PayPal scammers are using an old Docusign trick to enhance the trustworthiness of their phishing emails.
We’ve received several reports of this recently, so we dug into how the scam works.
The Docusign Application Programming Interface (API) allows “customers” to send emails that come from genuine Docusign accounts, and they can use templates to impersonate reputable companies.
To pull this off, the phishers set up a Docusign account and then use the templates provided by Docusign to send out legitimate-looking invoices from PayPal.
Because the emails come from Docusign, they can bypass many security filters.
This is an example of how these emails reach the targets.

We’ve identified an unauthorized transaction made from your PayPal account to Coinbase:
Amount: $755.38
Transaction ID: PP-5284440
To safeguard your account and process an immediate refund, you must contact our Fraud Prevention Team at:
+1 (866) 379-5160
Our representatives are available 24/7 to assist you in resolving this issue and preventing any additional unauthorized activity.
Your account’s security is our top priority, and we’re fully committed to helping you address this matter swiftly. We appreciate your immediate attention to this alert.
If you know this is a scam, you’ll likely see some red flags. The “From” address is a Gmail address which seems unlikely to be something that the genuine PayPal Customer Care department would use. Also, it seems weird that Docusign has been used to send a document that doesn’t require a signature.
Looking deeper, there are some more red flags. The “To” address does not belong to the receiver. It doesn’t even exist.
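The header red flags described above can be checked mechanically when triaging a reported message. The following Python sketch is an added example, not code from the original article; the sample message, the webmail and brand lists, the call-back number check, and the use of a `Delivered-To` header to identify the real recipient are assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Assumptions: short illustrative lists; extend them for your own mail flow.
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}
BRANDS = ("paypal",)
PHONE = re.compile(r"\+?1?[\s.-]*\(?\d{3}\)?[\s.-]*\d{3}[\s.-]*\d{4}")

# Constructed sample message (not the email from the article).
SAMPLE = """\
Delivered-To: alice@example.org
From: PayPal Customer Care <billing.notice@gmail.com>
To: nobody@example.net
Subject: Invoice sent via Docusign

We've identified an unauthorized transaction made from your PayPal account.
Contact our Fraud Prevention Team at +1 (555) 010-0199
"""

def _addrs(msg, *headers):
    """Lower-cased addresses found in the given headers."""
    values = [v for h in headers for v in msg.get_all(h, [])]
    return [addr.lower() for _, addr in getaddresses(values) if addr]

def red_flags(raw):
    """Return the red flags that apply to a raw single-part message."""
    msg = message_from_string(raw)
    body = "" if msg.is_multipart() else msg.get_payload()
    text = " ".join([msg.get("Subject", ""), msg.get("From", ""), body]).lower()
    flags = []
    # 1. A brand notice sent from a free webmail address.
    for sender in _addrs(msg, "From", "Reply-To"):
        if sender.rsplit("@", 1)[-1] in FREE_MAIL and any(b in text for b in BRANDS):
            flags.append(f"brand notice sent from webmail address {sender}")
    # 2. The visible To/Cc does not include the mailbox that received it.
    delivered = set(_addrs(msg, "Delivered-To"))
    if delivered and not delivered & set(_addrs(msg, "To", "Cc")):
        flags.append("To header does not name the actual recipient")
    # 3. Added heuristic: the body pushes the reader to call a phone number.
    if PHONE.search(body):
        flags.append("body contains a call-back phone number")
    return flags

if __name__ == "__main__":
    for flag in red_flags(SAMPLE):
        print("RED FLAG:", flag)
```

None of these checks is conclusive on its own; treat a hit as a reason to verify the document directly on Docusign.com rather than as a verdict.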

We tried to contact the scammer through WhatsApp, the Gmail address, and by phone, but didn’t get any replies.
If you’ve received an email like this and want to verify if it’s genuine, go directly to Docusign.com, click ‘Access Documents’ (upper right-hand corner), and enter the security code displayed in the email. If you get an error message, that means the document was removed or never even existed. That’s a huge red flag.
What can I do?
If you see an unauthorized PayPal payment linked to a Docusign activity, and you suspect it’s fraudulent, you should immediately report it to both PayPal and Docusign. Contact their customer service departments and use their respective reporting features, as these platforms can be used by scammers to make unauthorized charges under the guise of a legitimate document signing process.
If you think you are the victim of this type of phishing:
- Check your PayPal account: Log in to your PayPal account and review your recent transactions to search for and identify the suspicious payment.
- Report the incident to PayPal: To confirm an unauthorized payment, go to the PayPal Resolution Center and report the transaction as fraudulent.
- If you believe your PayPal account has been compromised, contact any bank that has an account linked to your PayPal account to check for and report potential fraudulent activity.
- Check your Docusign account: Review if there has been any recent activity to see if there are any suspicious documents or signatures you don’t recognize.
- Report to Docusign: You can report suspicious activity through its “Report Abuse” feature or by contacting its security team directly.
Docusign says its team investigates and closes suspicious accounts within 24 hours of the activity being detected or reported. When suspicious accounts are reported, the vast majority of those accounts have already been detected by Docusign’s systems and are either under investigation or have already been closed. Once an account is closed, all envelopes sent from the account are no longer accessible by the recipient or sender.
Key points to remember:
- Never click on suspicious links in unsolicited emails.
- Verify the sender: Always check if the sender’s email address matches what you would expect it to be. It’s not always conclusive but it can help you spot some attempts.
- Go directly to the Docusign site (rather than following links in the email or sponsored search results) to check if the document actually exists.