DocuSign Phishing: A Growing Threat and How to Fight Back


How prevalent and sophisticated are the phishing attacks that use DocuSign as a lure? Is there a specific pattern or indicator that can help identify these malicious emails?


DocuSign is a popular service that allows people to sign documents electronically and securely. However, cybercriminals have also exploited its popularity and reputation to launch phishing attacks that aim to steal personal and financial information from unsuspecting users. These attacks can bypass some of the native cloud and inline email security solutions and target thousands of end users across multiple organizations.

According to DocuSign, phishing attacks using its brand have increased since the COVID-19 pandemic, as more people rely on online signatures to conduct business and transactions remotely. The attackers use various tactics to trick users into clicking on fake links, opening malicious attachments, or entering their credentials on spoofed login pages. Some of the common signs of a DocuSign phishing attack are:

  • Fake links: The document link in the email should be hosted at If it is hosted at another domain, such as or, it is likely a phishing attempt. Users can check the link by hovering their mouse pointer over it and looking at the URL.
  • Fake senders: The sender address should belong to However, this alone is not enough, as some attackers can spoof the address. Users should also verify the sender’s identity through other communication channels, such as phone or direct mail, if they are not expecting a DocuSign envelope from them.
  • Misspellings: The email may contain spelling or grammatical errors, such as “Dear Receiver” or “inquiries , contact”. These indicate a lack of professionalism and attention to detail, which are not typical of DocuSign.
  • Unknown or suspicious attachments or click links: DocuSign emails that request users to sign a document never contain attachments or click links. They only contain a “REVIEW DOCUMENT” button that leads to the DocuSign website. If the email contains an attachment or a click link, it is likely a phishing attempt that tries to infect the user’s device with malware or redirect them to a fake website.
  • Embedded links in the email: DocuSign emails do not contain any embedded links in the email body, such as “View Document” or “Sign Document”. They only contain a “REVIEW DOCUMENT” button at the bottom of the email. If the email contains any embedded links, it is likely a phishing attempt that tries to lure the user into clicking on them.
  • The use of the phrase “Dear Receiver”: DocuSign emails always address the recipient by their name or email address. If the email uses a generic or impersonal greeting, such as “Dear Receiver” or “Dear Recipient”, it is likely a phishing attempt that tries to target a large number of users.
  • Poor grammar, misspellings, or generic greeting: DocuSign emails are written in a clear and professional manner, with proper grammar and spelling. They also use a specific and personalized greeting, such as “Hello John” or “Hi Jane”. If the email contains poor grammar, misspellings, or a generic greeting, such as “Hello” or “Hi there”, it is likely a phishing attempt that tries to appear legitimate.
  • A false sense of urgency and/or demand: DocuSign emails do not create a false sense of urgency or demand for the user to sign the document. They only inform the user that they have received a document that requires their signature and provide them with the option to review it. If the email creates a false sense of urgency or demand, such as “You must sign this document immediately” or “Your account will be suspended if you do not sign this document”, it is likely a phishing attempt that tries to pressure the user into taking action.
  • Incorrect logo and branding: DocuSign emails use the correct logo and branding of the company, which are easily recognizable and consistent. If the email uses an incorrect or outdated logo or branding, such as a different color scheme or font, it is likely a phishing attempt that tries to impersonate DocuSign.

  • DocuSign phishing attacks can be very prevalent and sophisticated, as they use various techniques to bypass security measures and deceive users. However, users can protect themselves by being aware of the common signs of a DocuSign phishing attack and by following some best practices, such as:

  • Accessing DocuSign documents only through the DocuSign website or mobile app, not through email links or attachments.
  • Enabling two-factor authentication on their DocuSign account, which adds an extra layer of security and prevents unauthorized access.
  • Reporting any suspicious or fraudulent emails to DocuSign’s security team at [email protected] or [email protected].
  • Visiting DocuSign’s Trust Center for more information about DocuSign security and system performance.

  • By

being vigilant and informed, users can avoid falling victim to DocuSign phishing attacks and enjoy the benefits of electronic signatures without compromising their data and privacy.


Leave a Reply

Your email address will not be published. Required fields are marked *

Privacy Terms Contacts About Us