How DocuSign Users Can Spot, Avoid and Report Fraud

At DocuSign, customers trust us with their most sensitive data and we’re strongly committed to protecting it. To this end, we’ve implemented policies, standards, processes and training to ensure we continue to meet or exceed the highest international security standards. But during a time when online crimes are increasing, no company is entirely immune from fraud. Bad players are impersonating many respected brands to steal data or other sensitive information. Preventing them from doing so is a team effort among corporations and consumers.

Here are some tips on how to protect your data online.

How to spot fraud

Newly released Federal Trade Commission data shows that consumers lost nearly $6 billion to fraud in 2021–a year-over-year increase of more than 70 percent. By learning how to detect fraud, you can avoid becoming yet another victim of this rapidly growing trend.

In the past, fraudsters have attempted to impersonate DocuSign in emails and texts. They have also signed up for legitimate DocuSign accounts and used our services to appear reputable when sending documents to victims.

Here are some ways to tell whether a purported DocuSign email you’ve received is fraudulent.

1. The sender’s address is suspicious. Check the “from” tab to ensure the email originated from DocuSign.com or DocuSign.net.
2. It contains an attachment. DocuSign emails that request you to sign a document never contain attachments of any kind.
3. Generic greetings. Many fake emails begin with a generic greeting like “Dear DocuSign Customer.” If you don’t see your name in the salutation, it should raise a mental alarm.
4. False sense of urgency. Many fake emails try to deceive you with the threat that your account is in jeopardy if you don’t provide immediate updates. They may also state that unauthorised transactions have occurred on your account or that DocuSign needs to update your information immediately.
5. Misspellings and bad grammar. While no one is perfect, fake emails often contain misspellings, incorrect grammar, missing words and gaps in logic. Mistakes like this help fraudsters avoid spam filters.
6. Unsafe sites. The term "https" should always precede any website address where you enter personal information. The "s" stands for secure. If you don't see "https," you're not in a secure Web session.
7. Pop-up boxes. DocuSign never uses a pop-up box in an email, because pop-ups aren’t secure.

How to avoid fraud and phishing

Phishing is among the most prevalent and sophisticated fraud techniques. It is used by attackers to trick individuals into divulging personal information—such as login credentials—or to launch malware to steal broader sets of data stored on their computers or connected networks. A phishing email typically is an imitation of an email from a trusted source, duping recipients into opening the email and clicking on enclosed attachments or links. 

Read our paper Combating Phishing to learn more.

How to report fraud

Nearly three million fraud claims were reported in the U.S. last year and although it’s troubling to think of all those who have been victimised, the statistic also underscores the importance of fighting back against cyber criminals. 

Docusign’s customers play a critical role in detecting and fending off cybersecurity threats. If you believe you’ve been targeted, you can report the suspected fraud to DocuSign’s dedicated reporting channels based on the type of threat:

1. DocuSign-themed imitation emails and websites: If you think that you’ve received an imitation email purporting to come from DocuSign, forward the entire email as an attachment to spam@docusign.com and delete it immediately. If you identify a website imitation of DocuSign, please copy and paste the URL into an email to spam@docusign.com for investigation.
2. Improper use of DocuSign: If you think that you’ve received an email from a DocuSign user who is abusing their DocuSign account, please report directly using the ‘Report this email’ link in the bottom portion of the email notification or forward the entire email to securityaccountabuse@docusign.com with your name, contact information, envelope ID (if known), evidence of the purported wrongdoing, sender’s name, sender’s email address and other important details
3. Other security incidents and DocuSign-themed threats for investigation: New cybersecurity threats occur all the time. To support DocuSign information security and threat intelligence, please report security incidents and DocuSign platform threats to security@docusign.com for investigation.

To learn more about how DocuSign is striving to keep your information safe and secure, visit our Trust Center.