Alert: New Phishing Campaigns Observed
DocuSign has observed several new phishing campaigns that spoof DocuSign. Details for each are below.
1. The email sender appears as PEUT, Debra (depeut1) from dpeut1[@]eq.edu.au. The subject line is similar to "Internal Revenue Service (COVID-19 Stimulus Check)" The emails contain a link going to anbar.co/scdc/.
2. The email sender appears as DocuSign from dchernoff1[@]comcast.net. The subject line is similar to "Incoming Document Notification." The emails contain a link that takes you to cristianmponce.com/docsign.com-access-document/docusign/login.html.
3. The email sender appears as CU #COVID Electronic Documents via Docusign from betsy[@]austinhomestaging.com, and the name Owen G Kellerman is in the body as the sender. The subject line is similar to "CU #COVID: Document update for app 65799414." The emails contain a link and directs you electronic_documents[@]coronavirus-ctrl.org.
4. The email sender appears as "DocuSign via Tavares Schmitt from hicom-hap6710636[@]cbn.net.id. The subject line is similar to "FWD: 3754013 Please DocuSign this document: Change_to_Listin." The emails contain a link that takes you to waiting.website/34ufmba. Additional names referenced in the body of the email are Deron Rice, Montale Moving Services LLC, Mahwah Movers, Corinne Benvenuto, and Monica Reyes. Additionally, it states that "Rodora signed At Tuesday, May 5, 2020, Deron Rice opened and viewed your documents. Please this document: Change_to_Listing_Covid-19_2_1211.pdf."
These emails are not sent from DocuSign. Do not click on the links in these emails, instead, please forward them to firstname.lastname@example.org and then delete those emails immediately.
For more information on how to spot phishing, please see our Combating Phishing white paper.