Scammers Fake Docusign Templates to Blackmail & Steal From Companies

Published: 23/11/2024   Category: security




Cybercriminals are trafficking Docusign assets that allow for easy extortion and business email compromise.



Phishing emails mimicking Docusign are rising, thanks to a thriving underground marketplace for fake templates and login credentials.
Over the past month, researchers from Abnormal Security claim to have tracked a significant increase in phishing attacks designed to mimic legitimate Docusign requests. A quick trip down the rabbit hole took them to a Russian cybercrime forum, where sellers peddled a variety of templates resembling authentic emails and documents.
The market's leading document-signing software has long provided fertile grounds for phishermen. Its popularity helps, as does the fact that it's often used to store and transfer valuable documents with sensitive data. Docusign emails tend to be generic, making them a cinch to forge, with a big, yellow button beckoning users to click before they think twice about it.
"Everybody's been conditioned — especially after some time in the workplace — that Docusign links look a certain way," explains Mike Britton, CISO of Abnormal Security. "It's got the blue background, the Docusign logo, that [characteristic] look and feel. In any given week I probably deal with half a dozen different things that I have to sign for Docusign — whether it's from a vendor, a partner, whatever — I'm kind of conditioned to see it, click it, and kind of go into autopilot."
To achieve that perfect look and feel necessary to lull victims into autopilot, an attacker might take the time to craft legitimate-looking Docusign email and document templates from scratch. Amateur, lazy, overworked, or simply logical and efficient hackers might instead purchase ready-made malicious ones from online marketplaces. After all, Britton says, the cost of a fresh template for Docusign, Amazon, PayPal, and more runs as little as US $10.
With such a cheap resource in hand, attackers can craft phishing emails that trick employees of targeted organizations in any number of ways. They can send fake documents with prompts for users to enter their personally identifying information (PII), for example, or they can redirect users to fake login pages for submitting their real Docusign login credentials. Then they can leverage the data they obtain or, more likely, sell it on to the next buyer in the food chain.
As Britton says, "We're long gone from the days where cybercriminals own the entire lifecycle [of an attack]. Now, if I want to go attack 10,000 victims and steal money from them, I'm just going to go buy credentials, [and] buy access — the necessary assets to shortcut it."
So besides email and document templates, there's also a thriving market for the login credentials that phishers glean. And here is where the attacks start to get ugly.
With cheap login credentials, hackers can probe employees' Docusign histories for all the sensitive documentation they've engaged with in recent months. They can use information from employer contracts, vendor agreements, and payment information as fodder for blackmail in extortion attacks, or they can sell it to attackers even further down the line. They can also use it to identify new, higher-value targets, and impersonate specific individuals at a company or partner company.
For example, an attacker can time a request for remittance around the time a company typically pays its vendor every month. Using information from a compromised employee's Docusign history, they can impersonate a direct superior, or a vendor finance department's point person, and attach specific, real documents to the email for reference.
To prevent this, or any number of other potential worst-case scenarios, Abnormal Security recommends that employees always look out for suspicious email sender and link addresses, impersonal email greetings, and uncharacteristically short Docusign security codes, and open documents directly from the company's website rather than via email. And, finally, don't open documents you're not expecting.
"Everybody's busy," Britton acknowledges. "Whether you're in the office, or a hybrid work environment where you've got personal life coming at you, the safest bet is to just pick up the phone and say: 'Hey, I just got this email from you. Is it legit?'"
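The indicators Abnormal Security lists above (sender address, link address, impersonal greeting, short security code) can be checked mechanically in a mail-triage step. The sketch below is an added example, not code from Abnormal Security or Docusign; the trusted-domain list, the greeting pattern, the 20-character threshold, and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions, not from the article: the trusted domains, the greeting list,
# and the minimum code length used to mean "uncharacteristically short".
TRUSTED_DOMAINS = ("docusign.com", "docusign.net")
MIN_CODE_LEN = 20
GENERIC = re.compile(r"^\s*(dear|hello|hi)\s+(customer|user|client|recipient)\b", re.I | re.M)

def trusted(host):
    """Exact domain or true subdomain only, so lookalike hosts fail."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def triage(raw):
    """Return the indicators from the article's checklist found in one message."""
    msg = message_from_string(raw)
    body = "\n".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace")
                     for p in msg.walk() if not p.is_multipart())
    found = []
    if not trusted(parseaddr(msg.get("From", ""))[1].rpartition("@")[2]):
        found.append("sender")
    urls = re.findall(r"https?://[^\s\"'<>]+", body)
    if any(not trusted(urlparse(u).hostname) for u in urls):
        found.append("link")
    if GENERIC.search(body):
        found.append("greeting")
    code = re.search(r"security code:\s*([A-Za-z0-9]+)", body, re.I)
    if code and len(code.group(1)) < MIN_CODE_LEN:
        found.append("short_code")
    return found

# Constructed sample messages (not real traffic).
SUSPICIOUS = """\
From: Docusign <dse@docusign-mail.example>

Dear Customer,
Review document: https://docusign.net.sign-portal.example/doc?id=1
Security code: 4F2A9
"""
CLEAN = """\
From: Docusign <dse@docusign.net>

Hello Dana Smith,
Review document: https://www.docusign.net/doc?id=1
Security code: 0123456789ABCDEF0123456789ABCDEF
"""
```

An empty result is not proof of legitimacy: the From header can be forged, so pair these checks with the receiving server's SPF, DKIM and DMARC results.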
