Phishing: Attackers Use E‑Signature Software to Send Emails with Malicious Links

OneSpan Team,

Signing agreements electronically saves time and makes it easier for businesses to close sales contracts, open bank accounts, and apply for insurance without the need to meet face-to-face. But some electronic signature services can also come with unexpected risks.

A number of cybersecurity groups and experts have issued warnings about e-signature scams and phishing attempts using DocuSign to electronically sign documents. In fact, data from Atlas VPN found that DocuSign is among the most commonly used brands in phishing attacks in 2021 and represented over 12% of branded attacks that year.

An article from Security Intelligence entitled Phishing: Attackers Use DocuSign to Send Malicious Links explains how the attack functions. It involves cybercriminals who either register for a free DocuSign account or takeover someone else's account and upload a malicious file that then masquerades as a legitimate DocuSign envelope.   

If these types of spoofing techniques end up reaching your end customers, it could lead to malware downloads (such as ransomware) and hackers exploiting the customers’ identity and personal information.

In this blog, we review the strategy behind phishing scams and how a security-conscious e-signature solution can help prevent these kinds of attacks.

Why Cybercriminals Use DocuSign Phishing Scams

The rise of phishing scams is tied to the increased use of e-signatures to support remote work environments created by the COVID-19 pandemic. Scammers launch phishing attacks that are designed to mimic emails from recognized brands such as DocuSign. Software providers like DocuSign are under constant attack by scammers (2017, 2018, 2019, 2020, 2021), who send fake emails from the vendor’s e-signature service. DocuSign is a prime target for malicious and voluminous phishing attacks because of the widespread use of its brand across its e-signature service and email notifications.

Phishing continues to be one of the most common and successful social engineering schemes globally, with no sign of slowing down. Phishing tricks people into clicking malicious links to download malware or provide confidential information to criminals. The rise of web service impersonation attacks, a type of phishing attack using a recognized brand, involves fake websites and emails that prompt people to login and unknowingly give up their credentials to criminals. With the stolen credentials, hackers can then login to other services. Because people have a habit of reusing the same login credentials across many online accounts, bad actors can run an automated program to test credentials against any number of web services and when successful, use them to impersonate the victim and steal funds or information.

Scammers and phishers are opportunistic and will adapt to current events and seasonal business activity, ranging from coronavirus phishing emails to income tax scams. One tactic is to mask malware with something as routine as an invoice or shipping notice. According to a Threat Report from eSentire Threat Intelligence, having Facebook credentials compromised will impact your personal life more than anything; but “theft of DocuSign or Dropbox credentials could have serious impact on a business.” When credentials are re-used for multiple accounts in an organization, compromise of those credentials can have even more severe implications.

Inside an E-Signature Phishing Scam

Here’s what a typical phishing campaign looks like. An attacker sends an e-signature “envelope” to their target. The recipient receives an email inviting them to review and sign a document. Under normal circumstances, the recipient would simply click the “review document” link and e-sign the document. In a phishing attack however, the email contains links to a website (phishing site) that would request the recipient to enter personal and financial information, or link to a malicious document, which, if run, would download malware onto the recipient’s computer. If the recipient falls for the scam, the attacker could use this information to access their bank account, credit card portals, and other online services.

4 Ways to Defend Against E-Signature Phishing Attacks

1. Protect Your Brand & Customers Against Phishing Emails

DocuSign’s business model relies on a DocuSign branding push using e-signature notification emails that puts its customers and their end-customers at risk to malicious attacks such as reported phishing scams. That’s why it’s important to choose a solution that enables your organization to fully white-label the signing experience so that your brand is front and center at all times.

White labeling is the #1 thing you can do to protect your brand, build trust with your signers, and achieve the highest completion rates. Growing awareness of deceitful phishing tactics – as well as the increase in programs educating people on email security – will dissuade recipients from trusting emails from third-party brands. If someone is expecting an e-signature invitation from their bank or insurance company, chances are they will more quickly delete such an email invitation if it comes from a service provider's email domain instead.

This is why it’s so important to fully brand the look-and-feel of email notifications and integrate the e-signature service with your email servers to allow emails to be sent from your domain (e.g., instead of the e-signature service’s domain. At OneSpan, we embrace this philosophy and it’s a key reason why our OneSpan Sign solution is trusted by some of the most security-conscious brands in the world.

White-labeling tips to help prevent phishing attacks:

  • Integrate the e-signature tool with your own email servers to allow emails to be sent from your domain (e.g.,
  • Customize the content and look-and-feel of email notifications
  • Customize the colors, logo and the visibility of elements such as headers, navigation bars, footers, etc.
  • Customize dialog boxes and error messages


2. Add Enhanced Authentication to Secure Access to Your Agreements

In addition to white labeling, businesses should never overlook security measures such as ID verification and authentication. According to Microsoft, multi-factor authentication can “prevent 99. 9% of attacks on your accounts” and is one of the top ways that security teams and experts protect themselves online. When it comes to phishing, using strong authentication methods is a more powerful deterrent than single-factor email authentication alone.

OneSpan Sign offers a range of ID verification and authentication options to protect your high-value agreements, so you can get documents electronically signed with confidence. You have the flexibility to choose the level of security you need. We help ensure your agreements are safely accessed and signed only by the individuals they’re intended for, with options including SMS, Q&A, knowledge-based authentication (KBA), and government ID document checks.

3. Flatten Documents to Combat Overlay Attacks

Another type of attack worth mentioning is a “shadow attack”. Shadow attacks involve fraudsters preparing a malicious PDF document containing invisible content. This type of attack typically exploits vulnerabilities in PDF viewers and how content is displayed in documents before they are e-signed. This undermines the security of the digital agreement process.

PDFs often contain multiple layers with different content on each one. “Flattening” an uploaded document before it is sent for signing is one method to deter such a threat. OneSpan Sign, for example, strips out any dynamic content from the document before it is processed and a signature-ready agreement is prepared for signing. As a result, any form-field used as a vehicle to replace content using an overlay link is removed from the document and the attack is automatically neutralized. This is an added layer of security in our approach that helps safeguard the trustworthiness of electronic signatures while preserving a seamless signing experience.

4. Educate Employees on How to Spot a Phishing Email

Raise awareness among your employees that scammers are increasingly sending phishing links through emails that appear to come from DocuSign. Let them know there are two key warning signs that the e-signature request is a scam:

  • They are not expecting any documents to sign. If a business partner wants one of your employees to sign an agreement, it’s common practice for them to contact the employee first and let them know that a signature request is on its way. If an employee is not expecting the request to sign a document, advise them to report the email as a phishing scam and delete it. They should not click any hyperlinks or attachments.
  • They notice an unusual sender or email domain. If an employee receives an unexpected e-signature request, they should always check the sender’s email domain. If the email isn’t coming from a legitimate business partner’s domain, it’s likely a scam.

In addition, be aware that typos, misspellings, and grammar mistakes in the subject line or email body are also common indicators that the email could be a phishing scam. Phishing emails may also use generic greetings since they are often used over and over, or mass emailed to a list of unsuspecting victims. 

Will LaSala, Field CTO at OneSpan, explains how organizations can better prepare their teams to identify phishing attempts:

"To protect against these types of attacks, proper email hygiene needs to be enforced. Organizations should consistently remind employees to not open attachments or click on links contained in emails, especially from unknown sources."

"Proper MFA, including secure push authentication, FIDO, and secure transaction authentication should always be leveraged to protect against these style attacks; however, as we see in this attack, MFA is not just enough to solve this problem on its own. Transaction technologies like secure messaging, and transaction authentication with what you see is what you sign, continuous risk analytics, and electronic document signing with secure tamper-evidence auditing will help protect against these attacks."

Building Digital Trust with Employees & Customers

The pandemic and the paradigm shift to a remote-based lifestyle proves just how vital electronic and digital signatures are for our lives, but a rising risk of fraud accompanies the increased use of digital technologies and channels. It’s likely that some of your employees and customers will be tricked into clicking on seemingly legitimate e-signature requests, entering their email credentials and handing them over to the bad actors.

Issues around e-signature phishing attacks are an excellent example of the importance of protecting your digital agreement processes. In all areas of our business, OneSpan is focused on enabling secure digital agreements and customer experiences. Review the capabilities of your electronic signature solution to ensure they include countermeasures like white labeling, strong authentication options, and document flattening to ensure your signers are protected against avoidable e-signature phishing scams.

Direct to Consumer Car Insurance
Case Study

Direct-to-Consumer Car Insurance

Insurer sees 23% higher form completions after replacing DocuSign

Download PDF

The OneSpan Team is dedicated to delivering the best content to help you secure tomorrow's potential. From blogs to white papers, ebooks, webinars, and more, our content will help you make informed decisions related to cybersecurity and digital agreements.