The internet is a great place but unfortunately, there are always rotten apples like phishers and scammers targeting our money or information.
In order to protect yourself and your Draft account, we've prepared security guidelines you can follow to stay safe.
Common cyber dangers
Emails appearing like they're from a recipient you know (e.g. your friend's email address is [email protected], and a scammer is trying to mimic it by using [email protected])
Emails that contain a password-protected or an .exe file (these can't be scanned by Gmail, CRMs, and others)
Incoming calls or emails asking you to verify a password, email, name, address, and other information other than your first name
Facebook, LinkedIn, Instagram, Twitter, or any other type of message from anyone asking for some info or for you to do something
Redirects from emails, slightly mistyped website URLs, websites that don't display the padlock (HTTPS) in the top left
To stay safe without feeling like you have to constantly be on guard, it's good to adopt the following best practices.
How to protect your Draft information
1. Don't share your login information with anyone
Don't share your login information with anyone. Use a password manager to store and encrypt it.
2. Use 2-Factor Authentication for Trolley
Please enable and use 2-Factor Authentication for our payment processing software.
Remember to never provide information such as bank account numbers, CVC, etc. via email.
3. Be careful with external links
We scan every brief attachment. However, be careful when accessing other links such as Google links, website links, etc.
Make sure to never download anything on your device if it hasn't been scanned first, or if you haven't verified provenance.
On websites, look for the "padlock of trust" (in the address bar in Google Chrome) signifying that the website is encrypted by the HTTPS protocol. Don't enter your personal information, and don't download any password protected or .exe files.
4. We'll never email you about sensitive information
We may email you about jobs and to notify you of issues to resolve, updates, and similar, but we'll never directly ask you to provide sensitive account information.
If you receive an email seemingly from Draft that you're not sure about, please log into your app and use the live chat button in the bottom right corner to reach out to our support team and verify that we've sent you that request for information.
We'll never reach out to you other than via live chat, email, or a scheduled meeting we've cleared with you first, regarding your account. If you're being asked for your Draft-related information elsewhere (e.g. LinkedIn), please flag it for us via live-chat.
5. Be careful when asked about Draft
If someone reaches out to you asking about Draft (commonly on LinkedIn if you're publicly displaying that you work with us), be careful.
You can share your referral link with them or provide them with advice, but:
Don't open any attachments
Don't share login information
Don't respond to requests offering compensation in exchange for performing actions for a third-party or performing actions for them on your account (common phishing issue)
Consider making your profile private, as well.
How to protect your information on the internet
1. Don't reuse your passwords - use password managers
Password managers can generate nonsensical passwords (strings of letters, numbers, and characters) and store it for you so you don't have to write them down.
If you're not using a password manager, don't reuse your passwords for more than one tool.
2. Verify the provenance of emails and calls asking for information or sending attachments
If you receive an email asking you for information or sending attachments, check the 'Sender' field in your email client.
Verify that there are no differences between the sender you are expecting and the sender you're seeing.
If you're receiving attachments, make sure they've been scanned by your email client.
If they haven't, use the email address you've stored to reach out to the sender and verify that it's them sending you information. Consider hopping on a quick call with them just to double-check.
3. Use 2-Factor Authentication
Wherever possible, use 2FA to receive codes to your phone or via an authenticator app on your phone. This is particularly important for websites and services that handle your financial information.
4. Consider encrypting your devices and using VPN
Encrypt your devices to make sure that, even if your devices are stolen, your data and identity remain safe.
The following guide from spreadprivacy.com explains how to do this on Windows 10, Mac, Android and iOS.
If you're working from a cafe, hotel, library, or basically anywhere other than your home network but perhaps even then, use a VPN. This ensures that any information you are sending or requesting can only be accessed by you.
All of your traffic is encrypted this way and prevents anyone from skimming data as you connect to that handy free WiFi hotspot. This isn't just for your laptop either, this is something that's also important on your mobile devices too.
5. Register your emails with https://haveibeenpwned.com/
In the event of a data breach, this service will notify you if your email has been compromised so you can change your password and perform other required actions.
When in doubt, double-check! If you think something suspicious is going on with a client, Draft, or other people, on the platform, or outside of it, please reach out to us. Our security and support teams are here to help you stay safe.