from a government agency or employer, contact them directly using a known phone number or website. Never use the contact information inside the suspicious email.

2) Hover over links before clicking

Move your cursor over the button and check the destination link. If the URL looks unfamiliar or unrelated to DocuSign, do not click it.

3) Don’t click links and use strong antivirus software

If an email seems suspicious, do not click the link or open any attachment. Strong antivirus software can help block malicious downloads, warn you about dangerous websites and catch threats before they spread across your device. Get my picks for the best 2026 antivirus protection winners for your Windows, Mac, Android & iOS devices at Cyberguy.com

4) Use a data removal service

Scammers often gather personal details from data broker sites and public records to make phishing emails seem more believable. A data removal service can help reduce your exposed information online, which may make it harder for criminals to target you with convincing messages. Check out my top picks for data removal services and get a free scan to find out if your personal information is already out on the web by visiting Cyberguy.com.  

5) Access documents through official accounts

If you regularly use DocuSign, sign in directly at the official website and check your pending documents there. That approach avoids email traps entirely. 

6) Report phishing attempts

Forward suspicious messages to your organization’s security team or the Federal Trade Commission phishing reporting system at ReportFraud.ftc.gov. The FTC also advises forwarding phishing emails to the Anti-Phishing Working Group at reportphishing@apwg.org. Reporting scams helps protect others from the same attack.

Kurt’s key takeaways

Scams succeed because they blend into everyday routines. Signing documents online has become normal for work, healthcare licensing and financial paperwork. That convenience also gives criminals a perfect disguise. Susie’s story shows how a small moment of doubt can stop a phishing attack before it begins. A quick call to the licensing board revealed the truth. The message was never legitimate.

Now the question is one every reader should consider. If a DocuSign email arrived in your inbox right now, would you notice the warning signs before clicking the button? Let us know by writing to us at Cyberguy.com

CLICK HERE TO DOWNLOAD THE FOX NEWS APP

Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts, and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – free when you join my CYBERGUY.COM newsletter 

Copyright 2026 CyberGuy.com.  All rights reserved.