Cybersecurity researchers have identified a growing trend where cybercriminals exploit DocuSign APIs to send convincing fake invoices. Unlike traditional phishing scams that rely on spoofed emails with malicious links, these attacks use genuine DocuSign accounts and templates to mimic reputable brands, often slipping past security filters and misleading users into authorizing payments.
Beyond Traditional Phishing Tactics
While phishing often involves emails mimicking trusted brands to steal sensitive data, these new attacks leverage trusted services directly. According to Wallarm, attackers have been observed creating legitimate DocuSign accounts and customizing templates to resemble requests from well-known companies like Norton Antivirus.
Sending through DocuSign's e-signature service lets fraudsters circumvent detection: the emails originate from DocuSign's own platform, so they appear legitimate to email filters and carry no harmful links or attachments.
Attackers set up paid DocuSign accounts, enabling them to use authentic templates and brand logos to request document signatures from victims. Many of these fraudulent invoices include accurate product pricing and realistic fees to make them appear genuine. Once victims sign, attackers may request direct payment from organizations or finance departments.
Over the last five months, DocuSign community forums have seen a surge in user reports describing these fraudulent activities. The consistency of these cases suggests a highly automated approach, allowing attackers to send out large volumes of invoices with minimal manual effort.
By accessing DocuSign’s APIs, particularly the Envelopes: create API, cybercriminals can scale operations quickly and target multiple organizations at once.
API Exploitation and Security Measures
Wallarm warned that DocuSign's API-friendly design, while advantageous for businesses, also opens the door to abuse by malicious actors.
To counter these threats, Wallarm security experts recommended organizations take the following steps:
- Verify sender credentials: double-check sender details, especially if emails look suspicious
- Require internal approvals: implement multi-step authorization for financial transactions
- Educate employees: raise awareness about scams involving authentic-looking invoices
- Monitor for anomalies: watch for unexpected charges or invoice requests
For service providers, Wallarm advised regular threat modeling, enforcing API rate limits and monitoring API activity for unusual patterns.
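The service-provider advice above (rate limits and monitoring API activity for unusual patterns) can be illustrated with a small detector run over envelope-creation logs. The script below is an added example, not code from the article, Wallarm or DocuSign. It assumes a hypothetical audit log in which each "envelope create" call records a timestamp, the calling account, the template used and the recipient address; the field names, account ids, template ids and thresholds are all constructed for the example. It applies two checks that follow directly from the pattern described in the article: a sliding-window rate limit per account, and a fan-out check that flags one account pushing the same template to many unrelated recipient domains.

```python
"""Added example (not from the article or Wallarm): spot bulk envelope
creation in a constructed API activity log.

Assumed (hypothetical) log format, one envelope-creation call per line:
    <ISO-8601 UTC timestamp> acct=<id> template=<id> recipient=<email>
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log. A100 behaves like a normal customer (two quotes a
# couple of minutes apart); B200 blasts one invoice template at six different
# organizations within ten seconds.
SAMPLE_LOG = """\
2024-11-01T09:00:00Z acct=A100 template=T-quote recipient=alice@example.org
2024-11-01T09:02:10Z acct=A100 template=T-quote recipient=bob@example.org
2024-11-01T09:00:00Z acct=B200 template=T-invoice recipient=ap@corp-a.test
2024-11-01T09:00:02Z acct=B200 template=T-invoice recipient=ap@corp-b.test
2024-11-01T09:00:04Z acct=B200 template=T-invoice recipient=ap@corp-c.test
2024-11-01T09:00:06Z acct=B200 template=T-invoice recipient=ap@corp-d.test
2024-11-01T09:00:08Z acct=B200 template=T-invoice recipient=ap@corp-e.test
2024-11-01T09:00:10Z acct=B200 template=T-invoice recipient=ap@corp-f.test
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) acct=(?P<acct>\S+) template=(?P<template>\S+) "
    r"recipient=(?P<recipient>\S+)$"
)


def parse_log(text):
    """Parse the hypothetical log into records sorted by timestamp."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable log line: {line!r}")
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc
        )
        records.append(
            {"ts": ts, "acct": m["acct"], "template": m["template"],
             "recipient": m["recipient"]}
        )
    records.sort(key=lambda r: r["ts"])  # stable sort keeps same-second order
    return records


def rate_limit_violations(records, limit, window_seconds):
    """Sliding-window rate check per account.

    An account is flagged the first time more than `limit` creations fall
    inside any trailing window of `window_seconds`. Returns
    {account: timestamp_of_first_violation}.
    """
    windows = defaultdict(deque)
    violations = {}
    for r in records:
        q = windows[r["acct"]]
        q.append(r["ts"])
        cutoff = r["ts"] - timedelta(seconds=window_seconds)
        while q and q[0] <= cutoff:  # drop events that left the window
            q.popleft()
        if len(q) > limit and r["acct"] not in violations:
            violations[r["acct"]] = r["ts"]
    return violations


def template_fanout(records, min_domains):
    """Flag (account, template) pairs whose recipients span at least
    `min_domains` distinct mail domains. One template going to many unrelated
    organizations is the fan-out pattern of a bulk invoice campaign."""
    domains = defaultdict(set)
    for r in records:
        domain = r["recipient"].rsplit("@", 1)[-1].lower()
        domains[(r["acct"], r["template"])].add(domain)
    return {k: sorted(v) for k, v in domains.items() if len(v) >= min_domains}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for acct, ts in rate_limit_violations(recs, limit=5, window_seconds=60).items():
        print(f"rate limit exceeded: account {acct} at {ts.isoformat()}")
    for (acct, tmpl), doms in template_fanout(recs, min_domains=4).items():
        print(f"fan-out: account {acct} sent template {tmpl} to {len(doms)} domains")
```

Both thresholds (five envelopes per minute, four recipient domains per template) are illustrative; a provider would calibrate them against its own traffic and, as the article suggests, feed the flagged accounts into review rather than blocking outright, since legitimate high-volume senders exist.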