PayPal scammers are utilizing a clever Docusign tactic to increase the credibility of their phishing emails.
Malwarebytes Labs investigates the scam, revealing that the Docusign Application Programming Interface (API) enables users to send emails that appear to originate from legitimate Docusign accounts. These scammers can also leverage templates to impersonate well-known companies.
To execute this scheme, phishers create a Docusign account and use its templates to send convincing invoices appearing to be from PayPal. Victims may receive notifications about an ‘unauthorized’ transaction, along with a phone number to contact for account protection and refund processing.
Although the emails are sent via Docusign, allowing them to bypass many security filters, several warning signs reveal the deception. For example, the use of Gmail addresses for the PayPal customer service contact is a major red flag.
Malwarebytes notes, “It’s also peculiar that Docusign is used to send a document that does not require a signature.”
Docusign states that its team actively investigates and closes suspicious accounts within 24 hours of detection or reporting. When such accounts are flagged, most have already been identified by Docusign’s systems and are either under investigation or have been closed. Once an account is shut down, all envelopes sent from it become inaccessible to both senders and recipients.