Cybercriminals exploit Docusign to target businesses dealing with the US government
Phishing has long preyed on trust, and recent attacks demonstrate just how sophisticated these schemes have become.
Phishing is now largely automated and executed at scale, which makes a widely trusted platform such as Docusign an attractive vehicle for cybercriminals: a single convincing template sent to a large pool of recipients, such as the vendor list of a large organization, can yield significant returns.
Consider, for example, that for November 8-14, 2024, researchers at SlashNext reported a 98% increase in Docusign phishing URLs compared with the preceding two months. During that single week, attackers used legitimate Docusign accounts and APIs to generate convincing signature requests capable of evading traditional email security measures.
These attacks are particularly dangerous for companies and vendors that work with state, municipal, and licensing government agencies. By impersonating trusted government entities, cybercriminals can trick businesses into signing fraudulent documents or making unauthorized payments.
According to SlashNext, various government organizations, including the Department of Health and Human Services, the Maryland Department of Transportation, the State of North Carolina’s Electronic Vendor Portal, and the licensing boards or municipal bodies of cities like Milwaukee, Charlotte, and Houston have been impersonated.
How phishing impersonation works
A typical phishing impersonation attack begins when a vendor receives an email that looks like a legitimate eSignature request from a government organization. To make the request as convincing as possible, the attackers rely on legitimate Docusign accounts and APIs to replicate official-looking templates.
The Docusign scam emails target vendors that frequently interact with government agencies and operate in industries where time sensitivity is the norm. A sense of urgency is typically a social engineering red flag, but in this case, recipients overlook it because it’s expected in their line of work.
“Users are being tricked by this attack because they trust the Docusign brand,” explains OneSpan CTO Will LaSala. “Attacks such as these are most successful when the eSign requests come from a docusign.com domain and direct users to a legitimate Docusign website for signing. Attackers exploit this trust by creating custom-branded transactions and email templates that mimic Docusign’s legitimate communications, trapping unsuspecting users.”
LaSala continues, “The attackers use screens that look identical to the ones users normally interact with, adding to the deception. This becomes especially problematic when businesses rely on external platforms to communicate with their customers, rather than using their own domains or email systems.”
To summarize, several elements play a role in the success of these attacks.
First, criminals use brand impersonation techniques that leverage actual Docusign accounts and APIs, making phishing emails almost indistinguishable from genuine ones. They also employ industry-accurate jargon and phrasing to enhance credibility. This means that the email not only looks real, it sounds real, too.
Second, the attackers research and time their phishing schemes to align with industry-specific deadlines, such as license renewals or contract submissions.
Third, since the emails originate from Docusign's own platform, they often bypass traditional email security: sender-authentication checks (SPF, DKIM, DMARC) pass because Docusign really did send the message, and reputation-based filters see a well-known, high-volume legitimate sender rather than a freshly registered lookalike domain.
“One of the most concerning aspects is attackers using APIs to send mass emails. While many recipients recognize these as spam, those already working with the impersonated brand are more likely to fall victim, letting their guard down,” adds LaSala.
How businesses can protect themselves
Businesses can mitigate the risks by implementing robust security measures. This includes:
- 1. Invest in employee training: Educate employees to recognize phishing attempts and maintain a healthy skepticism of unexpected urgent requests, especially during renewal periods or other sensitive times of the year.
- 2. Be on the alert for red flags: Look out for suspicious payment routing instructions, urgent contract requests, and atypical documentation requirements.
- 3. Check URLs and email domains: Confirm that sender addresses and links point to legitimate domains, and remember that this check alone is not enough here: the lures in this campaign are sent through Docusign's own platform, so the domain is genuine even when the request is not.
- 4. Verify requests: Always confirm the authenticity of eSignature requests through official channels. If you're not expecting an eSignature request from the government entity you work with on a project, call your contact person directly to verify that the request is accurate.
- 5. Enhance email filters: Use advanced tools capable of identifying suspicious patterns even in legitimate-looking emails.
- 6. Secure APIs: Apply API security best practices to the APIs your applications expose and consume, so that they cannot be abused by outside attackers: TLS for transport, authentication and rate limiting, data and input validation and sanitization, and logging that makes unusual sending volumes visible.
- 7. Use a white-labeled eSignature solution: Your own brand is your best defense. Employees and customers recognize your brand and are more likely to notice an attempt to impersonate it than an impersonation of a third-party electronic signature provider.
- 8. Strengthen security for repeated transactions: Sensitive and frequently repeated transactions—such as invoices, approvals, or documents containing personally identifiable information (PII)—should have additional security measures such as advanced authentication. Deploy phishing-resistant authentication technologies like FIDO passkeys and identity verification for sensitive transactions.
According to LaSala, “FIDO passkeys and identity verification provide robust defense against phishing, alerting users to potential issues before they begin the signing process. Unlike unencrypted SMS OTPs or security questions, which can be exploited via social engineering, these methods are resistant to phishing attempts.”
With FIDO passkeys, the user is alerted whenever an attempt is made to create a new passkey, whether during initial enrollment or later, when a passkey already exists and a new one is requested, by the user or by someone else.
FIDO passkeys are bound to a specific website or app through public-key cryptography: the private key stays on the user's device and the site stores only the matching public key. When the user authenticates, the browser or platform offers the passkey only for the domain (the relying party ID) it was registered to, and the signed response includes the origin the user is actually visiting. If a user is tricked into visiting a look-alike site, no passkey exists for that domain, so nothing can be signed, and a response relayed from elsewhere is rejected because its origin does not match.
This prevents the credential from being used on a malicious site. The biometric (fingerprint or face scan) or PIN that unlocks the passkey is checked locally on the device; neither it nor the private key is ever transmitted, so there is no shareable or reusable secret that an attacker could intercept, replay, or talk the user into handing over.
Identifying Docusign email scams
The sophisticated use of Docusign’s brand in phishing campaigns demonstrates how cybercriminals exploit trusted platforms to disrupt business operations. However, businesses can defend against these threats with heightened awareness, robust verification protocols, and a proactive approach to security.