DocuSign phishing scams surged by 98%, with hundreds of daily attacks impersonating US government agencies like HHS and MDOT, exploiting trust for data theft.
Cybersecurity researchers at SlashNext’s threat research team have reported a 98% increase in DocuSign phishing URLs from November 8 to November 14, compared to the combined totals of September and October 2024.
In the past week alone, SlashNext’s threat analysts have detected hundreds of these phishing attempts daily, with many impersonating government entities.
Modus Operandi
The attacks begin when a business receives what appears to be a legitimate DocuSign request from a government agency. These phishing URLs are crafted to mimic official communications, using genuine DocuSign accounts and APIs to appear authentic.
For instance, a contractor might receive a DocuSign notification that looks like it’s from the Department of Health and Human Services or the Maryland Department of Transportation. Once a targeted individual opens the malicious document, they are asked to provide sensitive information or authorize fraudulent transactions.
Because the requests appear official, recipients are more likely to comply without thorough verification, compromising their company’s security. Earlier this month, SlashNext also issued a warning about a similar phishing attack exploiting the legitimate DocuSign API to bypass spam filters and target users with fake invoices.
According to SlashNext’s report, shared with Hackread.com ahead of its publication on Monday, U.S. citizens, government institutions, and municipal offices are the primary targets of these attacks. The full list of institutions impersonated so far includes the following:
- The North Carolina Electronic Vendor Portal (eVP)
- The Maryland Department of Transportation (MDOT)
- City authorities from Milwaukee, Charlotte, and Houston
- United States Department of Health and Human Services (HHS)
By mimicking official government communications, cybercriminals can trick even well-informed organizations into taking harmful actions. Experts recommend that businesses implement multi-layered security strategies. Jason Soroko, Senior Fellow at Sectigo, a Scottsdale, Arizona-based provider of comprehensive certificate lifecycle management (CLM) stated,
“This is an example of where we cannot blame the victim for being susceptible to social engineering. The victim is following the process they have been trained and expected to follow.“ “The flaw is that the victim has been given no way to verify the source of the request. It’s essentially a break in trust. This flaw will require a rethink on how to provide signature requests and it will likely mean some kind of strong authentication method,“ he warned.
