How To Spot A DocuSign Scam Email

DocuSign phishing is an email scam that looks like it's coming from DocuSign, a popular service that allows you to sign contracts and other documents electronically instead of physically but is not. This type of phishing aims to gather important information, like passwords and credit card numbers.

Within these emails, a link will redirect you to where you can enter your personal information. DocuSign phishing threatens organizations by enabling attackers to access sensitive information or signatures if users fall for their tactics. DocuSign lies in third place for phishing attacks, specifically at 12.7%.

If your organization uses DocuSign, it's essential to know the red flags of DocuSign phishing emails along with the best practices to protect against this prevalent and dangerous threat. This article will explain how DocuSign phishing works, indicators of DocuSign phishing to look out for, and how to protect your company against these attacks.    

What is DocuSign Phishing & How Does It Work?

During a DocuSign phishing attack, a user will receive a fake email mimicking the emails DocuSign sends. This email notifies the user and says a document is ready for them to review. A malicious payload link is concealed in text containing multiple redirects in the email. This often confuses victims and bypasses URL detection. If the user falls for the scam, the attacker will gain access to their DocuSign login, business email credentials, and any sensitive information stored. 

What Are the Potential Impacts of DocuSign Phishing on Business?

There are many potential impacts on an organization if a user falls victim to a DocuSign phishing attack. Effects range from increased costs, operational disruption, reputation damage, or loss of revenue. DocuSign phishing is associated with risks, including imitation of DocuSign, improper use, and other security concerns. These risks can affect a business in different ways. For instance, imitation could lead to you or another employee could sign a spoofed document. In addition, clicking and signing into these malicious links gives attackers access to your login credentials and other personal information stored on that account. 

How Can I Spot a DocuSign Scam Email?

There are a few qualities to look for when identifying if an email that claims to come from DocuSign indeed comes from DocuSign. DocuSign says the envelope emails will always come from a "docusign.net" email. Most will also contain a 32-character security code at the end of the email under "Alternate Signing Method." DocuSign states that in their emails, a link will take the user to their official website to review the document. By hovering the mouse over the link in the email, without clicking it, you can see the URL. Legitimate DocuSign URLs start with "https://www.docusign.net." There may also be other prefixes depending on where their server destinations are. An example of a fake DocuSign URL could be a simple misspelling like  "docusgin.net." Some spam hosts include "docs.google.com" and "feedproxy.google.com," even though they are trusted domains. Other indications of a DocuSign phishing email include misspellings and email attachments. DocuSign does not send emails with attachments. 

As previously mentioned, the sender address should be "docusign.net"; however, some have seen spoofed messages coming from that source. Other indicators should be checked before clicking. There are many signs to look out for, such as being addressed as anything other than your name, the security code being shorter than 32 characters, a link that says "REVIEW DOCUMENT," and misspellings and extra spaces. If the email you received from DocuSign looks suspicious, it's safest not to click on any links or attachments and report it on DocuSign's incident reporting page.

If you are not expecting an email from DocuSign, you should automatically be suspicious and question its veracity.

Best Practices for Protecting Against DocuSign Phishing

If your company is considering using DocuSign, many options exist to protect you and your business from attacks. The first critical step to protecting your organization from attacks is user awareness. There are multiple options to protect your organization. To ensure maximum protection, it's recommended to use most or all of these practices:

Train Your Employees

Training employees on how to identify a DocuSign phishing email will help limit their risk of falling for a scam. User awareness is one of the first steps in fighting against phishing, as well as other email-borne threats. Employees must know to be cautious of any email or message that claims to be from DocuSign and asks them to click on a link, download an attachment, or provide personal information. 

Implement Impersonation Protection

As previously mentioned, DocuSign phishing emails are often sent from invalid lookalike email addresses, so verifying the address can help determine the safety and legitimacy of an email and reduce the risk of interacting with fraudulent or dangerous mail. Having adequate impersonation protection is also critical in blocking these malicious emails before they reach the inbox. This protection should provide complete defense against spoofing and fraud through proper use of the SPF, DKIM, and DMARC email authentication protocols. 

Protect Against Malicious URLs

Because DocuSign phishing scams often rely on malicious links, having the right technology to detect these links is crucial. While HTML email allows users to hover over a link to view its destination, the reality is that most of us do not engage in this security best practice. Many email security solutions rely on URL rewriting to detect malicious links, but this strategy can provide users with a false sense of security and increase the likelihood of users clicking on malicious links. Instead, URL protection solutions should compare domains and hosts against common blocklists, scan destination websites in real-time for network vulnerabilities to determine if they are malicious or safe and evaluate URLs for credential content to detect fraudulent, zero-day credential-phishing sites. With this caliber of URL defense, emails containing malicious links will be flagged and quarantined, never reaching the intended recipient’s inbox.

Defend Against Social Engineering Attacks

DocuSign phishing emails often rely on stealthy social engineering tactics to deceive users using familiar relationships to engage and convince them to take a specific action or share information without knowing. As a result, adequate social engineering protection is essential in protecting against these scams. This protection should analyze various email attributes, including legitimate sender behavior and sender-recipient relationships, to intercept social engineering attempts before they reach the inbox.

Invest in Cloud Email Security

While the Cloud is an excellent way for organizations and users to communicate and store information, it's essential to remember that built-in security defenses alone are insufficient to protect sensitive data and confidential email communications against DocuSign phishing and other email-borne threats. Implementing a comprehensive cloud-based email security solution like Guardian Digital EnGarde Cloud Email Security is an excellent way to safeguard your organization against these modern threats. Solutions like EnGarde detect and block all malicious and fraudulent mail before it reaches the inbox using advanced technology and flexible filters, mitigating the risks of attacks and breaches due to human error.

DocuSign Attacks In Action

In 2021, a DocuSign phishing campaign involved targeting a company to steal Microsoft logins. There were around 550 members of the targeted company impacted by this scam. They all reviewed the same email; those who clicked the link were sent an electronic document through DocuSign. The preview looked like the legitimate landing page, prompting the user to “Please review and sign this document” and indicating that other parties have already signed the document. Users who clicked the document were taken to a Microsoft single login page. If the user entered their credentials at this stage, their information was accessed by the attackers. In the first three months of 2021, researchers found seven million malicious emails were sent from Microsoft 365, and 45 million were sent from Google’s cloud services. 

Keep Learning About DocuSign Phishing Protection

Fighting cyberattacks is necessary in today's modern age. The Internet, along with other forms of technology, are powerful tools, and with these powerful tools comes a greater risk of modern and sophisticated attacks. Organizations and users alike should be aware of the types of cyberattacks they face and what they can do to defend against them. 

• Implementing a comprehensive email security system can help prevent advanced threats, such as targeted spear phishing and ransomware. 
• You can also improve your email security posture to protect against attacks by following these best practices.
• Keep the integrity of your email safe by securing the cloud with spam filtering and enterprise-grade anti-spam services.
• Learn about phishing and how to defend your organization against it in our Phishing eBook.
• Get the latest updates on how to stay safe online.