
The threat of fake invoices: Understanding DocuSign Envelopes API abuse

Cybercriminals are now using DocuSign’s Envelopes API to send fake invoices that look legitimate. Because the notification emails genuinely originate from DocuSign, they pass the sender-authentication and reputation checks that usually stop phishing mail.


What happened

In recent months, cybercriminals have been misusing DocuSign’s Envelopes API to distribute fake invoices that impersonate legitimate companies such as Norton and PayPal. The invoices are credible because the notification emails really are sent by DocuSign from its official domain, docusign.net: they pass SPF, DKIM and DMARC checks and carry DocuSign’s sender reputation, so email security controls that rely on those signals let them through. The goal is to get recipients to e-sign the fake invoice; a signed document can then be used to authorize payments that were never legitimately owed and to bypass standard billing oversight.


Going deeper

DocuSign’s Envelopes API is normally used by businesses to automate the document signing process. The attackers do not exploit a vulnerability in it; they abuse its intended functionality to send realistic invoices that impersonate well-known brands. Cybersecurity firm Wallarm found that the attackers use paid DocuSign accounts, which give them API access, to send the fake invoices. Using the ‘Envelopes: create’ API call (a POST to the account’s envelopes endpoint), they can generate and distribute large volumes of these fraudulent documents programmatically, increasing the likelihood that some recipients sign.

The scammers list realistic amounts on these fake invoices to appear more legitimate. A plausible figure is less likely to trigger scrutiny, encouraging recipients to sign without double-checking the details or the identity of the party that actually sent the envelope.


What was said

Wallarm’s findings have drawn attention to the misuse of DocuSign’s platform. Many users report receiving multiple phishing emails from the docusign.net domain every week, and DocuSign’s standard abuse-reporting channels appear ineffective.

One frustrated user shared, “I’m suddenly getting 3-5 phishing emails a week from the docusign.net domain, and none of the standard reporting email addresses seem to work.” The volume and automated nature of these campaigns point to an organized effort to abuse the platform. Cybersecurity experts have contacted DocuSign for details of its anti-abuse measures, but the company has offered few specifics.


In the know

DocuSign isn’t the only platform targeted in these schemes; cybercriminals also misuse trusted email and payment platforms such as PayPal to send convincing fake invoices and unauthorized billing requests. By sending through widely trusted services, attackers borrow those services’ legitimacy and sender reputation, often bypassing typical security checks and increasing the chance that the fraud succeeds.


Why it matters

This misuse of DocuSign poses serious risks to the integrity of electronic transactions. With more businesses relying on digital signatures for contracts and payment authorizations, fraudulent activity through platforms like DocuSign could lead to financial and reputational damage.


FAQs

What makes these fake invoices so convincing?

The emails appear legitimate because they are genuinely sent from DocuSign’s own domain, docusign.net, so they pass sender-authentication checks, and the documents inside mimic the branding and style of well-known companies.


How can organizations protect themselves?

To reduce risk, companies should verify the authenticity of any document requiring a signature, especially one that arrives unexpectedly: confirm the request with the purported vendor through a contact channel you already hold, not one given in the envelope, and check the name and email address of the party that actually sent the envelope rather than trusting the docusign.net domain. Mail filters should not treat docusign.net as an allowlisted sender, and invoice approvals should still pass through the normal accounts-payable controls even when a signed document exists. Additional email security that inspects message content for phishing can help catch what reputation-based checks miss.
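One concrete implementation of that check, as an added example rather than anything from the article or from DocuSign: a small Python triage filter that parses a notification email, refuses to treat a docusign.net From address as a trust signal, and instead flags authenticated DocuSign mail whose envelope sender is not on an allowlist of known counterparties and whose body reads like an invoice. It also illustrates the point made under “What happened” and “Going deeper”: the genuine mail passes SPF and DKIM, so the useful signals are who sent the envelope and what it asks for. The header layout, the dse@docusign.net address, the allowlist, and the use of Reply-To to carry the sender’s address are assumptions, and the sample messages are constructed.

```python
"""Triage filter for DocuSign notification e-mails.

Added example, not code from the article or from DocuSign.  What it
demonstrates: a message that genuinely comes from docusign.net passes
SPF/DKIM/DMARC, so the signal worth checking is who sent the envelope
and what it asks for, not the sending domain.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Assumption: e-mail addresses of counterparties we actually expect envelopes from.
KNOWN_SENDERS = {"accounts@acme-supplier.example"}

INVOICE_TERMS = re.compile(r"\b(invoice|amount due|payment due|renewal|billing)\b", re.I)
AMOUNT = re.compile(r"\$\s?\d[\d,]*(?:\.\d{2})?")


def classify(raw_message: str) -> dict:
    """Return a verdict and the extracted sender/amount details for one raw message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, from_addr = parseaddr(str(msg["From"] or ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    # Assumption: the envelope sender's own address is carried in Reply-To.
    _, sender = parseaddr(str(msg["Reply-To"] or ""))
    auth = str(msg["Authentication-Results"] or "").lower()
    authenticated = "spf=pass" in auth and "dkim=pass" in auth
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""

    if from_domain != "docusign.net":
        verdict = "not-docusign"        # out of scope; normal mail filters apply
    elif not authenticated:
        verdict = "spoofed-docusign"    # claims docusign.net but fails authentication
    elif sender.lower() in KNOWN_SENDERS:
        verdict = "expected"            # authenticated and from a known counterparty
    elif INVOICE_TERMS.search(text) or AMOUNT.search(text):
        verdict = "suspicious-invoice"  # authenticated, unknown sender, asks for money
    else:
        verdict = "review"              # authenticated, unknown sender, no money ask

    return {
        "verdict": verdict,
        "display_name": display_name,
        "sender": sender,
        "amounts": AMOUNT.findall(text),
    }


def build_sample(sender_name: str, reply_to: str, auth: str, body: str) -> str:
    """Construct a notification e-mail for testing.  Not a real DocuSign message:
    the dse@docusign.net address and the header layout are illustrative."""
    return (
        f"From: {sender_name} via DocuSign <dse@docusign.net>\n"
        f"Reply-To: {reply_to}\n"
        f"Authentication-Results: mx.example.com; spf={auth} "
        f"smtp.mailfrom=docusign.net; dkim={auth} header.d=docusign.net\n"
        "Subject: Please DocuSign: Document.pdf\n"
        "Content-Type: text/plain; charset=utf-8\n"
        "\n"
        f"{body}\n"
    )


# Constructed samples: one expected envelope, one brand-impersonating invoice,
# one spoof that fails authentication, and one unknown but non-monetary request.
SAMPLES = {
    "legitimate": build_sample(
        "Acme Supplier", "accounts@acme-supplier.example", "pass",
        "Acme Supplier has sent you a document to review and sign: Q3 service agreement."),
    "fake_invoice": build_sample(
        "Norton LifeLock Billing", "billing-desk@freemail.example", "pass",
        "Your annual renewal invoice is ready. Amount due: $349.99. Sign to authorize payment."),
    "spoofed": build_sample(
        "PayPal Billing", "support@freemail.example", "fail",
        "Invoice #4471 requires your signature."),
    "unknown_contract": build_sample(
        "New Vendor LLC", "legal@newvendor.example", "pass",
        "Please review and sign the attached NDA."),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        result = classify(raw)
        print(f"{name:16} {result['verdict']:20} sender={result['sender']} "
              f"amounts={result['amounts']}")
```

The ordering of the checks is the design point: authentication failures are handled first because DocuSign mail should always authenticate, the allowlist is consulted only after authentication so a spoofed Reply-To cannot earn trust, and the invoice-language check runs only for authenticated mail from unknown senders, which is exactly the case this campaign represents.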


Is DocuSign addressing this issue?

DocuSign has been contacted about its anti-abuse measures, though the specific actions it is taking remain unclear. It is expected to continue updating its security controls to counter these evolving threats.