A sophisticated phishing scam is circling the industry, leveraging the trusted name of DocuSign to compromise email accounts and try to steal sensitive information.
This fraudulent campaign is designed to trick recipients into revealing their email login credentials, which are then used to perpetuate the scam by targeting their entire contact list, creating a viral wave of attacks that appear legitimate.
How it works
- You receive an email with a fake DocuSign link for an NDA, invoice, or other urgent document from someone you likely know
- The link leads to a fake login page (e.g., a fake Google or Microsoft login).
- They try to steal your password, access your account, and then email the same scam to your contacts from your address.
How to protect yourself & your Company
- Be sceptical: Received an unexpected document? Call or text the sender to verify it’s real before clicking.
- Check the link: Hover over any link before you click. If it’s not a legitimate docusign.com address, it’s very likely a fake website.
- Go direct to the source: If you’re unsure, go to the DocuSign site directly in a browser, or log in to your DocuSign account directly through their official website, not through an email link.
- Enable Multi-Factor Authentication (MFA): This is the single best way to protect your accounts, even if your password is stolen. Make sure your account has MFA turned on.
- Educate your team: Make sure everyone in your company knows about this scam, and how to report a potential phishing attack.
Stay vigilant! These scams look convincing because they may come from compromised accounts of people you know.
