DocuSign Scam 2024: How to recognize it and what to do about it.

by Jon Lober | NOC Technology

An overview of the prevalent DocuSign phishing scam: 2024

For several years, scammers have been leveraging the growing popularity and convenience of online e-signature and contract platforms for their own illicit gains. Not surprisingly, the list of spoofed companies includes the most widely-used of them all—DocuSign. These fraudulent emails are particularly dangerous since many victims are already accustomed to trusting the platform with personal information - including social security numbers and bank routing numbers.


Here at NOC Technology, we recently received a flurry of these emails in inboxes across our business. In this article, we will share our example of a DocuSign email phishing attack, how to identify a DocuSign scam, and how to report this email fraud to the appropriate parties.



DocuSign Phishing Email Example

Several NOC Technology users received an email from “DocuShared ® Review” with the subject line: “Action required: DocuShared ® to NOC email address.” Upon opening the email, the recipients discovered (what appeared to be) a very standard DocuSign email, complete with DocuSign’s recognizable wordmark logo, blue envelope screen, and yellow “Review Document” button.  



Phishing Lures: The Scammer’s Methods.

At first glance, everything about this email seems normal. For someone unthinkingly handling DocuSign documents on a daily basis, or someone waiting for a document, it would be all too easy to click.


  1. Direct delivery to your inbox: Advanced scammers are able to slide this type of message past email filters, dodge the spam box, and land it right next to the email from Jane in accounting. Behind the scenes, the plain text version of the email confounds security software, and the result is prime placement of tempting clickbait.
  2. Name and logo well-known companies: The DocuSign name is synonymous with security and reliability. The scammer’s use of its name and logo plays directly to the potential victim’s inherent trust in these companies.
  3. Passive call to action: This email does not directly ask the victim for anything suspicious, avoiding the internal alarms that go off when someone receives a pushy email asking for payment.
  4. Generic sender names and subject lines: On the surface, everything about this email’s details seem like standard corporate communication.
  5. Use of the ® (Registered Trademark) symbol: Although the detail might seem insignificant, when combined with professional logos, layout, and colors, the air of legitimacy around this email begins to build.
  6. Incomplete message: Although this could simply be an error on the part of the scammer, or a tactic designed to avoid security measures (like we will see below), it could also be a genius move. The entire email is actually a clickable image that links the victim to the scammer’s landing page. Any attempts to click on the page to see the complete image could actually put the victim’s cybersecurity in real danger.





Red Flags: How to recognize a fake DocuSign email

Although this scammer has put some real effort into getting this message through to a target’s inbox, trained observers will quickly recognize several indications that the email is a fraud.

  1. Communication regarding an unsolicited service: If you are not expecting to provide your electronic signature for legitimate reasons, you should immediately disregard any such communications
  2. Sender’s email address: Though many scammers conceal their identity by spoofing their sender name, a quick peek at the actual email address should reveal whether or not an email is legitimate. Communications from DocuSign should always end in @docusign.com or @docusign.net (or a regional equivalent). Any iCloud, Gmail, Yahoo, or other type of personal account indicates fraud.
  3. Information via image file. The entire body of this email is a PNG file. Though they may insert JPG or PNG files for visual flair, respectable organizations are not likely to send important information in an image file.
  4. No personally identifying information: Everything about this email is generic, since it is likely bcc’d to an anonymous list of potential victims. The scammer did not include any specific information in the email—such as the target’s name.
  5. Caution banner: Although most of us are now used to ignoring warning banners—this email is a perfect example of why we should not. The banner is intended to make us double-check the details of an email from an external origin—just to be sure.
  6. Inconsistent use of the DocuSign name: Although the term appears several times in the email details, “DocuShared” is actually a Xerox product.
  7. Missing security details: Though casual users might not know to look for this security feature, DocuSign emails will always provide an alternative method to validate any requests for a signature. All DocuSign signature requests contain a unique security code that allows users to access their file directly from the official DocuSign website. This information has been intentionally cut off from the bottom of the image in our fraudulent email.



Although our example email did not use this particular tactic, DocuSign has previously reported are likely spam.

  • MS Office 365
  • Windows Defender purchased order
  • Order successfully
  • Complete with DocuSign: Bot Content (90).html
  • Fire wall protection order successfully placed


In late 2023, DocuSign also reported a new phishing scam in which bad actors impersonate HR departments. Those scams include the following subject lines.

  • New Employee Benefit and Compensation & Salary Increment for your Review
  • New Benefit and Compensation
  • HR Sent you a document
  • EMPLOYEE BENEFIT POLICY


It's also worth noting that Docusign changed their logo in April 2024. You can be sure that any genuine communication from the company will follow the new brand standards.

What should you do when you encounter a DocuSign scam?


Once you have determined that the email in your inbox is not legitimate, take the following actions to protect yourself and others.

  1. Report the fraud to DocuSign. Fortunately, DocuSign is well aware of phishing scams and is working hard to combat fraud purported in its name. Forward any fraudulent emails to spam@docusign.com. You can learn more about DocuSign phishing attacks and website spoofs in their white paper.
  2. Report fraud to the FTC. As the federal entity in charge of consumer protections, the FTC asks you to report this type of phishing scam through their dedicated Report Fraud website.
  3. Report phishing to your email service provider. Most major email providers (like Google and Microsoft) make it easy to report phishing. You should see a button in your inbox to Report as Spam/Phishing/Fraud.
  4. Block the sender.
  5. Permanently delete the email. Make sure to eliminate the email from your inbox and your trash can in order to eliminate the possibility of an accidental click in the future.



Did you bite? What to do if you fell for a DocuSign scam.

 

Uh-oh. You took the bait. You clicked. Now what?

 

Unfortunately, this happens every day. Time is now of the essence. By moving quickly, you can mitigate the damage caused by this fraud attempt

 

  1. If you paid a scammer through Western Union, MoneyGram, or a debit, credit, or gift card, you should immediately contact the financial institution that facilitated the payment and let them know that it was a fraudulent charge and ask them to reverse the payment or refund your money. If you sent cash through the USPS, you can attempt to intercept your package before the scammer receives it. If they receive the cash, or if you paid in cryptocurrency, you will probably not be able to recover your money.
  2. If a scammer has access to your personal information such as your social security number or identifying information, visit identitytheft.gov to report the theft and put together a plan to recover your identity.
  3. If you gave a scammer your username and password, or suspect that they have remote access to your phone or computer, run antimalware software on your computer immediately and seek professional help from a cybersecurity expert. 

 

The FTC maintains a helpful page of advice and resources for anyone that has fallen prey to a phishing scam and provides specific instructions for what to do in your particular dilemma. In many cases, you will have a better outcome if you respond as quickly as possible to the issue. Act quickly and seek professional assistance if you feel that the issue is beyond your ability to address.


Endpoint protection is one key requirement of most cyber insurance policies.
By Jon Lober November 14, 2024
What requirements can I expe ct from a cyber insurance policy?
By Jon Lober November 12, 2024
The key to productivity with Windows 11 is not just having the right tools— it's knowing how and when to use them. Experiment with these features and find the ones that best fit your workflow.
NOC Technology proudly supports Union, MO with better IT
By Jon Lober November 10, 2024
Franklin County deserves better IT.
More Articles
Share by: