Branddocs

DocuSign Phishing


How to report phishing incidents to DocuSign

From time to time, alerts about phishing emails sent to users in DocuSign’s name are published on the DocuSign Trust Center and on social networks.

The emails impersonate DocuSign’s brand in an attempt to deceive recipients; they carry attached documents that install malicious software when clicked.

As part of DocuSign’s response to phishing incidents, the eSignature service, envelopes and client documents were confirmed to be secure.

Nevertheless, on Monday, May 15th, it was detected that a malicious third party had obtained temporary access to a secondary system used for service announcements.

A full analysis confirmed that only email addresses were accessed. No names, physical addresses, passwords, social security numbers, credit card numbers or any other type of information were obtained. The content of documents sent by clients through DocuSign’s eSignature system was not compromised. DocuSign’s electronic signature core, envelopes, documents and client data remained secure at all times.

Additionally, it was confirmed that only persons with a DocuSign account were affected by the incident. In other words, signers who do not have a DocuSign account were not on the list of email addresses that were maliciously accessed.

Since then, DocuSign has taken immediate measures to block the unauthorized access to the system, has reinforced its security controls and is working with the authorities.

Recommendations

As a trust mark, and to protect it against any phishing incident, we recommend taking the following measures to guarantee the security of your email and systems:
  • Delete any emails with the subject “Finalized: [domain name] – bank transfer for [recipient name] Document ready for signature” or “Completed [domain name/email address] – Invoice [Number] Document ready for signature”. These emails are not from DocuSign: they were sent by a malicious third party and contain a malware link.
  • Forward the suspicious emails to DocuSign at spam@docusign.com and then delete them from your computer. Be wary of emails from unknown senders, unexpected requests to sign documents, spelling or grammatical errors (such as “docusgn.com” without an “i”, or @docus.com), emails with attachments, and emails that direct you to a link that starts with anything but http://www.docusign.com/ or https://www.docusign.net/.
  • Make sure that your antivirus is active and updated.
  • Review our whitepaper about phishing and share it with your company.
Once more, your trust and the security of your transactions, documents and data are the top priority at DocuSign. The DocuSign signature system remains secure, and you and your clients can continue to do business with DocuSign with complete confidence.


To obtain more information, visit the DocuSign Trust Center, where any further information on the matter will be published.

We also include below the frequently asked questions (FAQs) on the incident, which answer some additional questions, including confirmation that only DocuSign users were affected.

Frequently Asked Questions

What really happened?
  • Several weeks ago, DocuSign detected an increase in phishing emails sent to some clients and users; as a result, an alert was published in DocuSign’s Trust Center and on social media.
  • The emails impersonated DocuSign’s brand in an attempt to deceive recipients into opening the Word attachment, which installed the malicious software when clicked.
  • As part of its management of phishing incidents, DocuSign confirmed that the eSignature service, the envelopes and client documents remained secure.
  • Nevertheless, on May 15th, it was confirmed that a malicious third party had gained temporary access to a secondary system, not a central one, used for service-related announcements.
  • A complete analysis confirmed that the only data obtained were email addresses. No names, physical addresses, passwords, social security numbers, credit cards or other information were obtained. No access was gained to content or client documents sent through the DocuSign eSignature system. DocuSign’s digital signature core service, the envelopes, documents and client data remained secure.
Are all my envelopes and DocuSign data secure?
As part of the phishing incident response process, it was confirmed that the eSignature service, envelopes and client documents remained secure.
Was my DocuSign instance affected?
There is no evidence that any instance of DocuSign was affected. As part of the phishing incident response process, DocuSign confirmed that the eSignature service, the envelopes and client documents within DocuSign remained secure.
What information was affected?
A list of email addresses stored in the secondary system used for service-related announcements.
Is it possible that they accessed my clients or their email addresses?
Yes, it is possible that your clients were on the affected list. We recommend using the existing materials in the DocuSign Trust Center to help clients who are victims of phishing.
And my staff emails?
Yes, it is possible that they were accessed as well.
How many people were affected? How many email addresses were implicated?
At this time, the results are still being analysed. The investigation is ongoing and we cannot comment on the details.
What systems were affected?
As part of the ongoing investigation, we confirm that a malicious third party gained temporary access to a secondary system used for service announcements.
Why did we find out through social media?
DocuSign communicated actively through the Trust Center when it first discovered the increase in phishing emails targeting clients and users. On May 15th it was confirmed that they continued to increase. Updates were posted both in the Trust Center and on the website, and were also published on social networks and through direct communication.
Is there more information affected than just my email?
A full analysis confirmed that only email addresses were accessed: names, physical addresses, passwords, social security numbers, credit card numbers and other information were not compromised. The content of documents sent through the DocuSign eSignature system was not accessed. The DocuSign eSignature core service, envelopes, documents and client data remained secure.
How are you sure that it was only my email?
A complete analysis confirmed that only email addresses were accessed: names, physical addresses, passwords, social security numbers, credit card numbers and other information were not compromised. Document content sent through DocuSign’s eSignature system, the service core, envelopes, documents and data all remained secure.
What should I do?
The following steps are recommended to guarantee the security of your email and systems:
  • Delete any emails with the subject “Finalized: [domain name] – bank transfer for [recipient name] Document ready for signature” or “Completed [domain name/email address] – Invoice [Number] Document ready for signature”. These emails are not from DocuSign: they were sent by a malicious third party and contain a malware link.
  • Forward the suspicious emails to DocuSign at spam@docusign.com and then delete them from your computer. Be wary of emails from unknown senders, unexpected requests to sign documents, spelling or grammatical errors (such as “docusgn.com” without an “i”, or @docus.com), emails with attachments, and emails that direct you to a link that starts with anything but http://www.docusign.com/ or https://www.docusign.net/.
  • Make sure that your antivirus is active and updated.
  • Review our whitepaper about phishing and share it with your company: https://trust.docusign.com/static/downloads/Combating_Phishing_WP_05082017.pdf
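The indicators in the Recommendations section and in this answer (the two subject templates, the lookalike sender domains and the rule that genuine links stay on docusign.com or docusign.net) can be turned into a mail-triage check. The following is an added example, not DocuSign’s or Branddocs’ code; it assumes that docusign.com and docusign.net and their subdomains are the genuine hosts (the page names only the two www. URLs), and the sample messages in it are constructed.

```python
# Added example (not DocuSign's or Branddocs' code) applying the advisory's indicators.
# Assumption: docusign.com / docusign.net and their subdomains are genuine; samples are constructed.
import re
from urllib.parse import urlparse

GENUINE_DOMAINS = ("docusign.com", "docusign.net")
# Bracketed placeholders in the reported subjects become wildcards; the dash may be "-" or an en dash.
SUBJECT_PATTERNS = [re.compile(p, re.I) for p in (
    r"^Finalized: .+ [-\u2013] bank transfer for .+ Document ready for signature$",
    r"^Completed .+ [-\u2013] Invoice .+ Document ready for signature$")]
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def edit_distance(a, b):
    """Levenshtein distance: one edit separates 'docusgn' from 'docusign'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_genuine_host(host):
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in GENUINE_DOMAINS)

def is_lookalike_domain(domain):
    """Catches docusgn.com (typo), docus.com (truncation) and docusign-login.example."""
    if is_genuine_host(domain):
        return False
    return any("docusign" in lab or ("docusign".startswith(lab) and len(lab) >= 4)
               or edit_distance(lab, "docusign") <= 2 for lab in domain.lower().split("."))

def triage(msg):
    """List the advisory indicators tripped by a message dict {'from', 'subject', 'body'}."""
    hits = []
    if any(p.match(msg["subject"].strip()) for p in SUBJECT_PATTERNS):
        hits.append("subject matches a reported phishing template")
    sender_domain = msg["from"].rsplit("@", 1)[-1].strip("> ")
    if is_lookalike_domain(sender_domain):
        hits.append("lookalike sender domain: " + sender_domain)
    for url in URL_RE.findall(msg["body"]):  # the advisory: genuine links stay on docusign.com/.net
        if not is_genuine_host(urlparse(url).hostname):
            hits.append("link outside docusign.com/.net: " + url)
    return hits
PHISH = {"from": "DocuSign <noreply@docusgn.com>",  # constructed, mirrors the reported wave
         "subject": "Completed acme.example \u2013 Invoice 4471 Document ready for signature",
         "body": "Your document: http://198.51.100.23/review/invoice.docx"}
GENUINE = {"from": "DocuSign <dse@docusign.net>", "subject": "Please sign: vendor agreement",
           "body": "Open: https://www.docusign.net/signing/example"}  # constructed
```

`triage(PHISH)` returns three hits (subject template, lookalike sender, off-domain link) while `triage(GENUINE)` returns none; hits are triage signals for a mail gateway or analyst, not a verdict on their own.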
What measures has DocuSign taken to solve this problem?
Immediate measures were taken to block unauthorized access to the system. Security controls were reinforced and DocuSign is working with the authorities.
Is this related to the global ransomware attack that took place on May 12th?
No.
Were the emails of my staff, clients, or clients’ clients implicated in this incident?
Thanks to the investigation, we were able to confirm that signers without a DocuSign account were not on the list of email addresses that were maliciously accessed. In other words, only direct DocuSign clients may be affected: clients who signed a document and opted to open a DocuSign account, or clients who registered for a freemium account through docusign.com, an integration or DocuSign mobile.
Do I need to communicate with all of them?
We recommend that you use the existing materials in DocuSign’s Trust Center to help staff, clients or clients’ clients protect themselves against phishing attacks.
For more information in Spanish, write us at soporte@brand-docs.com