Cybersecurity firm SlashNext has issued a warning about a surge in malicious DocuSign phishing links, with attackers deploying hundreds of new instances daily. These links appear legitimate and are being used to target businesses with fake documentation, such as licensing renewals, compliance demands, and contract modifications.
Between November 8 and 14, the number of observed phishing attempts was 98% higher than those recorded during September and October combined. SlashNext reports that attackers are impersonating government agencies, commercial contractors, and municipal projects to deceive victims.
“These attacks pose a dual threat for contractors and vendors—immediate financial loss and potential business disruption,” the report states. Fraudulent signatures can trigger unauthorized payments and create confusion around licensing status, leading to delays in bidding for new projects or maintaining existing contracts.
DocuSign, a trusted electronic signature platform, is being exploited in these scams. Attackers use legitimate DocuSign accounts and APIs to create realistic phishing templates. A typical attack involves an urgent and seemingly authentic request. For instance, a North Carolina contractor received a fake notification from the state licensing board, warning of an $85,000 “emergency compliance bond” required to avoid the shutdown of a $12 million hospital project. Similarly, a Milwaukee contractor was tricked into signing a document related to a $2.8 million renovation project, resulting in an unauthorized charge of $175,000.
These sophisticated scams exploit trusted relationships, timing their attacks to align with predictable licensing cycles and using industry-specific terminology to enhance credibility. Cybercriminals also bypass traditional email security measures by leveraging legitimate DocuSign infrastructure.
This tactic isn’t new; attackers have previously used DocuSign to distribute phishing links or send fake invoices impersonating brands like Norton and PayPal. Organizations are urged to prioritize ongoing security awareness training, emphasizing the importance of verifying requests before acting, especially under time pressure.
DocuSign has acknowledged the issue and stated that it employs technical measures and dedicated teams to combat misuse of its platform. However, businesses must remain vigilant to protect themselves from these evolving threats.