DocuSign phishing emails: How to spot these scams

DocuSign scams are on the rise, but with some cybersecurity savvy, you can protect yourself from these phishing emails. Follow a few simple steps to enjoy the convenience of electronic signatures without compromising your personal information.

Jul 25, 2024

What is DocuSign phishing?

DocuSign phishing is a type of scam where fraudulent emails imitate official communications from DocuSign, a well-known electronic signature service, to gain access to your sensitive information.

If you’ve started a new job, taken legal action, or bought a home recently, you’ve likely encountered DocuSign. This service allows signing contracts and other legal documents on phones, computers, and tablets. However, cybercriminals have found ways to leverage DocuSign’s credibility for nefarious purposes.

DocuSign email scams abuse DocuSign’s brand recognition to trick you into revealing sensitive information, visiting malicious websites, or downloading malware. Once the deed is done, personal data like Social Security numbers, passwords, credit card numbers, and your physical address might fall into the hands of cybercriminals — leaving you open to various exploits and identity theft.

DocuSign scams can target individuals, corporations, and small businesses. One common example of a DocuSign phishing email is an employee benefit scam. Bad actors impersonate human resources employees from the victim’s company. Using templates that duplicate the official DocuSign branding, the cybercriminals send a random signature request by email relating to new benefits and compensation policies. However, when you click “Review document,” you are sent to a scam website, and you fall victim to URL phishing before you realize it.

How to spot a fake DocuSign email

If you’re unsure whether you are facing a DocuSign phishing attack, look for these red flags:

  • Unsolicited documents: If you haven’t requested any documents, you have almost certainly encountered a fraudulent email. Legitimate companies will contact you before sending a contract, addendum, or other legal agreement.
  • Suspicious links: Avoid clicking links in suspicious emails because they may be malicious. Check for subtle domain differences, like docusing.com instead of docusign.com, by hovering over links.
  • Suspicious sender addresses: Always verify the sender’s email address. Cybercriminals can use email spoofing to make it look like it’s from @docusign.com or a trusted contact.
  • Emails with login screens and pop-ups: If an email has a form or pop-up that mimics the DocuSign login screen, don’t enter your credentials. DocuSign never requests login info via email or pop-ups.
  • Under- or over-personalization: Be wary of overly personalized emails, especially from unknown senders. Over-personalization can indicate spear phishing.
  • Typos: DocuSign uses professional copywriters and editors, so all official communications are thoroughly proofed before they reach you. If you notice spelling errors, grammar issues, strange capitalizations, or phrases that don’t sound right in English, you are probably dealing with a fake email. Sometimes, scammers even intentionally include typos to dodge spam filters.
  • Pressure tactics: Scammers use urgency to make you act quickly, inventing emergencies like suspended accounts or unauthorized transactions. Contact DocuSign directly if you think your account is compromised.
  • Incomplete messages: If a message, especially one that seems urgent, cuts off abruptly, many people will naturally try to figure out the rest of the information. Don’t contact the sender or click anything; the entire email could be a malicious link.

How to identify legitimate DocuSign emails

DocuSign does send emails, so know these features of legitimate communications:

  • Security codes: Because DocuSign values its customers’ security, it always includes a unique security code, which allows users to access the document directly on DocuSign’s website instead of clicking links. This code is in the email’s “Alternate signing method” section.
  • Correct URLs: Hover over links in DocuSign emails to check the destination. Legitimate URLs usually start with https://www.docusign.com and may have region-specific prefixes like .eu or .au.
  • Secure websites: Before you provide sensitive information to any website, check the URL. Secure website URLs start with https, which stands for Hypertext Transfer Protocol Secure. This prefix lets you know that the data you send from your web browser to the website is encrypted.
  • PDF attachments: DocuSign only sends PDF attachments after you sign a document. If you see an attachment to a signature request, it is likely a phishing email. Don’t download the attachment, especially if it is a file type that DocuSign doesn’t use, such as ZIP or HTML.

If you’re unsure about a DocuSign email, contact their customer service directly to verify.
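
The link checks from the two lists above can be automated. The Python below is an added example (not code from DocuSign or from this page's author) that classifies the host of every link in an HTML email body as trusted, lookalike, or other. It assumes docusign.com is the only trusted domain, as stated above; the names TRUSTED, BRAND, classify_host and triage, the edit-distance threshold of 2, and the sample body are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domain named on this page; extend with hosts you have verified yourself.
TRUSTED, BRAND = "docusign.com", "docusign"

def distance(a, b):
    """Levenshtein edit distance, computed one row at a time."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

def classify_host(host):
    """Return 'trusted', 'lookalike' or 'other' for a link's hostname."""
    host = (host or "").lower().rstrip(".")
    if host == TRUSTED or host.endswith("." + TRUSTED):
        return "trusted"
    # Naive registrable label; a production tool would use the Public Suffix List.
    sld = host.split(".")[-2] if "." in host else host
    if BRAND in host or distance(sld, BRAND) <= 2:
        return "lookalike"
    return "other"

class LinkParser(HTMLParser):
    """Collects the href of every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.append(dict(attrs).get("href") or "")

def triage(html_body):
    """Return (verdict, href) for every link whose host is not trusted."""
    parser = LinkParser()
    parser.feed(html_body)
    verdicts = [(classify_host(urlsplit(h).hostname), h) for h in parser.hrefs]
    return [v for v in verdicts if v[0] != "trusted"]

# Constructed sample body (not a real message); hosts and paths are made up.
SAMPLE = """<a href="https://www.docusing.com/sign/abc">Review document</a>
<a href="https://docusign.com.login.example/verify">https://www.docusign.com</a>
<a href="https://www.docusign.com/sample">Help</a>
<a href="https://news.example.org/">Unsubscribe</a>"""

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

The second sample link shows why the visible link text cannot be trusted: the text reads as a DocuSign address while the href points at a different host. A trusted verdict on a link is not proof that the email is legitimate, since the sender address can still be spoofed.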

What should you do if you click on a DocuSign phishing email?

If you click on a DocuSign phishing email, your next steps depend on how much you interacted with the email. If you opened it but didn’t click anything:

  1. Forward the email to spam@docusign.com to make a formal report.
  2. Flag it as spam.
  3. Block the sender.
  4. Delete the email.

Follow these steps for what to do if you click on a phishing link:

  1. Don’t enter any personal data or payment information.
  2. Disconnect from the internet immediately to stop malware downloads.
  3. Scan your device for malware and delete anything found.
  4. Back up your files to an external hard drive.
  5. Change your passwords.
  6. Monitor your accounts for unusual activity.
  7. If you suspect identity theft, file a report with the Federal Trade Commission.

How to report suspicious emails to DocuSign

You should report phishing emails to DocuSign so that their security team can review the phishing attack and take any necessary action. Follow these steps to report DocuSign phishing attempts:

  1. Forward the scam email to spam@docusign.com.
  2. Report fraud through your DocuSign i-Sight portal.
  3. If you encounter a website impersonating DocuSign, copy the URL into an email and send it to spam@docusign.com.
  4. Mark the suspicious email as spam and delete it.
  5. Report DocuSign phishing emails to the Federal Trade Commission at ReportFraud.ftc.gov.
  6. If you have any further questions about DocuSign security, email security@docusign.com.

What information do you need to provide to DocuSign for an investigation?

When you report a phishing scam within DocuSign’s secure portal, DocuSign will ask for certain information to conduct its investigation. Be prepared to provide:

  • Your full name.
  • Contact information.
  • Envelope ID or security code.
  • Supporting evidence (such as screenshots or attachments).
  • Other sender contact info, if available.
  • A detailed description of the fraud.

Remember, only provide this sensitive information on DocuSign’s secure portal!

How to protect yourself from DocuSign phishing email scams

While it’s impossible to completely prevent phishing attacks or other scam emails, you can take some simple steps to protect yourself:

  • Use the SLAM method: The SLAM method is an easy way to identify phishing campaigns:
    • S: Check the sender.
    • L: Don’t click any links.
    • A: Don’t open any attachments.
    • M: Read the message and look for a sure sign of phishing, like spelling errors, odd phrasing, pressure tactics, and fraudulent subject lines.
  • Use a VPN: NordVPN’s Threat Protection Pro anti-phishing software blocks phishing and malicious websites to protect your data.
  • Access documents directly on DocuSign: Instead of clicking on email links, go straight to DocuSign.com and enter the 32-character security code to sign your documents.
  • Implement multi-factor authentication (MFA): MFA requires you to provide additional information when logging in, blocking cybercriminals from your account if your passwords are compromised.
  • Educate your employees: DocuSign scams target small businesses and corporations as well as individuals. Make sure your employees know how to spot and report a DocuSign scam.

DocuSign is a convenient service, and now that you know all about the proper security measures to avoid a phishing scam, you can use it safely.

Ugnė Zieniūtė

Ugnė Zieniūtė is a content manager at NordVPN who likes to research the latest cybersecurity trends. She believes that everyone should take care of their online safety, so she wants to share valuable information with readers.