Phishing email: you received invoice from DocuSign

Updated at: Jan 21, 2021
By Gatefy

Samples of a DocuSign phishing attack.

The pandemic boosted the contract and digital signature market, or e-signature. A good example was the growth of DocuSign: the total revenue of the company that provides digital document signing tools was USD 382.9 million, an increase of 53% for the year, according to its third quarter financial report.

This good result would certainly attract malicious people's attention. Gatefy identified and reported a phishing attack that uses the DocuSign brand to trick people and infect their machines with malware.

The crime is all done via email and now you can check more details about it.

Phishing abuses the DocuSign brand

The malicious email intercepted by Gatefy's antiphishing and antispam solution has the subject “You received an invoice from the DocuSign Service”.

The message closely resembles the identity used by DocuSign, such as its logo, content, footer, and even a button that invites the user to review and sign the document.

The risk would be to click on the button without paying attention to the details of the message that indicate a malicious email, ending up being infected with trojan, which is a type of malware.

Phishing attack warning signs

1. False sender address

The sender's name of the malicious email is "DocuSign Electronic Signature and Invoice Service", which can confuse the victim. But, by checking the email address, you can recognize the first sign of fraud: "rfeqgya@fishalumaice.com", which has nothing to do with the docusign.com domain.

2. Sense of urgency and importance

As we’re talking about an invoice, which is an important document type, the phisher induces the victim to click on the malicious link. In addition, invoices have payment deadlines, which adds a dose of urgency to the message and makes you fall for it.

3. Greeting and generic recipient

The email blocked by Gatefy uses a generic greeting: “Dear Receiver”. That is, it doesn't quote the recipient’s name at any time, which is strange and shows a fraud characteristic because a document as important as an invoice must certainly have the person's name in the message body.

4. Sense of confidence

To gain the victim's trust, phishing attacks use elements that bring legitimacy to the message. In this case, the malicious email says that there is an alternative way to sign the document and cites the legitimate website docusign.com. In addition, the message highlights the help center to solve questions and problems.

How to report and block phishing attacks

DocuSign has a service channel to report fraudulent emails and websites. You can send your samples directly to spam@docusign.com.

If you don’t want to risk your company receiving malicious emails like this, contact us. Gatefy makes use of advanced technology and artificial intelligence to detect different types of scams and cyber attacks.

After all, how would you like to protect your employees' inboxes: manually or automatically?

You can also check out more tips on phishing protection here. Keep following our blog so you don't miss the publication of new scams or educational articles on information security.

Check out the malicious email in full

The email content is reproduced as we detect it, including any grammatical errors.

"Review and sign this invoice.
(Button) Sign document.

Dear Receiver,
Please sign this invoice
This is an automatically created notification.

This note keeps a secure information. Please do not share this access code with other people.

Alternative signing way
Please visit docusign.com, click on 'Access Documents', and enter the code: E109C995F7.

About our service
Sign invoice electronically in just minutes. It is safe. Whether you are at work, home or on-the-go. Our service provides a trusted solution for digital transaction management.

Have questions about an invoice?
In case you need to modify an invoice or have concerns, contact the sender directly.

If you are having trouble signing an invoice, visit the help with signing page on our support center.

This message was sent to you by DocuSign Electronic Signatura Service."