Fraud Alert: Credential Harvesting Scam Impersonating Financial Institutions
05/22/2026
Attackers are using sophisticated phishing campaigns to impersonate financial institutions by sending fraudulent Docusign envelopes for purported payment bonus and disbursement confirmations. The goal is to solicit user engagement by leveraging a combination of QR codes and links to credential harvesting sites to steal login credentials. While these notifications originate from the Docusign platform and appear authentic, this activity is a malicious third-party exploitation of our services.
Our team is actively working to mitigate this type of abuse, including working to take down malicious sites used in these campaigns.
Here are examples of email subject lines:
Payment_Advice
Payment_Confirmation_Receipt
Payment_Disbursement
Transfer_Confirmation_Notice
Vendor Contract PayApp Ref# [REFERENCE NUMBER]
[FINANCIAL INSTITUTION]_authorization_[REFERENCE NUMBER]_enclosed.pdf
Here are some measures you can take to protect yourself and your data:
Check the sender and the message: Be cautious of unexpected emails, even if they look like they are from Docusign, especially if they are regarding an unexpected payment or disbursement.
Check Your Account Directly: If you receive an unexpected notification from a financial institution, do not click links, scan QR codes, or call numbers in the envelope/email. Scammers use these to trick you. Instead, go directly to the official source (e.g., your bank or financial institution) using a separate, secure connection to verify the payment or disbursement. A legitimate financial company will never ask you to transfer funds over the phone to "secure" assets.
Verify and Report Suspicious Activity: Safely access a document by going directly to docusign.com and using the Access Documents feature with the unique Security Code. If you receive a suspicious message, forward it as an attachment to verify@docusign.com, or use the Docusign Report Abuse Feature or Report Abuse Form.