DocuSign is an efficient way to obtain authentic signatures on contracts and invoices. As with other efficient tools, threat actors have found a way to abuse it: they are using the legitimate DocuSign API to send fake invoices in order to divert funds.

According to security researchers at Wallarm, “Unlike traditional phishing scams that rely on deceptively crafted emails and malicious links, these incidents use genuine DocuSign accounts and templates to impersonate reputable companies, catching users and security tools off guard.”

Because the threat actors send the envelopes through DocuSign's genuine API, the messages originate from DocuSign's own infrastructure rather than from a spoofed sender, so the tools that stop malicious email let them through to the recipient. The invoice sent from the attacker's account looks authentic, and the recipient signs it. The threat actor then uses the signed invoice to request payment from the finance department, which has no indication that the invoice is fake.
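The practical consequence of the paragraph above is that "did this really come from DocuSign?" is no longer a useful question; the answer is yes. The question that still separates a vendor's invoice from an impostor's is which DocuSign account sent the envelope. The following is an added example written for this post, not code from the original article or from DocuSign: it triages notification emails by ignoring the carrier and the display name and checking the sending account against an approved-vendor list. The message layout it parses (an @docusign.net From address, a "Sent by:" line naming the account, the vendor domains) is an assumption constructed for the example.

```python
"""Triage of DocuSign-style envelope notifications.

Added example for this post; it is not DocuSign's code and not from the
original article. It models the control that still works when the e-mail is
genuinely sent by DocuSign: identify WHICH DocuSign account sent the envelope
and compare it with the vendor master list, instead of trusting the carrier.

Assumptions (constructed for the example):
  - notifications come from an @docusign.net address; the display name
    "<Account name> via DocuSign" is chosen by the account holder, so an
    attacker can make it read like your vendor
  - the plain-text body contains a line "Sent by: <account e-mail>"
  - accounts payable keeps a list of approved vendor sender domains
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: approved counterparties, taken from the vendor master file.
APPROVED_SENDER_DOMAINS = {"acme-supplies.example", "northwind.example"}

FINANCIAL_TERMS = re.compile(
    r"\b(invoice|wire|remit(?:tance)?|payment|ach|bank details)\b", re.I)
# Assumption: the notification body names the DocuSign account behind the envelope.
SENDER_LINE = re.compile(r"^Sent by:\s*(?P<addr>\S+@\S+)\s*$", re.M | re.I)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw_email: str) -> dict:
    """Return the envelope sender, the findings, and a verdict for one message."""
    msg = message_from_string(raw_email)
    _display, from_addr = parseaddr(msg.get("From", ""))
    body = msg.get_payload()  # plain-text notifications only, for the example
    match = SENDER_LINE.search(body)
    sender_addr = match.group("addr").lower() if match else ""

    findings = []
    # 1. Classic spoof: the mail did not come through DocuSign at all.
    if _domain(from_addr) != "docusign.net":
        findings.append("from-domain-not-docusign")
    # 2. The case in the post: DocuSign really sent it, so the mail filter is
    #    silent. Only the sending account's identity tells you it is not your
    #    vendor. The display name is ignored on purpose: the attacker picks it.
    if not sender_addr:
        findings.append("envelope-sender-missing")
    elif _domain(sender_addr) not in APPROVED_SENDER_DOMAINS:
        findings.append("envelope-sender-not-approved-vendor")
    # 3. Money movement raises the stakes of an unknown sender.
    if FINANCIAL_TERMS.search(msg.get("Subject", "") + "\n" + body):
        findings.append("financial-content")

    if "from-domain-not-docusign" in findings:
        verdict = "hold-for-ap-verification"
    elif "envelope-sender-not-approved-vendor" in findings:
        verdict = ("hold-for-ap-verification"
                   if "financial-content" in findings else "review")
    elif "envelope-sender-missing" in findings:
        verdict = "review"
    else:
        verdict = "allow"
    return {"envelope_sender": sender_addr, "findings": findings, "verdict": verdict}


# Constructed sample notifications (not real traffic).
FRAUD_VIA_DOCUSIGN = "\n".join([
    'From: "Acme Supplies via DocuSign" <dse@docusign.net>',
    "Subject: Please DocuSign: Invoice 4471 - payment due",
    "",
    "Acme Supplies sent you a document to review and sign.",
    "Sent by: billing@acme-supp1ies.example",  # look-alike domain, real DocuSign account
    "",
])
LEGITIMATE = "\n".join([
    'From: "Acme Supplies via DocuSign" <dse@docusign.net>',
    "Subject: Please DocuSign: Invoice 4472",
    "",
    "Acme Supplies sent you a document to review and sign.",
    "Sent by: ap@acme-supplies.example",
    "",
])
SPOOFED_CARRIER = "\n".join([
    'From: "DocuSign" <noreply@docusign-notify.example>',
    "Subject: Please DocuSign: Invoice 4473",
    "",
    "Sent by: ap@acme-supplies.example",
    "",
])

if __name__ == "__main__":
    for name, sample in [("fraud via DocuSign", FRAUD_VIA_DOCUSIGN),
                         ("legitimate", LEGITIMATE),
                         ("spoofed carrier", SPOOFED_CARRIER)]:
        print(name, triage(sample))
```

The first sample is the scenario the post describes: a real DocuSign account with a look-alike vendor domain, a display name copied from the vendor, and an invoice attached. A sender-domain or authentication check passes it; the account-identity check does not. The verdict deliberately routes to accounts payable rather than to the mail gateway, because the decision that matters (is this our vendor, and do we owe this amount?) belongs with the people who hold the vendor master list.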

Wallarm states “Over the past five months, user reports of such malicious campaigns have noticeably increased and DocuSign’s community forums have seen a surge in discussions about fraudulent activities. This thread is one example: Phishing Emails from docusign.net Domain. These user reports highlight a worrying pattern: attackers are not just impersonating companies, but are embedding themselves within legitimate communication channels to execute their attacks.”

The attackers are not limited to DocuSign; other platforms that facilitate the signing of documents, invoices, and contracts are being abused in the same way. Wallarm's post provides various mitigation tips for avoiding these scams. Staying abreast of new scams helps protect us personally and helps protect our businesses. Companies may wish to educate their employees, particularly those who approve and pay invoices, about this scam to avoid becoming victims.

Linn Foster Freedman


Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chairs the firm's Data Privacy and Security and Artificial Intelligence Teams. Linn focuses her practice on compliance with all state and federal privacy and security laws and regulations. She counsels a range of public and private clients from industries such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine and charitable organizations, on state and federal data privacy and security investigations, as well as emergency data breach response and mitigation. Linn is an Adjunct Professor of the Practice of Cybersecurity at Brown University and an Adjunct Professor of Law at Roger Williams University School of Law. Prior to joining the firm, Linn served as assistant attorney general and deputy chief of the Civil Division of the Attorney General's Office for the State of Rhode Island. She earned her J.D. from Loyola University School of Law and her B.A., with honors, in American Studies from Newcomb College of Tulane University. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.