A rise in sophisticated phishing attacks leveraging DocuSign impersonations to target businesses interacting with state and municipal agencies has been uncovered by threat researchers.
Since November 8, these attacks have spiked by 98% compared to activity recorded in September and October. According to SlashNext, hundreds of instances are now detected daily, with the tactics evolving rapidly to outpace detection methods.
These campaigns exploit the trusted relationship between businesses and regulatory authorities. Attackers impersonate entities like the Department of Health and Human Services, the Maryland Department of Transportation and the City of Milwaukee, among others, using legitimate DocuSign accounts and APIs to craft convincing fraudulent documents.
Anatomy of an Attack
In a typical scenario, contractors receive an urgent DocuSign request that mimics communication from a regulatory agency. Some of the examples presented by SlashNext include:
-
A contractor in Milwaukee might receive a notification, allegedly from the city’s Department of Public Works, regarding a $2.8 million project. The document requests immediate approval of a $175,000 change order for materials.
-
In North Carolina, a contractor working on a $12 million hospital project might be asked for an $85,000 emergency compliance bond to avoid a shutdown.
These documents appear legitimate and use accurate terminology to pressure recipients into quick action without verification.
Why These Attacks Work
Several factors contribute to the success of these schemes:
-
They use DocuSign’s real infrastructure, bypassing security filters
-
Messages are timed with licensing cycles and mimic familiar industry terms
-
Victims are pressed for immediate responses to avoid project delays or compliance issues
“This is an example of where we cannot blame the victim for being susceptible to social engineering. The victim is following the process they have been trained and expected to follow,” explained Jason Soroko, a senior fellow at Sectigo.
“The flaw is that the victim has been given no way to verify the request’s source. It’s essentially a break in trust. This flaw will require a rethink of how to provide signature requests, and it will likely mean some kind of strong authentication method.”
Read more on phishing attacks: 82% of Phishing Sites Now Target Mobile Devices
Broader Implications
The financial stakes are high. Victims face immediate losses from unauthorized payments and long-term disruptions to their operations, such as delays in contract renewals or project bids. Common red flags include unexpected license renewal notices, irregular payment routing and requests for atypical documentation.
To combat these threats, businesses must establish robust verification processes for sensitive communications and educate staff on recognizing phishing attempts.
“One tip would be for those employees who use DocuSign regularly is to install the app on your phone as well,” said John Bambenek, President at Bambenek Consulting.
“Whenever a legitimate DocuSign document is routed for signature, you will get an app notification on your phone. This can provide another cue that an inbound email is a phish if an app notification doesn’t come along with it.”