Fraud alerts
Fraud Alert: Watch out for Fake Invoice Phishing Scams
09/1/2025
We're seeing an increase in sophisticated phishing scams that involve both internal and external activity. These scams use the platform itself in combination with communication or actions that take place outside our system. This hybrid method uses an external email forwarding service to send malicious envelopes to large lists of recipients, making the emails appear to come directly from Docusign.
A common tactic is a fake invoice from a well-known company like Norton, PayPal, or Geek Squad. The scammer sends a fraudulent document that looks like it's from a legitimate source and asks you to call a phone number to resolve an issue. The goal is to trick you into giving away your bank or credit card information. Sometimes the email will even say the document has already been signed to pressure you into acting quickly.
Here are some examples of subject lines these scams might use:
Order completed successfully
Completed: Transaction Details 423
Purchase has been completed @ Sep 04, 2025
Security Notice: Refund Hold Needs Immediate Action with Your Authorization
Review needed: recent Primary account activity 💯 with Docusign: AH06dq76TXhc28Gw
What should I do if I receive one of these?
Do not click on any links in the email or attachments.
Do not call the phone number in the email.
Do not share any personal or financial information.
Report the suspicious email immediately through our Report Abuse feature or directly through our online web portal i-Sight.
Fraud Alert: Be Wary of HR and Payroll Themed Email Scams
08/1/2025
We've recently seen an increase in phishing scams where fraudsters pretend to be from Human Resources and Payroll Departments, or even government offices. Their goal is to trick you into taking action.
These scam emails often contain a malicious QR code that, when scanned, leads to a fake login page. The envelope itself may also contain another fraudulent QR code or a link taking you to an external site intended to steal sensitive information, which may include financial data, personal data or login details (username and password). This tactic is known as “quishing”.
Examples of subject lines to look out for:
EFT/ACH Remittance Information
Remittance Advice
What should I do if I get one of these?
Do not scan any QR codes or click on any links.
Do not enter your username or password on a page you reached from an email or QR code.
Do not click on any email or attachment links.
Report the suspicious email immediately through our Report Abuse feature or directly through our online web portal i-Sight.
Fraud Alert: Be Cautious of Government Impersonation Scams
07/3/2025
We have observed a concerning increase in phishing campaigns where fraudsters impersonate government offices, municipalities, and Procurement Departments. These attacks are designed to trick you into providing personal and financial information.
A common tactic is the use of a fraudulent envelope document that contains a malicious QR code. When scanned, this QR code directs you to a fake website designed to steal your login credentials, bank details, or other sensitive information. This tactic is known as “quishing”.
Examples of subject lines to look out for:
Complete with Docusign: City of San Francisco.pdf
Complete with Docusign: City Of Tampa.pdf
Complete with Docusign: LACity Purchasing Contract #W9125EK21D0006.pdf
Your City of Chicago News & Resources – September 2025.pdf - Please Review
What should I do if I get one of these?
Do not scan any QR codes or click on any links.
Do not enter your username or password on a page reached via a link or QR code from an unsolicited email.
Do not click on any email or attachment links.
Report the suspicious email immediately through our Report Abuse feature or directly through our online web portal i-Sight.
Verify any official communication by navigating directly to the government agency's official website.
Fraud Alert: Spoofed Docusign Emails
06/1/2025
We've observed a variety of new phishing campaigns where malicious URLs are hidden in fake Docusign emails. These emails are spoofed to appear as if they've been sent from docusign.net or docusign.com, but they did not originate from our legitimate servers.
These fraudulent emails contain a link that leads to a malicious page, not an official Docusign website.
Examples of recent malicious URLs:
https://docspan[.]elegilegi[.]org
https://ciadaestampa[.]com
https://esgn[.]lxml[.]org
beautifulenergywithbtvloving[.]com
Examples of subject lines to look out for:
Document Shared [individual or business name]
Attention Required: Documents Pending review_Ref ID: [reference ID] Amendment to Agreement
Review & eSign Contract Amendment on 2025-09-04
You have a new secure document to review - REF# 73847942EB#YSHS
How can you tell if it’s fake?
Look for mismatched branding: The emails may use color schemes or branding that do not match Docusign's official look and feel.
Check the sender's email: The sender's email address should always come from a legitimate Docusign domain, such as Docusign.net.
Hover over links: Before you click, hover your mouse over the "Review Document" link. If the URL that appears does not point to a Docusign website, it is likely a scam.
What should I do if I get one of these?
Do not click on any links in the email.
Do not enter your login information on any fraudulent pages.
Report the suspicious email immediately to verify@docusign.com
Fraud Alert: Uptick in Phishing Activity Detected, February 21, 2025
02/21/2025
Docusign has detected an uptick in phishing activity where malicious actors are exploiting Docusign solutions to send fraudulent invoices that appear authentic. Common themes include Norton, PayPal, and Remittance Advice. While, in the interest of security, we don’t disclose specifics that could alert bad actors to our prevention tactics, Docusign has a number of capabilities, technical systems and teams in place to help prevent misuse of our services. Activity matching this campaign can be reported to Docusign through our Report Abuse feature or directly through our online web portal i-Sight. As a reminder, do not click on any email or attachment links from unknown or untrusted senders. See the Security Incident Reporting page, How Docusign Users Can Spot, Avoid and Report Fraud, and Tools to Protect Your Data From Phishing for more information.
Fraud Alert: Phishing Campaign Observed, December 13, 2024
12/13/2024
Docusign has observed an uptick in phishing campaigns in which bad actors try to lure recipients into taking action by pretending to be from HR and payroll departments, as well as various municipalities.Examples of envelope content include:
"City of <city name>"
“Complete with Docusign: Payroll Summary.pdf”
“Complete with Docusign: Remittance Advice.pdf”
“<current Date>: <company name> US Employee Benefit Remittance and Payroll Review Approval.pdf”
“Portfolio Purchase Agreement Approved. Kindly review and sign.”
The emails sometimes contain a QR code leading to a phishing page, and the envelope itself may contain another malicious QR code or URL. The phishing page will attempt to capture usernames and passwords with a fake login prompt.Activity matching this campaign can be reported to Docusign through our Report Abuse feature or directly through our online web portal i-Sight. As a reminder, do not click on any email or attachment links from unknown or untrusted senders. See the Security Incident Reporting page, How Docusign Users Can Spot, Avoid and Report Fraud, and Tools to Protect Your Data From Phishing for more information.
Fraud Alert: Phishing Campaign Observed, November 6, 2024
11/06/2024
Docusign has observed phishing activity where bad actors are abusing Docusign APIs to send fake invoices (Norton, PayPal) that appear authentic. While, in the interest of security, we don’t disclose specifics that could alert bad actors to our prevention tactics, Docusign has a number of capabilities, technical systems and teams in place to help prevent misuse of our services. Activity matching this campaign can be reported to Docusign through our Report Abuse feature or directly through our online web portal i-Sight. As a reminder, do not click on any email or attachment links from unknown or untrusted senders. See the Security Incident Reporting page, How Docusign Users Can Spot, Avoid and Report Fraud, and Tools to Protect Your Data From Phishing for more information.