Fraud alerts
Subscribe using the Docusign Safety Center Alerts RSS feed URL: https://www.docusign.com/trust/safety/feed. Add an RSS reader extension to your browser (Chrome, Firefox), or enable via Outlook on a PC.
We have observed attackers executing sophisticated phishing scams that use a combination of workflow notifications from Docusign Maestro and external communication. The goal appears to be to trick recipients into believing they have an unexpected invoice or subscription renewal from a trusted corporation (such as Microsoft) and lead them to contact a fake support number to steal personal and financial information.
Here are some example subject lines:
Your subscription remains active– Microsoft
Your Microsoft Purchase Confirmation
How can I protect myself from these phishing attempts?
Scrutinize the Sender and Content: Even if an email appears to come from a trusted domain like Docusign, be highly suspicious if the content involves an unexpected invoice or an unfamiliar subscription. Legitimate notifications from Docusign workflows will never contain a link to log in to your account or to take further action such as signing.
Verify Independently: If you receive an unexpected invoice or purchase confirmation, do not click on any links or call any phone numbers provided in the email. Instead, independently navigate to the official website or service portal for the purported sender (e.g., Microsoft's official site) to check your subscription status or billing history.
Look for Red Flags: Be wary of emails demanding immediate action, using generic greetings, or containing slight misspellings or poor grammar.
Report Suspicious Activity: If you suspect a notification is a scam or are unsure of its authenticity, report it immediately through one of the following methods:
Use the Report Abuse feature directly.
Submit a report via our online web portal i-Sight.
We have recently observed reports of fraudulent emails that impersonate seasonal notifications from trusted brands, including Docusign. This activity is a form of external brand impersonation where scammers use seasonal themes, such as gift orders (e.g., wine deliveries) or year-end and year-start documents (e.g., related to benefits enrollment, tax forms, policy updates), to create a false sense of urgency.
Identify the risk
The goal of these emails is to trick you into clicking malicious links. These links may redirect you through multiple websites to a fake login page designed to steal your credentials or personal information.
What to look for
Inconsistent branding: Scammers may use a mix of current and legacy branding (e.g., the older DocuSign with a capital S). Watch for outdated logos, mismatched fonts, or formatting errors.
Suspicious senders: Always check the sender’s email address. Official notifications will only come from @docusign.com or @docusign.net. Exercise caution with any email claiming to be from Docusign that originates from an unofficial domain. Regardless of the sender, you should always be cautious of domains you do not recognize.
Unexpected content: Remain vigilant regarding any documents or signature requests you were not anticipating, and treat unsolicited emails with skepticism — even from a sender you believe you recognize. If you are in doubt, avoid interacting with the email and instead confirm the request is legitimate by contacting the sender through a verified phone number or a known, trusted email address.
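For mail administrators, the sender and branding checks above can be expressed as a triage function. This is an added example, not Docusign's code; it also flags the callback phone-number lure described in the other alerts on this page. The function name, flag names, phone pattern and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

OFFICIAL_DOMAINS = {"docusign.com", "docusign.net"}   # as stated in the alert
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{8,}\d")       # loose pattern (assumption)

def triage(raw: str) -> list[str]:
    """Return the warning signs found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    # Collect every text/plain part; HTML-only mail would need tag stripping.
    body = "\n".join(
        part.get_payload(decode=True).decode("utf-8", errors="replace")
        for part in msg.walk() if part.get_content_type() == "text/plain")
    text = f"{display}\n{msg.get('Subject', '')}\n{body}"

    flags = []
    # Claims to be Docusign but the From domain is not an official one.
    # From is spoofable, so a pass here proves nothing on its own.
    if "docusign" in text.lower() and domain not in OFFICIAL_DOMAINS:
        flags.append("unofficial-sender-domain")
    if "DocuSign" in text:                 # legacy capital-S spelling
        flags.append("legacy-branding")
    if PHONE_RE.search(body):              # "call this number" lure
        flags.append("callback-phone-number")
    return flags

# Constructed sample messages (addresses and phone numbers are fictitious).
SPOOFED = (
    'From: "DocuSign Notifications" <no-reply@docs-mailer.example>\n'
    "Subject: Completed: Transaction Details 423\n\n"
    "Your order was processed. To dispute it call 1-800-555-0100.\n")
HYBRID = (
    'From: "Billing via Docusign" <sender@docusign.net>\n'
    "Subject: Order completed successfully\n\n"
    "Invoice attached. Questions? Call (800) 555-0100 today.\n")
LEGIT = (
    'From: "Alice via Docusign" <sender@docusign.net>\n'
    "Subject: Please review the NDA\n\n"
    "Alice sent you a document to review and sign.\n")

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED), ("hybrid", HYBRID), ("legit", LEGIT)]:
        print(name, triage(raw))
```

The hybrid sample passes the sender-domain check and is caught only by the phone-number flag, which is why the sender address alone is not a sufficient test.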
Recommended action
Do not click: Avoid interacting with buttons or links in any unexpected, suspicious email.
Verify independently: To safely access a document, go directly to docusign.com and enter the unique Security Code found at the bottom of the email using the Access Documents feature.
Report: If you receive a suspicious message, forward it as an attachment to verify@docusign.com for analysis. We will quickly provide confirmation indicating whether the content is legitimate or contains suspicious material, along with recommended next steps you should take. For business users, we also recommend reporting the incident to your security or IT department to ensure your organization is aware and can take any additional necessary precautions.
We're seeing an increase in sophisticated phishing scams that involve both internal and external activity. These scams use the platform itself in combination with communication or actions that take place outside our system. This hybrid method uses an external email forwarding service to send malicious envelopes to large lists of recipients, making the emails appear to come directly from Docusign.
A common tactic is a fake invoice from a well-known company like Norton, PayPal, or Geek Squad. The scammer sends a fraudulent document that looks like it's from a legitimate source and asks you to call a phone number to resolve an issue. The goal is to trick you into giving away your bank or credit card information. Sometimes the email will even say the document has already been signed to pressure you into acting quickly.
Here are some examples of subject lines these scams might use:
Order completed successfully
Completed: Transaction Details 423
Purchase has been completed @ Sep 04, 2025
Security Notice: Refund Hold Needs Immediate Action with Your Authorization
Review needed: recent Primary account activity 💯 with Docusign: AH06dq76TXhc28Gw
What should I do if I receive one of these?
Do not click on any links in the email or attachments.
Do not call the phone number in the email.
Do not share any personal or financial information.
Report the suspicious email immediately through our Report Abuse feature or directly through our online web portal i-Sight.