Signing Contracts with DocuSign? Watch Out for These Phishing Scams

Cristina POPOV

December 23, 2024


DocuSign's popularity as the go-to platform for electronic signatures makes it an attractive target for cybercriminals. By sending emails that appear legitimate, scammers aim to exploit trust and catch busy individuals off guard.

In a nutshell, DocuSign phishing emails mimic the trusted e-signature service, luring recipients with fake links to sign important documents.

How DocuSign-Themed Phishing Attacks Work

Phishers craft their schemes carefully, starting with emails designed to mimic official DocuSign communications. While these emails may not always perfectly mask the sender's address—since genuine DocuSign emails can originate from various sources due to customization—the intent is clear: to deceive recipients into revealing personal information.

Typically, the email claims the recipient needs to sign an important document, often financial in nature. In some cases, scammers include a PDF attachment with a QR code. Recipients are prompted to scan the code, allegedly to access the document. Instead, the QR code leads to a phishing website. By targeting smartphones, where phishing URLs are harder to spot and security software may not be installed, attackers increase their chances of success.

Some phishing attempts might not mention DocuSign at all. Instead, the reference to DocuSign appears only within the attached PDF. This approach capitalizes on the victim's assumptions, leading them to trust the content without scrutinizing it closely.

Some scammers go as far as mimicking DocuSign's visual design, including security codes and references to Microsoft SharePoint integrations. The level of sophistication can vary greatly—from basic attempts to highly convincing replicas.

Common Themes in Fake DocuSign Documents

 

Phishers often design fake DocuSign emails around familiar or urgent topics; examples include:

  • Too-good-to-be-true deals: Offers often involve large discounts or lucrative opportunities.
  • Sight-unseen rentals or sales: Claims about rental properties, sales, or purchases without any in-person interaction.

  • Tech support or subscription renewals: Notifications falsely claiming to represent trusted companies, urging immediate action.
  • Loans or debt relief: Promises of financial aid or reduced debt requiring upfront payments.
  • Urgent or threatening requests: Emails that create panic through deadlines, harassment, or legal threats.
  • Job offers from businesses with little to no public information: Employment opportunities from businesses with little or no public information.
  • Economic or hardship leveraging opportunities (e.g. pandemic, investment): Scams that leverage crises like economic downturns, pandemics, or investment opportunities to sound plausible.


How Actual DocuSign E-Signing Works

 

Using DocuSign to sign a document is straightforward and user-friendly. Here's how it works for regular users:

  1. Receive an Email: You'll get an email from the party requesting your signature. The email will prominently feature a big yellow Review Document button.
  2. Access the Document: Clicking this button takes you to DocuSign's website (on the secure docusign.net domain) via a unique link. You'll see a short message from the sender and another large yellow Continue button.
  3. Sign the Document: The document opens immediately—no passwords are required. You can review it, fill in any necessary details (like your name or date), apply your signature, and then click the Finish button. That's it! The process is simple, with no extra steps or complications.

What DocuSign Will Never Do

To help you spot phishing scams, here are a few things DocuSign notifications will never include:

  • PDF Attachments with Links: Legitimate DocuSign emails never include attachments. The Review Document button is always embedded directly in the email.
  • QR Codes Only: DocuSign provides links to access documents on any device. You'll never be forced to scan a QR code to sign.
  • Requests for Login Credentials: Signing a document doesn't require entering usernames, passwords, or other credentials. The unique link sent to you contains everything needed.
  • Mandatory Account Registration: While you may be invited to create a DocuSign account after signing, it's entirely optional.

How to Spot Imitation DocuSign Emails and Websites

Here are some key signs to help you recognize and avoid these scams:

1. Suspicious Links

Always access your documents directly from https://www.docusign.com using the unique security code in the email's footer. Before clicking any link, hover over it to verify the URL. Legitimate links are hosted on docusign.com or docusign.net. Beware of imitation links, as they can:

    • Redirect you to a fake website that collects your personal data.
    • Install spyware, enabling hackers to steal login credentials.
    • Trigger a virus download that could damage your computer.

2. Fake Sender Email Addresses

Scammers can forge email addresses in the "From" field. If you're unsure about the sender or weren't expecting a DocuSign email, verify its authenticity through a different communication channel.

3. Attachments

DocuSign emails never include attachments for signing documents. Attachments are only sent after all parties have signed, and they are always valid PDF files. Be cautious of any email attachments, especially zip files, HTML files, or executable files, which DocuSign never uses.

4. Generic Greetings

Legitimate DocuSign emails address you by name. Be wary of generic salutations like "Dear DocuSign Customer." However, also exercise caution with highly personalized emails if you don't recognize the sender or weren't expecting the message.

5. Urgent Threats

Scammers often use scare tactics, claiming your account is at risk unless you act immediately. DocuSign will never pressure you into updating account details via email under the guise of unauthorized activity.

6. Emails That Mimic Websites

Some phishing emails are designed to look like legitimate websites to trick you into providing personal information. DocuSign will never ask for login credentials or personal details through email.

7. Deceptive URLs

Fake websites often use slightly altered URLs, such as docusing.com instead of docusign.com. Always check your browser's URL bar for discrepancies and heed warnings about untrusted sites or certificates.

8. Poor Grammar and Spelling

Many fake emails contain spelling errors and bad grammar. While this may seem like a minor detail, these mistakes can help scammers bypass spam filters.

9. Unsecured Sites

Legitimate DocuSign pages always begin with https://, indicating a secure connection. If you don't see "https," don't enter any personal information.

10. Pop-Up Boxes

DocuSign never uses pop-up boxes in emails, as they're inherently insecure.

[Image: Example of a fake DocuSign email. Source: DocuSign]

DocuSign emails always come from an @docusign.net address and typically include a 32-character security code at the bottom of the email in the "Alternate Signing Method" section. This security code helps verify the email's authenticity and provides an alternative way to access the document. If you receive an email claiming to be from DocuSign but notice a different sender address or no security code, proceed with caution, as it may be fraudulent.
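The message-level signs described in this article (sender address, attachments, security code) can be checked automatically during mail triage. The Python sketch below is an added example, not DocuSign's or Bitdefender's code; the function names, the sample messages and the assumption that the security code is 32 letters and digits are all constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: the 32-character security code is a run of letters and digits.
CODE_RE = re.compile(r"\b[A-Za-z0-9]{32}\b")

def triage(raw: bytes) -> list:
    """Return the red flags found in one raw notification email."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    # The From header can be forged, so a match here proves nothing by itself;
    # a mismatch is still a cheap, reliable reason to distrust the message.
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    if not sender.endswith("@docusign.net"):
        findings.append("sender-not-docusign.net")
    # Signing requests carry no attachments (PDF with a QR code, zip, HTML...).
    for part in msg.iter_attachments():
        findings.append("attachment:" + (part.get_filename() or part.get_content_type()))
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is None or not CODE_RE.search(body.get_content()):
        findings.append("no-security-code")
    return findings

def build_sample(sender: str, text: str, attachment: str = "") -> bytes:
    """Build a constructed test message (hypothetical helper, sample data only)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.com", "Please sign"
    m.set_content(text)
    if attachment:
        m.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                         subtype="pdf", filename=attachment)
    return m.as_bytes()

# Constructed samples: one shaped like a genuine notification, one like the scam.
LEGIT = build_sample("DocuSign <dse@docusign.net>",
                     "Review Document\nSecurity code: A1B2C3D4E5F60718293A4B5C6D7E8F90\n")
FAKE = build_sample("Billing <docs@docusign.net.example.org>",
                    "Scan the QR code in the attached PDF to sign.\n", "Invoice.pdf")

if __name__ == "__main__":
    print(triage(LEGIT), triage(FAKE))
```

An empty result only means none of these three signs fired; the message still needs the link checks and out-of-band verification the article describes.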

All legitimate DocuSign notification emails contain a link to review the document, which should direct you to DocuSign's secure website. To confirm the link's legitimacy, hover your mouse over it without clicking; the URL should begin with https://www.docusign.net. Depending on the server location, the link may also include prefixes such as na2, na3, au, ca, eu, or demo (e.g., https://na2.docusign.net).


How to Report a DocuSign Scam Attempt

If you come across suspicious activity or documents misusing DocuSign, here's how you can report them:

  • Within the Signing Experience: Select Other Actions, then choose Report Abuse to notify DocuSign directly.
  • From the Email Notification Footer: Click the Report this email link located at the bottom of the notification email.
  • Using the Online Portal: If you don't have access to the envelope or notification email, you can submit a report through DocuSign's online portal at https://docusign.i-sight.com/portal.

For imitation emails or websites:

  • Fraudulent Emails: If you receive an email claiming to be from DocuSign that seems suspicious, forward it as an attachment to [email protected] and delete it.
  • Imitation Websites: For fake websites mimicking DocuSign, copy the URL and send it to [email protected] for investigation.

Protecting your business goes beyond guarding against individual scams. Consider an all-in-one solution like Bitdefender Ultimate Small Business Security, designed to provide exceptional protection against all digital threats for you and your employees.

Here's what it offers:

  • Email Protection: Automatically scans and blocks phishing emails, suspicious links, and fake invoices, preventing employees from clicking on malicious content.
  • Scam Detection: The Scam Copilot monitors emails, texts, and chats for signs of fraud. It alerts you and your team to potential scams and offers real-time guidance on how to handle them.
  • Password Management: Simplify security with Password Manager, which generates strong, complex passwords that align with best practices.
  • Secured Remote Work: A built-in VPN ensures your team is protected from unsafe public Wi-Fi networks, like those in coffee shops or airports. It guarantees secure communication between remote employees and your business systems.
  • Device Protection: Provides real-time detection and blocking of malware, including viruses, ransomware, and spyware, across all your team's laptops and smartphones.
  • Digital Identity Monitoring: Keeps an eye on your business's online presence, alerting you to data leaks, unauthorized use of your business name, or exposure of sensitive information—even on the dark web and in breaches.

Check out the plans here.

FAQs

 

How can I recognize a fake DocuSign email?

Fake DocuSign emails often contain suspicious elements like generic greetings ("Dear Customer"), urgent language claiming your account is at risk, or links directing you to non-DocuSign websites. Always check the sender's email address—legitimate notifications come from @docusign.net—and hover over any links to ensure they start with https://www.docusign.net. Never click on links or open attachments from unexpected or unknown senders.

What should I do if I receive a suspicious DocuSign email?

If you suspect an email is fraudulent, do not click on any links or open attachments. Forward the email as an attachment to [email protected] and then delete it. If the email includes a fake link or website, copy the URL and report it to the same address for further investigation. Stay cautious and verify the email's authenticity before taking any action.

How can I protect my business from DocuSign phishing scams?

Learn about phishing scams and the proper way to handle DocuSign notifications. Always verify the sender's email address and hover over links to check their legitimacy. Report suspicious emails to [email protected] and use cybersecurity tools like email protection software to filter out potential phishing attempts before they reach inboxes.

I signed a fake DocuSign document. What should I do?

If you accidentally signed a fake DocuSign document, take immediate action to protect your information:

  1. Change Your Passwords: Update the passwords for your DocuSign account and any other accounts that share the same login credentials. Use strong, unique passwords to enhance security.
  2. Monitor Your Accounts: Keep an eye on your email and financial accounts for any unusual activity, such as unauthorized logins or transactions.
  3. Report the Incident: Forward the fake email to [email protected] and provide details about the fraudulent document. This helps DocuSign investigate and prevent further scams.
  4. Use Bitdefender Ultimate Small Business Security to stay safe from scams in the future.

Author


Cristina POPOV

Cristina is a freelance writer and a mother of two living in Denmark. Her 15 years of experience in communication includes developing content for TV, online, mobile apps, and a chatbot.
