Phishers Purchase Stolen DocuSign Logins, then Impersonate Your Business

Fraud and Security

Fraud and Security Alerts

Back to Fraud and Security Alerts

Phishers Purchase Stolen DocuSign Logins, then Impersonate Your Business

DocuSign is a great tool for managing electronic agreements and contracts with electronic signatures on various devices. Unfortunately, cybersecurity experts have seen an uptick in phishing emails that look very similar to legitimate DocuSign requests but are actually from fraudsters seeking to steal money.

It’s not DocuSign’s fault. Widespread adoption of the platform, combined with its trusted reputation, makes DocuSign a natural target, and cybercriminal tactics have gotten more sophisticated.

Most DocuSign phishing scams impersonate the real DocuSign platform’s emails to trick you into giving sensitive information, signing a document and/or making a payment. Sometimes scammers will even sign up for legitimate DocuSign accounts and use the service to appear reputable when sending you fraudulent documents or requests.

But more recently there’s been an even more complex and insidious pattern emerging.

Here’s how it works:

  • Criminals Pick Targets
    Scammers buy stolen DocuSign credentials on cybercrime forums and use them to snoop around stored contracts, vendor agreements and upcoming payment information.
  • Fake Requests and Invoices
    They impersonate the company they hacked by sending fake emails to the company’s business partners, asking them to transfer funds to an account controlled by the cybercriminals.
  • Victims Lose
    The unsuspecting recipient recognizes everything and assumes the request is legit. They process the payment – sometimes hundreds of thousands of dollars – because of faked DocuSign documents. And because the recipient is tricked into authorizing the transaction, it’s extremely difficult to retrieve the funds.

Hackers can also scoop up private information about upcoming mergers and financials, proprietary client lists and other sensitive data and use it to blackmail a company or demand ransom. 

We’ve published articles in the past about business email compromise and why software, training and insurance are so important, but here’s a refresher on what to look for:

  1. Check the sender's email address: Authentic DocuSign emails always originate from the or domains. Be wary of extra letters or variations (e.g.,,
  2. Note impersonal greetings and attachments and false sense of urgency as red flags: Phishing emails frequently use generic salutations (e.g., Dear Sir), whereas legitimate DocuSign emails address you by name. They often urge you to act quickly. And legitimate DocuSign emails do not contain attachments of any kind.
  3. Verify the security code format: DocuSign security codes are long and complex, like EA66FBAC95CF4117A479D27AFB9A85F01. Short or simple codes likely indicate a phishing attempt.


Quick Links