Kaspersky is warning of a rising phishing scam involving fraudulent emails pretending to be from Docusign, a globally used e-signature platform. Cyber attackers are sending these emails with links to fake websites where users are asked to enter a work login and password.

The Docusign phishing attack begins with an email that resembles legitimate communication from the service provider. Unlike other phishing schemes, the malicious actors generally do not bother to forge or mask the sender address given how genuine Docusign emails can originate from any address due to the customisation options available to Docusign customers.

Typically, the victim is notified that they must electronically sign a financial-related document, with the click through link included in the email received. In some instances, the phishers can also include a PDF attachment with a QR code inside. The victim is prompted to open the attachment and scan this QR code, supposedly to access the document for signing, however in reality this leads to a phishing website intended to gather users’ credentials.

The tactics and quality of execution can vary from email to email. However, the core principle remains the same: phishers rely on the recipient not understanding how e-signing with Docusign actually works. The inattentive victim follows the link (or QR code) to the phishing page and enters their work login credentials, which go straight to the attackers. Usernames and passwords harvested through successful phishing attacks are often compiled into databases sold on illicit dark web marketplaces, and later used to attack organizations. The whole purpose of Docusign is to make it as easy as possible for companies and individuals to exchange electronically-signed documents. Any additional steps or restrictions — such as creating an account, entering credentials, opening attachments, or using only a smartphone to sign — go against this principle. Therefore, Docusign asks for none of this and strives to make the signing process as quick and simple as possible.

High-quality fake Docusign email

To protect against this Docusign phishing tactic or other scams that impersonate popular services, Kaspersky recommends the following:

• Have an understanding around how the genuine service works. For example, Docusign will never:
o Send a PDF attachment with a link to a document to be signed.
o Give you no choice but to scan a QR code. Docusign works on both mobile devices and computers, so a link is always provided to access the document – not a QR code.
o Require you to enter work login credentials.
o Force you to register with or log in to Docusign. After you sign the document, Docusign might suggest creating an account, but it’s entirely optional.
• Be cautious of links and attachments: Avoid clicking on any unexpected links or downloading attachments in unsolicited emails.
• Train employees: Companies should educate employees on how to recognise phishing attempts. Specialised training systems such as Kaspersky Automated Security Awareness Platform can be of help.
• Use security solutions: Filtering out suspicious and unwanted email at the gateway level with products such as Kaspersky Security for Mail Server prevents employees from being defrauded by socially engineered scams. Security solutions for endpoints relevant to the size of the organization – such as the Kaspersky Small Office Security or Kaspersky Next – will also secure from phishing redirects.
• Use multi-factor authentication: This measure adds an extra layer of protection for sensitive accounts and services.

“Phishers are increasingly using names of trusted services like Docusign. We advise all IT users both at work and at home to always verify the sender’s identity and avoid clicking on suspicious links. Companies should ensure their teams know how to identify phishing emails, while multi-factor authentication and email filtering solutions add an extra level of defence,” Roman Dedenok concludes.