Report security concerns

Docusign’s trust is top priority and reports of suspicious activity are taken seriously. It’s imperative that security concerns are shared with us to ensure issues are addressed timely and appropriately. This page outlines the difference between imitating DocuSign via spoofing or impersonation used in phishing campaigns and the improper use of Docusign customer accounts to commit fraud, as well as the correct reporting channel for each. 

Concerns related to an actual DocuSign customer account are considered fraud and improper use of our platform. Conversely, attempts to trick people into believing emails are related to or from an actual DocuSign customer account are imitation attempts.

Reporting imitation of DocuSign

Our customers are the first line of defense against cybersecurity threats. Detecting cyber security issues quickly reduces the possibility of negative consequences. The information below explains how to detect cyber security threats via imitation (also called spoofing) and report them to DocuSign’s information security team for investigation.

Dedicated threat reporting channels

DocuSign has dedicated reporting channels based on the type of threat:

  • DocuSign-themed imitation emails and websites: If you think that you’ve received a fraudulent email purporting to come from DocuSign, forward the entire email as an attachment to spam@docusign.com and delete it immediately. If you identify a website imitation of DocuSign, please copy and paste the URL into an email to spam@docusign.com for investigation. 
  • Other security incidents and DocuSign-themed threats for investigation: New cybersecurity threats occur regularly. To support DocuSign information security and threat intelligence, report security incidents and DocuSign platform threats to security@docusign.com.

Guidelines for identifying imitation emails and websites

If you don’t recognize the sender of a DocuSign envelope and are uncertain of the email’s authenticity, look for the unique security code included in all DocuSign envelopes at the bottom of the notification email. If you don’t see this code, don’t click on any links or open any attachments. Review our Combating Phishing white paper to learn more.

Email example of incident reporting with old branding

Image caption: Example of an imitation of DocuSign brand used in phishing attempts

Signs of imitation emails and websites

  1. Imitation links

    Avoid imitation links by accessing your documents directly from https://www.docusign.com using the unique security code found at the bottom of the DocuSign notification email.

    Always check where a link goes before clicking by hovering your mouse over the link to review the URL (it should be hosted on docusign.com or docusign.net). An imitation link is dangerous and can:

    • Direct you to an imitation website that tries to collect your personal data
    • Install spyware (which can enable a hacker to monitor your actions and steal login credentials) on your system
    • Cause you to download a virus that could disable your computer
  2. Imitation sender email address

    Imitation emails may include a forged email address in the "From" field, which is easily altered. If you don’t recognize the sender of or weren't expecting a DocuSign envelope, contact the sender to verify its authenticity.

  3. Attachments

    DocuSign emails that request you to sign a document never contain attachments.  Don’t open or click them within an email requesting your signature. DocuSign emails only contain PDF attachments of completed documents after all parties have signed the document. Even then, pay close attention to the attachment to ensure it’s a valid PDF file. DocuSign never attaches zip files or executables.

  4. Generic greetings

    Many imitation emails begin with a generic greeting like “Dear DocuSign Customer.” If you don’t see your name in the salutation, be suspicious and don’t click on any links or attachments. Conversely, also be aware of highly personalized emails, especially if you do not know the sender or were not expecting the communication.

  5. False sense of urgency

    Many imitation emails try to deceive you with the threat that your account is in jeopardy if you don’t provide immediate updates. As it relates to DocuSign, they might claim that unauthorized transactions have occurred on your account and its imperative that you update your account information immediately.

  6. Emails that appear to be websites

    Some imitation emails are made to look like DocuSign or other websites to get you to enter personal information. DocuSign never asks you for personal information, such as login credentials, via email.

  7. Deceptive URLs

    Just because the address looks OK, don't assume you're on a legitimate site. Look in your browser's URL bar for signs that you may be on a phishing site:

    • Often the address of a phishing site deviates slightly from its legitimate counterpart: for instance, it might say docusing.com instead of docusign.com
    • Your browser can detect certain types of malicious sites—always heed its warnings, especially when it notifies you that a site or certificate can’t be trusted
  8. Misspellings and bad grammar

    While no one is perfect, imitation emails are often rife with bad grammar and mispellings. The errors could be intentional; such mistakes help fraudsters avoid spam filters.

  9. Unsafe sites

    The term "https" should always precede any website that requests personal information. (The "s" stands for secure.) If you don't see "https," you're not in a secure Web session, and shouldn’t enter any personal data. A legitimate DocuSign sign-in page address always starts with “https://.” 

  10. Pop-up boxes

    DocuSign never uses a pop-up box in an email, because they aren’t secure.

Reporting improper use of DocuSign

Reports of customers violating DocuSign’s Terms & Conditions are investigated as needed. This section outlines how to identify suspected improper use of DocuSign, including customer account fraud, how to report it, what information we collect, common fraud themes, alerts, resources and additional information.

What to report as suspected improper use of DocuSign

A customer suspected of fraud or illegal activity can be reported to DocuSign if they are in violation of the restrictions on use of the site.

How to identify an email coming from an actual DocuSign customer account

DocuSign customer envelope emails will always come from @docusign.net email address and most will contain a 32-character security code in the bottom portion of the email under the “Alternate Signing Method” section shown in the image below.

If you are suspicious of a DocuSign envelope's authenticity, we recommend you access the envelope directly form DocuSign.com. For more information, visit our Alternative Signing Method Security Code Access page. 

All DocuSign envelope email notifications contain a link that takes you to the DocuSign site to review the document. To review and verify that the link is directing you to a DocuSign site, hover over it without clicking on it (see below). A DocuSign site link will begin with “https://www.docusign.net/Member/EmailStart” followed by a string of characters. The link may also include a prefix of one of our other server designations ‘na2’, ‘na3’, ‘na4’, ‘au’, ‘ca’ or ‘eu’ (e.g. https://na2.docusign.net/Member/EmailStart).

IMPORTANT: Use caution when hovering over the link to avoid clicking on it. 

How to report

There are two ways to report improper use of an account to DocuSign. You can do so  by using the Report this email link at the bottom of your email (Figure 1), or by sending an email to SecurityAccountAbuse@docusign.com.

Clicking on the link takes you to our Report Abuse form where you can report various types of abuse, including fraud/illegal activity. 

Figure 1

Figure 2

Selecting “I believe this is fraudulent or contains illegal content” from the Report Abuse form (Figure 2) and the “DocuSign may contact me to request additional information” box, could prompt you to receive a DocuSign envelope containing a Request for Allegation Details questionnaire from IU_DSFraud@docusign.com. This form is used to gather critical details needed to investigate the alleged activity, as shown below.

To report via email send to SecurityAccountAbuse@docusign.com with as much of the following information as possible:

  • Your full name and contact information
  • Envelope ID or security code
  • Supporting documents (attachments, screenshots, forms, etc.)
  • Customer/sender name (business/individual) and email address
  • Any other known customer/sender identifiers (e.g. physical address, phone number, etc.)
  • Thorough description of what happened
  • Other pertinent information

DocuSign doesn't access envelope contents, even if authorized by the customer or recipient/complainant. Supporting evidence is often necessary to assess the severity of the violation and further substantiates the allegation details provided.

What not to report as improper use of DocuSign

Misaddressed email notifications

A misaddressed email is not a clear indication of fraudulent activity. If you receive an envelope email notification in error, follow the Decline to sign instructions. Gmail users, visit the Gmail Help Center for more information on why you may be receiving wayward envelopes.

Imitation DocuSign email notification (non-customer activity)

Do not report imitation DocuSign emails including spoof or look-alike, as improper use of DocuSign. Scammers may create look-alike email addresses/domains (e.g., docu-sign.com, docus1gn.com, docusigh.com, etc.) in an attempt to impersonate DocuSign emails. 

Unwanted emails or excessive reminders

If you are receiving unwanted DocuSign emails,report them using the appropriate reason selection in the Report Abuse form shown above in Figure 2.

What information is collected and why

DocuSign collects critical details about the activity to effectively investigate and mitigate fraud on our platform. The information helps identify the account holder, related envelope activity and serves as evidence supporting any necessary actions, such as closing an offending account.

We request::

  • Complainants full name and contact information
  • Envelope ID or security code
  • Envelope ID is located in the top right corner of each page in the document (format: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX)
  • Attachments, screenshots, and forms
  • Customer or business name and email address
  • Any known identifiers not included in the envelope email (e.g. physical address, phone number)
  • Any other information you deem pertinent

Trends, tactics, activity and themes

Based on some themes our fraud team at DocuSign has observed, here are some trends to watch out for:

  • Too good to be true prices or offers
  • Site unseen rentals or sales
  • Tech support (pop-ups) or subscription renewal claiming affiliation to a well known company
  • Loan offer or debt relief requiring up front fees
  • Sense of urgency, harassment, or threatening tactics
  • Job offers from businesses with little to no public information
  • Economic or hardship leveraging opportunities (e.g. pandemic, investment)

Be cautious of the following types of activity and themes:

  • Impersonation of an individual, business, financial institution, government or other organization
  • Elder exploitation
  • False affiliation claims
  • Improper solicitation of personally identifiable information (PII). Examples of PII include:
    • SSN or other national identification number
    • Date of Birth
    • Bank account number
    • Credit card number
    • Telephone number
    • Medical record number
  • Phishing/malware
  • Pyramid schemes
  • Prolific scams (employment, investment, lending, real estate, sales, tech support, travel, debt relief, etc.)

Follow-up report

How to provide more information

To provide additional information for a previously filed complaint, send an email to SecurityAccountAbuse@docusign.com. To ensure new information is linked to the original report, include a mention of the original report, the Envelope ID/security code (if known), your full name and email address.

Investigation status and updates

Our Terms & Conditions restrict us from disclosing user data. This means we do not respond to complainants with investigation status or outcomes.

Fraud specific alerts

Phishing campaign

Additional resources

DocuSign

Report crimes

DocuSign will not contact law enforcement on behalf of a potential victim. If you believe a crime was committed, report it to the appropriate authorities. Review the links below for some larger government agencies you should report to in addition to local law enforcement. If you are unsure, contact your local authorities for additional guidance.

United States (US)

Internet fraud or cyber crime Internet Crime Complaint Center (IC3)
Scams, fraudulent businesses or unwanted calls Federal Trade Commission (FTC)
Identity theft (visit the Identity Theft webpage for more information) FTC ID Theft

Non-US

International scams eConsumer.gov
Fraud and cyber crimes ActionFraud
Financial fraud scams (unauthorized firm or individual) Financial Conduct Authority (FCA)